MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c
SHA3-384 hash: 1d0103362be8cd88c515fa105aced21aaf20cc496d7c664e3537ca9af51923d21cd777d0de099b48ccc994efaa53c95a
SHA1 hash: 4ec30e94c8c554a45adbc0826e3b97fdf40b0741
MD5 hash: 2422d51ed6d21df3ce5591f3b0a03125
humanhash: grey-thirteen-happy-sink
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'900'480 bytes
First seen:2024-11-01 09:55:01 UTC
Last seen:2024-11-01 11:25:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:lFsMrw991f3oE5c/JDuEJFvQec4FcPt1fc9wlyPHKZGHFlCRqxMZ4KJeRXYAoFcU:l7rw99mqVdPt1fLUzuqUymB1rLgb1P
Threatray 69 similar samples on MalwareBazaar
TLSH T139D54BD5B94A71CFD49A2674812BCF46996C4BF44B2048D3A87C74BA7E73CC116FAC28
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
431
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-01 09:57:54 UTC
Tags:
lumma stealer loader amadey botnet stealc themida
Link:
https://app.any.run/tasks/e90f911d-d631-4a38-bdad-8ec9be597e61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.26879.19570.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6724a57d8d23d90491326d9d
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed packed packer_detected
Link:
https://www.filescan.io/uploads/6724a577ae830d48b5dc5ac0/reports/fdc2b032-2592-4271-b764-c0d6eb82ae56/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ad66aa30-bc79-4a29-801a-c96fd7d49e21
Result
Threat name:
LummaC, Amadey, LummaC Stealer, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1546642
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546642 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 133 thumbystriw.store 2->133 135 presticitpo.store 2->135 137 3 other IPs or domains 2->137 147 Suricata IDS alerts for network traffic 2->147 149 Found malware configuration 2->149 151 Antivirus detection for URL or domain 2->151 153 16 other signatures 2->153 12 skotes.exe 4 30 2->12         started        17 file.exe 2 2->17         started        signatures3 process4 dnsIp5 139 185.215.113.43, 49801, 49817, 49854 WHOLESALECONNECTIONSNL Portugal 12->139 141 31.41.244.11, 49820, 80 AEROEXPRESS-ASRU Russian Federation 12->141 113 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 12->113 dropped 115 C:\Users\user\AppData\...\661f3ff865.exe, PE32 12->115 dropped 117 C:\Users\user\AppData\...\1553f88169.exe, PE32 12->117 dropped 123 8 other malicious files 12->123 dropped 187 Creates multiple autostart registry keys 12->187 189 Hides threads from debuggers 12->189 191 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->191 193 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->193 19 9eba8044e7.exe 12->19         started        23 fontcreator.exe 2 12->23         started        25 fontcreator.exe 12->25         started        143 necklacedmny.store 188.114.97.3, 443, 49730, 49731 CLOUDFLARENETUS European Union 17->143 145 185.215.113.16, 49738, 49878, 80 WHOLESALECONNECTIONSNL Portugal 17->145 119 C:\Users\user\...\KOLH45MMED0OMDDRYHIG.exe, PE32 17->119 dropped 121 C:\Users\user\...\FT773VWATWFL9SRK5RTU4.exe, PE32 17->121 dropped 195 Query firmware table information (likely to detect VMs) 17->195 197 Found many strings related to Crypto-Wallets (likely being stolen) 17->197 199 Tries to harvest and steal ftp login credentials 17->199 201 4 other signatures 17->201 27 KOLH45MMED0OMDDRYHIG.exe 4 17->27         started        29 FT773VWATWFL9SRK5RTU4.exe 9 1 17->29         started        file6 signatures7 process8 file9 83 C:\Users\...\SWJQ0719J9GFR3PZ91XO7LBLZA7.exe, PE32 19->83 dropped 85 C:\Users\...\7URDKE3CJSA37VV3INEEM0S4N1C.exe, PE32 19->85 dropped 155 Multi AV Scanner detection for dropped file 19->155 157 Query firmware table information (likely to detect VMs) 19->157 159 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->159 173 2 other signatures 19->173 87 C:\Users\user\AppData\...\fontcreator.tmp, PE32 23->87 dropped 31 fontcreator.tmp 3 5 23->31         started        89 C:\Users\user\AppData\...\fontcreator.tmp, PE32 25->89 dropped 34 fontcreator.tmp 25->34         started        91 C:\Users\user\AppData\Local\...