MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9
SHA3-384 hash: 6eb07764b9d5387f874295f6f4963b145e82d126349c68c8f06782f658cca333545ec2529af4cc9ed64789ed16112fe0
SHA1 hash: 3df5b3d39a47168aac776137582cbbe6a94a9c22
MD5 hash: ca9bae7d8fa56f97bb596d225e1469c3
humanhash: salami-rugby-happy-lion
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:153'088 bytes
First seen:2024-10-02 10:00:46 UTC
Last seen:2024-10-02 14:23:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:wDvSQhc6JZga21nypl2IR1O1SAgDwpjsP/Kc+5vbC7ZQ:w7SQ/S2lpWiwpISJbC7
TLSH T1FEE3F5DD766072DFC85BC472DEA82CA8EA6074BB831F4117906716ADAE0D897CF150F2
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://147.45.44.104/ldms/66fd195977583_EdgeOUpdater.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
365
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-02 10:03:49 UTC
Tags:
evasion confuser
Link:
https://app.any.run/tasks/6bb1133c-e9a5-40d4-8af7-e44020fff586

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fd19de780a9b632d22774f
Tags:
Ransomware Autorun Extens Remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Launching a process
Reading critical registry keys
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
confuser confuserex net packed packed
Link:
https://www.filescan.io/uploads/66fd19e0168559661d51a33b/reports/d3d093fc-455c-4d29-869c-20aecdd85f56/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4207ed58-5ae3-4c9b-b8e8-714daeb4104e
Result
Threat name:
LummaC, PrivateLoader, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1524021
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PrivateLoader
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524021 Sample: file.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 144 treatynreit.site 2->144 146 steamcommunity.com 2->146 148 15 other IPs or domains 2->148 186 Suricata IDS alerts for network traffic 2->186 188 Found malware configuration 2->188 190 Antivirus detection for URL or domain 2->190 192 20 other signatures 2->192 15 file.exe 1 6 2->15         started        19 LKMService.exe 2->19         started        21 GoogleUpdater.exe 2->21         started        23 2 other processes 2->23 signatures3 process4 dnsIp5 126 C:\Users\user\AppData\...\LKMService.exe, PE32 15->126 dropped 128 C:\Users\...\LKMService.exe:Zone.Identifier, ASCII 15->128 dropped 130 C:\Users\user\AppData\Local\...\file.exe.log, CSV 15->130 dropped 166 Detected unpacking (changes PE section rights) 15->166 168 Creates multiple autostart registry keys 15->168 26 LKMService.exe 16 42 15->26         started        31 WerFault.exe 19->31         started        33 WerFault.exe 21->33         started        152 104.26.13.205 CLOUDFLARENETUS United States 23->152 35 WerFault.exe 23->35         started        file6 signatures7 process8 dnsIp9 154 147.45.44.104, 49711, 49725, 49726 FREE-NET-ASFREEnetEU Russian Federation 26->154 156 api.ipify.org 104.26.12.205, 49708, 80 CLOUDFLARENETUS United States 26->156 158 yalubluseks.eu 172.67.140.92, 443, 49709, 49710 CLOUDFLARENETUS United States 26->158 114 C:\...\f98ae5e6665140c7bc7a10ef5c598fcb.exe, PE32 26->114 dropped 116 C:\Users\user\AppData\...behaviorgraphoogleUpdater.exe, PE32 26->116 dropped 220 Multi AV Scanner detection for dropped file 26->220 222 Creates multiple autostart registry keys 26->222 224 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 26->224 37 f98ae5e6665140c7bc7a10ef5c598fcb.exe 2 26->37         started        40 GoogleUpdater.exe 26->40         started        file10 signatures11 process12 signatures13 194 Multi AV Scanner detection for dropped file 37->194 196 Contains functionality to inject code into remote processes 37->196 198 Writes to foreign memory regions 37->198 200 2 other signatures 37->200 42 RegAsm.exe 17 37->42         started        47 conhost.exe 37->47         started        process14 dnsIp15 160 api64.ipify.org 173.231.16.77, 443, 49715 WEBNXUS United States 42->160 162 ipinfo.io 34.117.59.81, 443, 49716 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 42->162 164 2 other IPs or domains 42->164 118 C:\Users\...\ZNiWLZA4sT3dAjz_lF65fVs6.exe, PE32 42->118 dropped 120 C:\Users\...4aR4O9hOTF5WJfvKNpcVCp8.exe, PE32 42->120 dropped 122 C:\Users\...\66fbfccd837ac_vadggdsa[1].exe, PE32 42->122 dropped 124 C:\Users\user\...\66fbfcc301a31_swws[1].exe, PE32 42->124 dropped 226 Drops PE files to the document folder of the user 42->226 228 Found many strings related to Crypto-Wallets (likely being stolen) 42->228 230 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 42->230 232 3 other signatures 42->232 49 ZNiWLZA4sT3dAjz_lF65fVs6.exe 42->49         started        52 E4aR4O9hOTF5WJfvKNpcVCp8.exe 42->52         started        file16 signatures17 process18 signatures19 170 Multi AV Scanner detection for dropped file 49->170 172 Writes to foreign memory regions 49->172 174 Allocates memory in foreign processes 49->174 54 RegAsm.exe 49->54         started        59 conhost.exe 49->59         started        61 RegAsm.exe 49->61         started        176 Injects a PE file into a foreign processes 52->176 63 conhost.exe 52->63         started        65 RegAsm.exe 52->65         started        process20 dnsIp21 150 46.8.231.109, 58515, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 54->150 106 C:\Users\user\AppData\...\softokn3[1].dll, PE32 54->106 dropped 108 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 54->108 dropped 110 C:\Users\user\AppData\...\mozglue[1].dll, PE32 54->110 dropped 112 12 other files (8 malicious) 54->112 dropped 212 Tries to steal Mail credentials (via file / registry access) 54->212 214 Tries to harvest and steal browser information (history, passwords, etc) 54->214 216 Tries to steal Crypto Currency Wallets 54->216 218 Tries to harvest and steal Bitcoin Wallet information 54->218 67 cmd.exe 54->67         started        69 cmd.exe 54->69         started        file22 signatures23 process24 process25 71 userCGHCGIIDGD.exe 67->71         started        74 conhost.exe 67->74         started        76 userJEHDHIEGII.exe 69->76         started        78 conhost.exe 69->78         started        signatures26 202 Multi AV Scanner detection for dropped file 71->202 204 Writes to foreign memory regions 71->204 206 Allocates memory in foreign processes 71->206 80 RegAsm.exe 71->80         started        85 conhost.exe 71->85         started        208 Injects a PE file into a foreign processes 76->208 210 LummaC encrypted strings found 76->210 87 RegAsm.exe 76->87         started        89 conhost.exe 76->89         started        91 RegAsm.exe 76->91         started        93 2 other processes 76->93 process27 dnsIp28 132 cowod.hopto.org 45.132.206.251 LIFELINK-ASRU Russian Federation 80->132 134 49.12.197.9 HETZNER-ASDE Germany 80->134 136 steamcommunity.com 104.102.49.254 AKAMAI-ASUS United States 80->136 98 C:\Users\user\...\66fbfcc9963ca_ldfsna[1].exe, PE32 80->98 dropped 100 C:\ProgramData\JJJEGCGDGH.exe, PE32 80->100 dropped 102 C:\ProgramData\FIEHIIIJDA.exe, PE32 80->102 dropped 104 C:\ProgramDataBAEBFIIEC.exe, PE32 80->104 dropped 178 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 80->178 180 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 80->180 182 Tries to harvest and steal ftp login credentials 80->182 184 3 other signatures 80->184 95 FIEHIIIJDA.exe 80->95         started        138 gravvitywio.store 104.21.16.12 CLOUDFLARENETUS United States 87->138 140 absorptioniw.site 104.21.17.174 CLOUDFLARENETUS United States 87->140 142 6 other IPs or domains 87->142 file29 signatures30 process31 signatures32 234 Multi AV Scanner detection for dropped file 95->234 236 Writes to foreign memory regions 95->236 238 Allocates memory in foreign processes 95->238 240 Injects a PE file into a foreign processes 95->240
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-02 10:01:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3zbf5ohe3tse55sdlwshfzzaklmwtheggzcocaisjncfbjp3puq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241002-l17h9azfjq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/cd1f99e4-9e30-4042-9cf9-191fee1ac3dc
Unpacked files
SH256 hash:
76c36f1d3548a62aa1504eb81eb0ad70fa3c5b256d49ca71784d46182b0b3d4d
MD5 hash:
d85c32cb4419179b8fa9b315b3ae1c2e
SHA1 hash:
5f09310dd4dcf0a5b70b023ff2c37d1ad84caa63
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/700a63f2-7bf6-4883-b790-bbebd26f75a3/
SH256 hash:
8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9
MD5 hash:
ca9bae7d8fa56f97bb596d225e1469c3
SHA1 hash:
3df5b3d39a47168aac776137582cbbe6a94a9c22
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/700a63f2-7bf6-4883-b790-bbebd26f75a3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 8ef212f5c726e72277b21aed2397390296cb4ce431b2270808925a22852fdbe9

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3204866/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments