MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0
SHA3-384 hash: 65879978fcf9e74d16c139735845fd4fad56b3955aae34b859b31326658d41f53832c14e866f8ec01e6d1440362c3e2d
SHA1 hash: 897b3e60a77b96d2423525a6db8ccb386abeb14d
MD5 hash: 7884feeb676b85c98dbbe6a0e6f92cbc
humanhash: high-nevada-orange-purple
File name:7884feeb676b85c98dbbe6a0e6f92cbc.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'825'280 bytes
First seen:2024-12-23 06:58:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:K4h8NFmxfLLAPDd/5n9hTRVlFJ3FJxMsIdows8W:KoWFmKF/hTnlFJ3F7yobp
Threatray 145 similar samples on MalwareBazaar
TLSH T1CB8533187A2768EFC27CDFBBC02696061E753F7034AF5E3A5966A5F06D8300E7386605
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
floxif
Create hunting rule
ID:
1
File name:
tight.exe
Verdict:
Malicious activity
Analysis date:
2024-12-23 07:48:17 UTC
Tags:
telegram lumma stealer evasion floxif agenttesla exfiltration loader stealc cryptbot dcrat rat arch-exec smtp golang backdoor spyware autoit blackmoon xworm
Link:
https://app.any.run/tasks/dafc5b26-1918-4601-b5b0-be2d5a679c21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.108867.7210.21308.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67690a498a4d48ee35fe6c42
Tags:
vmdetect virus xpack spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Behavior that indicates a threat
DNS request
Connection attempt
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/67690a490d9e75e2728976e7/reports/8a32d7ad-8445-4aef-9fca-6eb667051934/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4c0c7606-c9c2-4f3f-9f80-6508a263159d
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1579789
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2024-12-22 11:23:16 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qducan2omsv2gt3q7cgf27j6z54wpwbt2gvwotkqg6poia2kgdia._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3a4c78c6e7ff0e5b6a3ccaf96dbc283cffdf37e036d85c27640c5486054c4710
LummaStealer
3d7006312157afde3e4e4393d7a6d116cb7b2b8c0d29f8c22565c6a367c2919e
LummaStealer
58a7419810fcd51ee607619cfd09707c75c0dff2c074c36e880f6d69dd51737d
LummaStealer
681c8a530105b233c88c772aba230ec7585824648f17701ec2e70a5db91c40f3
LummaStealer
c0ab2ce327eb8e97036ac5bd876658cb5b7016dab1d8dd1aced2786f66941d40
LummaStealer
c714577cc08df82a0894aa58aa968fa3b9761c198581bd99fce150fa488248e3
LummaStealer
d607b4eddf572f2fec9793349518180df59d795f58fce6223e8183ebf45b7e6c
LummaStealer
e57a172afd44d0e2225c849de5f6e8c2a68e263e371547b2d3f4ba951dccbc00
LummaStealer
error
LummaStealer
+ 135 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241223-hr5fraxkgy/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Verdict:
Suspicious
Tags:
lumma_stealer stealer c2 lumma
YARA:
n/a
Link:
https://app.threat.zone/submission/4d406b95-935c-41d9-98af-1750830fbac7
Unpacked files
SH256 hash:
6e4ac1b6dcba6ee21e740ff496e66f906452d8724c844bc8df7ab68cb3831277
MD5 hash:
41b4743a54c539202017cad8cce2e0c7
SHA1 hash:
bb3b2d79b047f60032fee5e12f3e1861e7a70e2f
Link:
https://www.unpac.me/results/195f736d-507a-44f1-882e-0ee5814be3d0/
SH256 hash:
80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0
MD5 hash:
7884feeb676b85c98dbbe6a0e6f92cbc
SHA1 hash:
897b3e60a77b96d2423525a6db8ccb386abeb14d
Link:
https://www.unpac.me/results/195f736d-507a-44f1-882e-0ee5814be3d0/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/80e820374e64/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 80e820374e64aba34f70f88c5d7d3ecf7967d833d1ab674d50379ee4034a30d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3245480/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments