MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c
SHA3-384 hash: 39dd35e363b67f518ed7008f77017275da9ed162c044c141a0f754704ec3730752fd84627de1c4d58d177f42189b5ab6
SHA1 hash: 236f48538bd7bd1946f05a1a27828ddc4ca4536e
MD5 hash: 1d3ba94f6e0d1b6638ac611bb08c4111
humanhash: social-cardinal-missouri-kitten
File name:Setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:15'854'480 bytes
First seen:2024-07-22 12:25:05 UTC
Last seen:2024-08-24 06:35:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 393216:xTyPRezBkxisrQxYi6n4BIV4E1xWCXbH0ZH3P:oezBkx1QxYbn4BINvWCLIH3P
TLSH T1D7F63313B6C7E53DF05E0B3246B3A5A554F33B25A523BE6A8BE0886CCF254541E3E742
TrID 45.4% (.EXE) Inno Setup installer (107240/4/30)
24.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon e9e2eae6b696c6ec (11 x LummaStealer, 4 x Vidar, 2 x FickerStealer)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://rentry.co/isajcuifdwefd => https://mega.nz/file/tKtSQBLR#ig1NKxN2YIxCJmAwuviCOUIor-O90Aue79hRkpLeNUE

Lumma C2:
https://enormousseop.shop/api
https://unseaffarignsk.shop/api
https://shepherdlyopzc.shop/api
https://upknittsoappz.shop/api
https://liernessfornicsa.shop/api
https://outpointsozp.shop/api
https://callosallsaospz.shop/api
https://lariatedzugspd.shop/api
https://indexterityszcoxp.shop/api
Amadey C2:
http://brasseriehub2.com/h9fmdW6/index.php
http://brasseriehub.com/h9fmdW5/index.php

Intelligence

File Origin
# of uploads :
4
# of downloads :
369
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2024-07-22 12:18:38 UTC
Tags:
hijackloader loader lumma amadey botnet stealer
Link:
https://app.any.run/tasks/be8886d9-dad6-4f7d-b684-7dfb2a506ac3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669e4fa62f6eaff4b90f2c5e
Tags:
Execution Generic Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for the window
Creating a file
Moving a recently created file
Moving a file to the %temp% subdirectory
Creating a file in the %AppData% subdirectories
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/669e4fddf1068d66afc02b4d/reports/3a95f48f-ba62-438d-a66f-8ce2bb900754/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c378168-ade7-41d4-ab52-716870cf6f24
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1478334
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
LummaC encrypted strings found
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1478334 Sample: Setup.exe Startdate: 22/07/2024 Architecture: WINDOWS Score: 100 89 Found malware configuration 2->89 91 Antivirus detection for dropped file 2->91 93 Yara detected LummaC Stealer 2->93 95 2 other signatures 2->95 12 Setup.exe 2 2->12         started        process3 file4 67 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 12->67 dropped 15 Setup.tmp 3 5 12->15         started        process5 file6 85 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 15->85 dropped 87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 15->87 dropped 18 Setup.exe 2 15->18         started        21 MpCmdRun.exe 2 15->21         started        process7 file8 51 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 18->51 dropped 23 Setup.tmp 5 8 18->23         started        26 conhost.exe 21->26         started        process9 file10 55 C:\Users\user~1\...\DuetUpdater.exe (copy), PE32 23->55 dropped 57 C:\Users\user\AppData\Local\...\is-QA1MV.tmp, PE32 23->57 dropped 59 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 23->59 dropped 61 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->61 dropped 28 IDRBackup.exe 12 23->28         started        32 DuetUpdater.exe 13 23->32         started        process11 file12 69 C:\Users\user\AppData\Roaming\...\vclx120.bpl, PE32 28->69 dropped 71 C:\Users\user\AppData\Roaming\...\vcl120.bpl, PE32 28->71 dropped 73 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 28->73 dropped 81 6 other malicious files 28->81 dropped 111 Switches to a custom stack to bypass stack traces 28->111 34 IDRBackup.exe 3 28->34         started        75 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 32->75 dropped 77 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 32->77 dropped 79 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 32->79 dropped 83 6 other malicious files 32->83 dropped 38 conhost.exe 32->38         started        signatures13 process14 file15 53 C:\Users\user\AppData\Roamingbehaviorgraphnr\...\Bt.exe, PE32 34->53 dropped 97 Maps a DLL or memory area into another process 34->97 99 Switches to a custom stack to bypass stack traces 34->99 101 Found direct / indirect Syscall (likely to bypass EDR) 34->101 40 more.com 3 34->40         started        44 Bt.exe 35 34->44         started        signatures16 process17 file18 63 C:\Users\user\AppData\...\tvjkarqatrjyjs, PE32 40->63 dropped 65 C:\Users\user\AppData\...\SputterPork.pif, PE32 40->65 dropped 103 Drops PE files with a suspicious file extension 40->103 105 Writes to foreign memory regions 40->105 107 Found hidden mapped module (file has been removed from disk) 40->107 109 3 other signatures 40->109 46 SputterPork.pif 1 40->46         started        49 conhost.exe 40->49         started        signatures19 process20 signatures21 113 Switches to a custom stack to bypass stack traces 46->113 115 Found direct / indirect Syscall (likely to bypass EDR) 46->115
Score:
27%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-07-22 12:26:08 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ofb2lin6myraagt73rjdm6uscviskuchcxoznm4n63thu3kixuga._file
Verdict:
unknown
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma stealer
Link:
https://tria.ge/reports/240722-plnz5sybpm/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Lumma Stealer
Malware Config
C2 Extraction:
https://enormousseop.shop/api
https://unseaffarignsk.shop/api
https://shepherdlyopzc.shop/api
https://upknittsoappz.shop/api
https://liernessfornicsa.shop/api
https://outpointsozp.shop/api
https://callosallsaospz.shop/api
https://lariatedzugspd.shop/api
https://indexterityszcoxp.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c776fa5-73d8-4736-88bf-55adf8108a67
Unpacked files
SH256 hash:
8c5377e5b6dd221e61ebb70f5788ef5410291ae691be5e75ab1a182afdfa7b76
MD5 hash:
8f5b7030acff469053674e18c2a98fae
SHA1 hash:
42d503c8b735003bc94d3be7b88f152e9089886d
Link:
https://www.unpac.me/results/63a00de7-f259-4234-b2d3-3bd08c3bfcb3/
SH256 hash:
7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c
MD5 hash:
1d3ba94f6e0d1b6638ac611bb08c4111
SHA1 hash:
236f48538bd7bd1946f05a1a27828ddc4ca4536e
Link:
https://www.unpac.me/results/63a00de7-f259-4234-b2d3-3bd08c3bfcb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c

(this sample)

  
Link
https://tria.ge/240722-pbv1pswhje
anyrun
any.run
https://app.any.run/tasks/be8886d9-dad6-4f7d-b684-7dfb2a506ac3
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments