MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1
SHA3-384 hash:	aa1c893e9a29daf1852461e994782c4b2b18063cf3008bc5678b552d21cab2d1d69e8c2030035c6a86e54c3fbb2fa5ae
SHA1 hash:	d4edd4b106e99e433c147a3fdd9a52134190f83b
MD5 hash:	d07ee7b5b360c30bd5e71499e472878c
humanhash:	nine-crazy-apart-uniform
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	3'185'152 bytes
First seen:	2024-11-10 06:00:28 UTC
Last seen:	2024-11-10 06:00:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:hc7UG58yyDfSdTrlQ5KwFXg/XF2vvu5VpN:9yyDfSdTrlQ5KwF2gu5
Threatray	29 similar samples on MalwareBazaar
TLSH	T170E52A62B406F3CBFC4A1A74503BCE53695D02B70B1444C3B868667E7EA7ECA16F6C64
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe LummaStealer

Bitsight

url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-11-10 06:01:34 UTC

Tags:

lumma stealer possible-phishing stealc loader

Link:

https://app.any.run/tasks/e634df69-b203-4c7d-a7e1-147f81af89fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.30934.28960.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67304c571621f8e41b8f11b4

Tags:

shellcode extens virus spam

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for analyzing tools

Connection attempt to an infection source

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed packer_detected

Link:

https://www.filescan.io/uploads/67304c1ec9e5125dc6d4ceba/reports/fe265d54-dcf4-4cac-a420-0ee59a8442c7/overview

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4d6d4e00-0021-45cd-9345-6abaff1144be

Result

Threat name:

LummaC, Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1552998

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-11-10 06:01:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ppkidxbih37icrezchuitcuoqqxklrs3u2n2vb7u7gehwikiqhyq._file

Verdict:

malicious

Label(s):

lummastealer

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery evasion stealer

Link:

https://tria.ge/reports/241110-gqwa1szrbt/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://navygenerayk.store/api

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/55b50974-20dd-41a3-a960-b4da5eec5840

Unpacked files

SH256 hash:

753e6118c255da9ee58d457451e0b9ec9d7a0d2008a7d6c9b0bc2c0ca9d133e3

MD5 hash:

dbe77550e051bb6f8237de159e7272ca

SHA1 hash:

271b85f017e6def885799d2c107c54a4e8fd9c07

Link:

https://www.unpac.me/results/6c7532b9-d149-4c5b-9e97-331a1e93f964/

SH256 hash:

7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1

MD5 hash:

d07ee7b5b360c30bd5e71499e472878c

SHA1 hash:

d4edd4b106e99e433c147a3fdd9a52134190f83b

Link:

https://www.unpac.me/results/6c7532b9-d149-4c5b-9e97-331a1e93f964/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7bd481dc283e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 7bd481dc283efe81449911e8898a8e842ea5c65ba69baa87f4f9887b214881f1

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3245480/

URLhaus

https://urlhaus.abuse.ch/url/3273363/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample