MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 739345a9fa6a95c79e3aaf761a810e917492c2072330ec5bb058447b9d56ea62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 17



SHA256 hash: 739345a9fa6a95c79e3aaf761a810e917492c2072330ec5bb058447b9d56ea62
SHA3-384 hash: c1e2c294ec9e23ac243c23b8b5c46b25f1b6d45479c7dc716557d25142c2d2eca973a2b15e523d5e7534815e6404ac81
SHA1 hash: e0a741dbbdd703b9254e5613b36dc727262c1efc
MD5 hash: c77592f28d3267b7c5e0529b6741548a
humanhash: solar-lima-may-mountain
File name: random(4).exe
Download: download sample
Signature: LummaStealer
File size: 3'151'360 bytes
First seen: 2025-01-02 08:13:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:kkIlQwjVgzA0wb9Ah375vpndrsYtS8EACCRG0g+/yWXPifETW:slngzby9AhFvpndgYt/Eirgiph
Threatray 1 similar samples on MalwareBazaar
TLSH T130E54AD2A4C961CFE48E37784A37ED82592D02F96B214DC3A81D74BE7D63CC911B2C66
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter JAMESWT_WT
Tags: exe lev-tolstoi-com LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 382
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: random4.exe
Verdict: Malicious activity
Analysis date: 2025-01-02 08:18:22 UTC
Tags: lumma stealer themida

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit lien
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, LummaC Stealer, Stealc
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
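Several of the signatures above (Adds a directory exclusion to Windows Defender, Disable Windows Defender real time protection (registry), Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet) describe one technique: a PowerShell command line whose real payload is hidden behind -EncodedCommand. The Python below is an added example, not code from MalwareBazaar, the sandbox vendor or the Sigma project. It decodes the base64/UTF-16LE payload the way powershell.exe does and flags Add-MpPreference / Set-MpPreference usage. The command lines it scans are constructed for the example, and the indicator names are arbitrary labels.

```python
import base64
import re
from typing import Optional

# Cmdlets/switches that the sandbox signatures above associate with Defender tampering.
# PowerShell is case-insensitive, so every pattern is compiled with re.I.
# Indicator names are arbitrary labels chosen for this example.
DEFENDER_TAMPER_PATTERNS = {
    "defender_exclusion_added":
        re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I),
    "realtime_protection_disabled":
        re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
    "mppreference_cmdlet":
        re.compile(r"\b(Add|Set)-MpPreference\b", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a base64 blob of at least 16 characters; the
# length floor keeps "-ExecutionPolicy Bypass" from being treated as a payload.
ENCODED_ARG = re.compile(r"(?:^|\s)[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over the UTF-16LE encoding of the script text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_command_line(cmdline: str) -> dict:
    """Decode if needed, then report which Defender-tampering indicators match."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, pat in DEFENDER_TAMPER_PATTERNS.items() if pat.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


def encode_command(script: str) -> str:
    """Helper used only to build the constructed samples below (same encoding PowerShell uses)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process command lines; none are taken from the sandbox reports above.
SAMPLE_COMMAND_LINES = [
    # exclusion for a user-writable folder, hidden behind -EncodedCommand
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_command(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"),
    # abbreviated switch, real-time protection switched off
    "powershell -w hidden -enc "
    + encode_command("Set-MpPreference -DisableRealtimeMonitoring $true"),
    # benign, unencoded administrative use
    "powershell.exe -Command Get-MpComputerStatus",
]


def scan_command_lines(lines):
    """Return (cmdline, result) pairs for every line that matched at least one indicator."""
    results = []
    for line in lines:
        r = classify_command_line(line)
        if r["indicators"]:
            results.append((line, r))
    return results


if __name__ == "__main__":
    for line, r in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(r["indicators"], "<-", r["decoded"] or line)
```

Feed it process-creation command lines (Sysmon event 1 or Windows 4688 with command-line auditing enabled). The decode step matters because a plain substring rule for "MpPreference" never sees the cmdlet inside the base64 blob; the registry-based variants of the same signatures (DisableRealtimeMonitoring, DisableAntiSpyware values under the Defender policy keys) need a separate registry-event rule.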
Behaviour
Behavior Graph:
Behavior Graph ID: 1583232  Sample: random(4).exe  Start date: 02/01/2025  Architecture: WINDOWS  Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 18 other signatures

Process tree (network contacts, dropped files and per-process signatures as recorded in the graph):

random(4).exe
  Network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 104.21.48.1 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\...\NU4SX64NXMV3YXYV8G3PIA0S0.exe (PE32); C:\...\7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
  Started:
    7L2IH7SHMJ2UHKK6X5B1EYK6W8VN0.exe
      Dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
      Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
      Started:
        skotes.exe
          Network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 172.67.129.178 (CLOUDFLARENETUS, United States); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
          Dropped: C:\Users\user\AppData\...\ad8a3a5306.exe (PE32); C:\Users\user\AppData\...\8a0ebcc2e0.exe (PE32); C:\Users\user\AppData\...\a48f6ed5ed.exe (PE32); 23 other malicious files
          Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Creates HTML files with .exe extension (expired dropper behavior); 5 other signatures
          Started:
            982cf429c9.exe
              Dropped: C:\Users\...\win32trace.cp310-win_amd64.pyd (PE32+); C:\Users\...\win32api.cp310-win_amd64.pyd (PE32+); C:\...\_win32sysloader.cp310-win_amd64.pyd (PE32+); 69 other files (66 malicious)
              Started:
                982cf429c9.exe
                  Signatures: Hides threads from debuggers
                  Started: cmd.exe -> conhost.exe
            8a0ebcc2e0.exe
              Signatures: Detected unpacking (changes PE section rights); Modifies windows update settings; Disables Windows Defender Tamper protection; 3 other signatures
            6319f0cc28.exe
              Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs)
            10 other processes
              Network: 176.53.146.223 (VANNINVENTURESGB, United Kingdom); 185.156.73.23 (RELDAS-NETRU, Russian Federation); 34.197.122.172 (AMAZON-AESUS, United States)
              Dropped: C:\Users\user\AppData\...\AutoIt3_x64.exe (PE32+, listed twice); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32); 3 other files (none is malicious)
              Signatures: Contains functionality to inject code into remote processes; Adds a directory exclusion to Windows Defender; Tries to steal Crypto Currency Wallets; 2 other signatures
              Started:
                AutoIt3_x64.exe
                  Signatures: Loading BitLocker PowerShell Module; Reads the Security eventlog; Reads the System eventlog
                9ce3a8a3dc.exe
                  Network: 188.114.97.3 (CLOUDFLARENETUS, European Union)
                  Signatures: Query firmware table information (likely to detect VMs); Tries to steal Crypto Currency Wallets
                AutoIt3_x64.exe
                7 other processes
                  Started: conhost.exe; conhost.exe; WmiPrvSE.exe; 3 other processes
    NU4SX64NXMV3YXYV8G3PIA0S0.exe
      Network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1
      Dropped: C:\Users\user\Documents\FIJDGIJJKE.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\random[2].exe (PE32); 11 other files (7 malicious)
      Signatures: Multi AV Scanner detection for dropped file; Attempt to bypass Chrome Application-Bound Encryption; Drops PE files to the document folder of the user; 7 other signatures
      Started:
        cmd.exe
          Started:
            FIJDGIJJKE.exe
              Signatures: Tries to evade debugger and weak emulator (self modifying code); 2 other signatures
            conhost.exe
        chrome.exe
          Network: 192.168.2.4; 239.255.255.250 (Reserved)
          Started:
            chrome.exe
              Network: 142.250.185.174 (GOOGLEUS, United States); 142.250.186.110 (GOOGLEUS, United States); 7 other IPs or domains
6319f0cc28.exe
  Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
skotes.exe
  Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
6 other processes
  Started: taskkill.exe -> conhost.exe
Threat name: Win32.Trojan.Cerbu
Status: Malicious
First seen: 2025-01-02 08:10:04 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 38 (47.37%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma discovery evasion stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
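The extracted C2 list is the part of this entry a defender can act on directly. The Python below is an added example, not MalwareBazaar code, that matches proxy log lines against these nine hosts. The log layout it parses is an assumption, the log lines are constructed, the one .shop host not on the page is invented for the example, and the lower-confidence "POST to /api on a .shop domain" heuristic is generalised from the nine entries above rather than a documented Lumma characteristic.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from this sample's configuration (copied from the page).
LUMMA_C2_URLS = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
    "https://fancywaxxers.shop/api",
]
# Match on hostname rather than the full URL so a changed path or query string still hits.
LUMMA_C2_HOSTS = {urlsplit(u).hostname.lower() for u in LUMMA_C2_URLS}


def parse_proxy_line(line: str) -> dict:
    """Assumed log layout: '<timestamp> <client-ip> <method> <url> <status>' (constructed)."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method.upper(), "url": url, "status": int(status)}


def match_c2(entry: dict):
    """Return (confidence, host) or None for one parsed proxy entry."""
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    if host in LUMMA_C2_HOSTS:
        return ("known_lumma_c2", host)
    # Lower-confidence heuristic generalised from the nine entries above: POST to /api on a
    # .shop domain. This is an assumption made for the example, not a documented Lumma trait,
    # and needs tuning against the local baseline of legitimate .shop traffic.
    if host.endswith(".shop") and parts.path == "/api" and entry["method"] == "POST":
        return ("lumma_like_c2_pattern", host)
    return None


def scan(lines):
    """Return (client, confidence, host) for every line that matches."""
    alerts = []
    for line in lines:
        entry = parse_proxy_line(line)
        hit = match_c2(entry)
        if hit:
            alerts.append((entry["client"], hit[0], hit[1]))
    return alerts


def clients_trying_multiple_c2(alerts, minimum=2):
    """The configuration above lists nine domains; one client touching several of them in
    quick succession is a stronger signal than a single hit."""
    hosts = defaultdict(set)
    for client, _, host in alerts:
        hosts[client].add(host)
    return {c: sorted(h) for c, h in hosts.items() if len(h) >= minimum}


# Constructed proxy log lines; the .shop host in the fourth line is invented for the example.
SAMPLE_LOG = [
    "2025-01-02T08:19:01Z 192.168.2.4 POST https://cloudewahsj.shop/api 200",
    "2025-01-02T08:19:03Z 192.168.2.4 POST https://rabidcowse.shop/api 200",
    "2025-01-02T08:19:05Z 192.168.2.7 GET https://www.example.com/index.html 200",
    "2025-01-02T08:19:09Z 192.168.2.4 POST https://constructed-example.shop/api 200",
    "2025-01-02T08:19:12Z 192.168.2.7 GET https://shop.example.org/api 200",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(clients_trying_multiple_c2(found))
```

The same host set works for DNS logs (the "doh" tag on this entry is a reminder that the sample may resolve names over DNS-over-HTTPS, in which case a resolver-side rule sees nothing and the proxy/TLS-SNI layer is the place to look).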
Verdict: Suspicious
Tags: stealer lumma_stealer c2 lumma doh
YARA: n/a
Unpacked files
SHA256 hash: d87e48bf902ec4d30548c1bc7c2826ee742642e05b6adb6f6f5a4492438d5c7c
MD5 hash: 5a714fd5d6b3a2f0f01a2f0e3ea87b4c
SHA1 hash: 621a64e38c45c149766bbeea319d6e65dd1d2bcb
SHA256 hash: 739345a9fa6a95c79e3aaf761a810e917492c2072330ec5bb058447b9d56ea62
MD5 hash: c77592f28d3267b7c5e0529b6741548a
SHA1 hash: e0a741dbbdd703b9254e5613b36dc727262c1efc
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_david_CSC846
Author: David
Description: CSC-846 Golang
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe 739345a9fa6a95c79e3aaf761a810e917492c2072330ec5bb058447b9d56ea62 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
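All three findings above come from two fields of the PE optional header: the DllCharacteristics flags (HIGH_ENTROPY_VA, NX_COMPAT) and the size of the certificate (security) data directory. The Python below is an added example, not BLint's own code, that reads those fields with struct alone and reproduces the three checks; build_minimal_pe constructs a headers-only image for the test and is not a loadable executable. Finding identifiers and severities are copied from the table; the DYNAMIC_BASE check is an addition beyond what the table shows.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses; no effect on 32-bit images
DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR)
NX_COMPAT = 0x0100         # DEP: data pages not executable
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def pe_security_findings(data: bytes) -> list:
    """Return (id, title, severity) tuples in the style of the BLint table above."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                   # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset for PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    findings = []
    # A non-empty certificate directory only shows a signature blob is attached; whether it
    # verifies is a separate step (signtool, osslsigncode, or a PKCS#7 parser).
    if cert_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    missing = [name for bit, name in ((HIGH_ENTROPY_VA, "HIGH_ENTROPY_VA"),
                                      (DYNAMIC_BASE, "DYNAMIC_BASE")) if not dllchar & bit]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (%s)" % ", ".join(missing), "high"))
    if not dllchar & NX_COMPAT:
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    return findings


def build_minimal_pe(dllchar: int, cert_size: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF and optional header only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dirs_off = 112 if pe32plus else 96
    opt_size = dirs_off + 16 * 8                      # 16 data directories of 8 bytes
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, dirs_off - 4, 16)     # NumberOfRvaAndSizes
    if cert_size:
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path argument, lint a real file; otherwise lint a constructed image that
    # reproduces the three findings reported for this sample (ASLR on, no HEVA, no NX, unsigned).
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(DYNAMIC_BASE)
    for fid, title, severity in pe_security_findings(image):
        print("%-26s %-62s %s" % (fid, title, severity))
```

Two caveats when reading such a table for a malware sample: HIGH_ENTROPY_VA only changes behaviour for 64-bit images, so on a PE32 file like this one that line is informational, and a packed sample (Themida is tagged above) often has its flags set by the packer stub, so they describe the wrapper rather than the original binary.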

Comments