\skotes.exe, PE32 27->91 dropped 161 Antivirus detection for dropped file 27->161 163 Detected unpacking (changes PE section rights) 27->163 165 Machine Learning detection for dropped file 27->165 175 3 other signatures 27->175 36 skotes.exe 27->36         started        167 Modifies windows update settings 29->167 169 Disables Windows Defender Tamper protection 29->169 171 Tries to evade debugger and weak emulator (self modifying code) 29->171 177 3 other signatures 29->177 signatures10 process11 file12 125 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 31->125 dropped 127 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->127 dropped 39 fontcreator.exe 2 31->39         started        129 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 34->129 dropped 131 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 34->131 dropped 42 fontcreator.exe 34->42         started        179 Antivirus detection for dropped file 36->179 181 Detected unpacking (changes PE section rights) 36->181 183 Machine Learning detection for dropped file 36->183 185 4 other signatures 36->185 signatures13 process14 file15 93 C:\Users\user\AppData\...\fontcreator.tmp, PE32 39->93 dropped 44 fontcreator.tmp 39->44         started        95 C:\Users\user\AppData\...\fontcreator.tmp, PE32 42->95 dropped 47 fontcreator.tmp 42->47         started        process16 file17 97 C:\Users\user\AppData\Local\...\is-8C9AL.tmp, PE32 44->97 dropped 99 C:\Users\user\AppData\...\Updater.exe (copy), PE32 44->99 dropped 101 C:\Users\user\...\nvfvsdksvc_x64.exe (copy), PE32+ 44->101 dropped 109 7 other files (6 malicious) 44->109 dropped 49 cmd.exe 44->49         started        51 cmd.exe 44->51         started        53 cmd.exe 44->53         started        61 4 other processes 44->61 103 C:\Users\user\AppData\Local\...\is-21RVC.tmp, PE32 47->103 dropped 105 C:\Users\user\...\nvfvsdksvc_x64.exe (copy), PE32+ 47->105 dropped 107 C:\Users\user\AppData\Local\...\is-GF03F.tmp, PE32+ 47->107 dropped 111 6 other files (5 malicious) 47->111 dropped 55 cmd.exe 47->55         started        57 cmd.exe 47->57         started        59 cmd.exe 47->59         started        63 2 other processes 47->63 process18 process19 65 conhost.exe 49->65         started        67 2 other processes 49->67 69 3 other processes 51->69 71 3 other processes 53->71 73 3 other processes 55->73 75 3 other processes 57->75 77 3 other processes 59->77 79 9 other processes 61->79 81 5 other processes 63->81
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-01 09:56:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
4e41e54de5d7e5527c76b18ac994a069a0cecb0724906b15dbf2cac70ad8916d
LummaStealer
5f481a84688e02aa0dbb5bc3ecd52cb7360a59bad55934d729c2b92bac0258be
LummaStealer
61bbeef15d0f2e8a21a6f78c0895081c871fc8cf4085a5d5a481938e8d4ef78f
LummaStealer
678052dd7d25f56d1ff5f3d66b5d63d407c013a60d1070fc4e21f4cba66b3303
LummaStealer
6e2b1ee5f03b5cc5117b10f8436ae0b716c0e2c7f3accf3d97928a322bf71e9e
LummaStealer
88ebcda50348fcb520f493b4b6b3742d2df3f10d04a2452158a6381a6443db5c
LummaStealer
8ec6d77a18cdc5f0bced1a5efc38a3295a9637e42dd2594d3188e3a64aed532d
LummaStealer
93e14db4af6b127444c9349f6c9162f4eebba4c220378be18d63f9951cb63b0c
LummaStealer
bf4dd45749338c3f9fec76ba69cb27ab2ceb995c54056efa681b07629413bb27
LummaStealer
error
LummaStealer
f42352eff074322a0fe0c7883384502fb8c08f963f06e575bc32f76d711f63fe
LummaStealer
+ 59 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241101-lxrzds1mbp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/20f15ad8-bbd7-47e5-9405-627561148cf8
Unpacked files
SH256 hash:
ce81abab2927cd84038908b665e51a13328e608dedbe9ce8c0f8d1a9dd7766a4
MD5 hash:
dae1852f0a63a16cd1c6c65240ac3af5
SHA1 hash:
a78c2d6e89c50c8c4b5f2ae69a45938fa3f9b9e4
Link:
https://www.unpac.me/results/03e848cd-ca33-4db3-a496-c9f232e8e0f5/
SH256 hash:
98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c
MD5 hash:
2422d51ed6d21df3ce5591f3b0a03125
SHA1 hash:
4ec30e94c8c554a45adbc0826e3b97fdf40b0741
Link:
https://www.unpac.me/results/03e848cd-ca33-4db3-a496-c9f232e8e0f5/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98727c9ef422/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 98727c9ef422f67f6858530e833b101bf235d8e78b363c201fd0f0125c861c2c

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments