MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44
SHA3-384 hash:	cd24e3975170f38c447dd29ae475636545f55710d40d6e0a63b0a774777ce497e67f91c7ed99c3e6b191c93f9fe70983
SHA1 hash:	b2682bceba4b2cd879cd74b7ee0ffcf5883663fa
MD5 hash:	0518a4ae59d7e76126f153bc9cb97170
humanhash:	tango-violet-five-pluto
File name:	kuly.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	381'304 bytes
First seen:	2024-10-02 11:59:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	6144:FnhrPSAouJdIaOX0E4Oh+O29vr5M85PdfQfQtdwnemh5BL7WpN8ZOEn2kEUCi0I:FnhfoSdDg0vOK9v6sPdfSQtuhHL7KOkM
TLSH	T1D8842310F7C9A85AECEC8CB6D589C7A62D34ECE8C881477E54CFD2100BD165A97F2792
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	tcains1
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

443

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

kuly.exe

Verdict:

Malicious activity

Analysis date:

2024-10-02 11:55:09 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/8c9a29f8-c212-4355-b0f1-bf60d6966d08

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fd35c30fdf88870979a3e3

Tags:

Exploit Micro Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Behavior that indicates a threat

Connection attempt to an infection source

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/66fd35c488188863f38dbcbd/reports/2f372e3f-55b9-412d-ac88-5ae972e32347/overview

Verdict:

Malicious

Labled as:

Marsilia.Generic

Link:

https://www.hybrid-analysis.com/sample/89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4563023c-60ee-4e86-8480-2035f6b64191

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1524071

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44/

Threat name:

ByteCode-MSIL.Trojan.RedlineStealer

Status:

Malicious

First seen:

2024-10-02 12:00:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhvzl3gqi3rlmin7iwvc3rhas5vmxas6ht7pwazri52gwcmjdrca._file

Verdict:

malicious

Label(s):

lummastealer

Similar samples:

error

LummaStealer

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/241002-n6asksyekf/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Lumma Stealer, LummaC

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/45a75444-9249-4086-96ed-b7617256051e

Unpacked files

SH256 hash:

0c1ac6dfc023e6e2844e4ad2f8472c8c5df1f010018f8e5f41a13a8eea46f655

MD5 hash:

ef7652f3ae540cb3b12824a08762a342

SHA1 hash:

53b59a6e251ab3067695ea395a64f88e5333535d

Detections:

LummaStealer

Link:

https://www.unpac.me/results/3f80f2cf-ae11-49bf-a9ab-f1270ecc7604/

SH256 hash:

89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44

MD5 hash:

0518a4ae59d7e76126f153bc9cb97170

SHA1 hash:

b2682bceba4b2cd879cd74b7ee0ffcf5883663fa

Link:

https://www.unpac.me/results/3f80f2cf-ae11-49bf-a9ab-f1270ecc7604/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/89eb95ecd046/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 89eb95ecd046e2b621bf45aa2dc4e0976acb825e3cfefb033147746b09891c44

(this sample)

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample