MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
SHA3-384 hash: 4833654b13a4b47451f09c666aa79c4a17d8d1112e051e8c87e8bdb6221f25826fe3fdfac5ef3dddfdda1cf8d1849f8c
SHA1 hash: 37291b5995df69edfe03cbe14160f9a9d8a2a1e5
MD5 hash: 4bda52b2e4c36f04e98ee2783772ec52
humanhash: bakerloo-alabama-helium-montana
File name:the-final-pin.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:74'047'033 bytes
First seen:2023-09-18 13:12:19 UTC
Last seen:2023-12-13 18:17:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:D4/4rzOchPDevQn9PyQVLFL/JhdmSew8sZ1rv7j4ayD8P3DGH7:8kqcdio9Py6hdgsZ1nj4tUzGH7
Threatray 33 similar samples on MalwareBazaar
TLSH T1E8F733E0ABFC2549C569D7B014B243B33C19FA03E6B06846F98A4D5BF1456133FA9FA1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter Anonymous
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
336
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
the-final-pin.exe
Verdict:
Malicious activity
Analysis date:
2023-09-18 13:14:25 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/9c70b1c9-c6e8-48f5-b983-59d1748dca0e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Searching for synchronization primitives
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65084ce31edabd99829c601e/reports/54f1b4f6-9e84-4f46-9161-66801ecb6c50/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1310028
Signature
May check the online IP address of the machine
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1310028 Sample: the-final-pin.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 56 67 tse1.mm.bing.net 2->67 79 May check the online IP address of the machine 2->79 10 the-final-pin.exe 205 2->10         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\test test test.exe, PE32+ 10->51 dropped 53 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 10->53 dropped 55 C:\Users\user\AppData\Local\...\System.dll, PE32 10->55 dropped 57 17 other files (none is malicious) 10->57 dropped 13 test test test.exe 25 10->13         started        process6 dnsIp7 71 gofile.io 51.178.66.33, 443, 49724 OVHFR France 13->71 73 ipinfo.io 34.117.59.81, 443, 49712, 49713 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->73 75 2 other IPs or domains 13->75 59 C:\Users\user\AppData\Local\...\Web Data_tmp, SQLite 13->59 dropped 61 C:\Users\user\AppData\Local\...\Cookies_tmp, SQLite 13->61 dropped 63 C:\Users\user\AppData\...\Login Data_tmp, SQLite 13->63 dropped 65 3 other files (1 malicious) 13->65 dropped 83 Tries to harvest and steal browser information (history, passwords, etc) 13->83 18 cmd.exe 1 13->18         started        21 cmd.exe 1 13->21         started        23 cmd.exe 13->23         started        25 31 other processes 13->25 file8 signatures9 process10 dnsIp11 77 Uses schtasks.exe or at.exe to add and modify task schedules 18->77 28 WMIC.exe 1 18->28         started        31 conhost.exe 18->31         started        33 more.com 1 21->33         started        35 WMIC.exe 1 21->35         started        37 conhost.exe 21->37         started        39 cmd.exe 23->39         started        43 2 other processes 23->43 69 dns.google 8.8.4.4, 443, 49722, 49723 GOOGLEUS United States 25->69 41 WMIC.exe 1 25->41         started        45 54 other processes 25->45 signatures12 process13 signatures14 81 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 28->81 47 Conhost.exe 33->47         started        49 schtasks.exe 39->49         started        process15
Gathering data
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 02:41:13 UTC
File Type:
PE (Exe)
Extracted files:
151
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzvnbypujujgo7r42vs5i4ud2yrj35doem4hyhwuqkv6croobagq._file
Verdict:
unknown
Similar samples:
30a1ae69eb70083e1fe40c28becf7de5ec557705aae764af211f70f87ae5a403
LummaStealer
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
LummaStealer
398cb27e45b7edad5322cbf38a9c39510bb9d8b3267b6d88d9cb1c53c575a6bb
LummaStealer
41d9459adfc2174e254616e62e78811abee49d1114f044df8ef04eab28ed0514
LummaStealer
47d9aeb26536b9d9c74b69c0e7510cbdb6c3858e953711db573a5ff9112214cb
LummaStealer
516b7bd1f6bf44033b1c80a7ca6044ad76ade2449d2c429940ff311fb661d5d4
LummaStealer
5b7b0c5236d7365c0c65ce32845469f0da901f775319b93a47df593925f54205
LummaStealer
+ 23 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma persistence spyware stealer
Link:
https://tria.ge/reports/230918-qf4dbabg72/
Behaviour
Collects information from the system
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detect Lumma Stealer payload V2
Lumma Stealer
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/866ad0e1f44d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments