MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
SHA3-384 hash: 2d35294c671900785b4d92fd70b7b215f3510e1e8dc5355961f597a608da3ceded97cfe8c1a9032c99782803ffbf3e1d
SHA1 hash: 42bb853ce1378804759750ad6af93dd9987f937c
MD5 hash: cecb7a32b99931ca6fef22437f424147
humanhash: snake-montana-foxtrot-yankee
File name:cecb7a32b99931ca6fef22437f424147.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'563'176 bytes
First seen:2024-10-17 14:54:48 UTC
Last seen:2024-10-17 15:45:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c68e3728e5b31346dadca5959fef3f1a (1 x LummaStealer, 1 x RedLineStealer)
ssdeep 12288:oAELJw3lLWRtdzC2cEPFX4NHfAmAnK9BhOGz83kEO:4LJYWRt8pE9X2HfnJo0t
TLSH T13175121235C1D472EA725E300520EEB25EBEF9305E609EDB339946766F742C0CD2AD6B
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
402
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cecb7a32b99931ca6fef22437f424147.exe
Verdict:
Malicious activity
Analysis date:
2024-10-17 15:17:03 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/104d9a3e-c9fa-4550-9f33-b2b07f14b97a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.38772.1948.14668.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6711254a34f884d15c8c55ed
Tags:
Injection Exploit Obfusc
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc invalid-signature microsoft_visual_cc overlay packed signed
Link:
https://www.filescan.io/uploads/67112548b8693873ac833d6f/reports/78019fa2-5f3d-4184-90f9-e90728306dc2/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/84ec3ee7-a8d7-4430-afed-98a8b8f193d7
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1536155
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498/
Threat name:
Win32.Trojan.StealC
Create hunting rule
Status:
Malicious
First seen:
2024-10-17 14:39:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2l45bpz5v2achbghvsshgh7wqq3ifkpowfas5ywdxgnwyq6asma._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/241017-saffeasaja/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://conceptionnyi.sbs
https://platformcati.sbs
https://nervepianoyo.sbs
https://qualifielgalt.sbs
https://smashygally.sbs
https://fightyglobo.sbs
https://modellydivi.sbs
https://pioneeruyj.sbs
https://underlinefiue.sbs
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/699dd5f2-eb46-496f-8e17-49045563f224
Unpacked files
SH256 hash:
38ef332c58cbcca62a7e8b193eb9ec78f46b8dba93ca5c9af246357e48b6a302
MD5 hash:
010509d28032082f9b90f8bb8d229421
SHA1 hash:
2fe3ef40152068a72735650ca1ce9d3c95f62864
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/df369c96-2e69-4324-a23b-c72b737adc90/
Parent samples :
7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
90063167aaf36431f1f81b05ecd37a67742948594e87fee8f6ac3b9167675c40
4ee86de8758a1e350e36e4937e3f0ea0cd63d89843214b4fe286c0127827476b
5a665f7a7d1c8ebc81dd0d767325e15e69ecd8b3cc672421f6b74ad554081f65
71527d46d6782df79cda9916bc582da504587add2b03daf87ce3a9fc88cde027
f67a453c7486224c13b7047ba6f03ee9d20635c18564da76102f0a5174a4260d
SH256 hash:
7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498
MD5 hash:
cecb7a32b99931ca6fef22437f424147
SHA1 hash:
42bb853ce1378804759750ad6af93dd9987f937c
Link:
https://www.unpac.me/results/df369c96-2e69-4324-a23b-c72b737adc90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 7697ce85f9ed74011c263d652398ffb421b4154f758a0977161dccdb621e0498

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3235477/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments