MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9
SHA3-384 hash: c1e513a9102ad635640bb69ba42d8caf1428cd2a018974f23ac5584dfa08d82c83f3ec16dd843f21fbd270faa9184cd0
SHA1 hash: 231ac816a488a65db5ee5677aafff01e1ddd24ee
MD5 hash: c32f4fcbdd788c04c97460adee6e9cd4
humanhash: pizza-thirteen-mexico-hotel
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'972'672 bytes
First seen:2024-10-25 01:37:44 UTC
Last seen:2024-10-25 02:22:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:9EihviZCwnVAnmzrpkl8foXTh9ULz7IXCBIK00t6ivS8r0i:9Eih6EwnVAnmzrpkXqJJS8V
Threatray 213 similar samples on MalwareBazaar
TLSH T167D53BD3B68A71CFD48A26BC951BCD86586D03BB572508C3A86C74BE7E63CC11EB5C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
22
# of downloads :
410
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-25 01:44:06 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/c4ed9216-1d83-41f4-ae25-a3b283f1de23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.27575.373.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671af67f748a1dac01b7d3a3
Tags:
Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/671af67eb5a54248f9e43bfb/reports/909c6b17-6712-47a0-85a0-65d4eab5ac8a/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/33867327-2025-4c8c-a968-526a3a92f77c
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1541711
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-25 01:38:07 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=touwrz2efhqycf6xhnxznszyf57rnspvu76wpyhhppdwi4y74xuq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1dbff9fecdd48ef2147a00446d6163e7fae0480af36d72f71b1483ed8f33df92
LummaStealer
32437a843db147563e28256279e435eb7a2dbc92d510f8fbf0375fb9111070a1
LummaStealer
4694d88e7ba125cedf2199d51ab85edc18ddbe0780c2584ebb99ecaadeb99510
LummaStealer
9108d11c01d471075430db40318c8a315834f2c4a42666873918e677254aadb4
LummaStealer
b649fde943868879f85d809bf5e84d9873b1c5ed308941e19cebb3ea6a230aff
LummaStealer
be03d283d7eba7aac1c4aca040ef3368b2a25d9d953ee56ab83561c4491e11a3
LummaStealer
c112677eb35bb70dfdb60790e376320a837007039141c92aa895a84f7709e305
LummaStealer
e71b7babc7ee29408bbd8d0942570a8f2748da3eb3c00e29bf516e687666d2e7
LummaStealer
error
LummaStealer
f4995b1d057c8e9874d5f85cfa25bca71ff44a4141da6903c7e30f518728596f
LummaStealer
f911cd5b49dfd210d30323cb1975b05eb9e98659ce4776153a4f86956ac59105
LummaStealer
+ 203 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241025-b2ejra1fmk/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4d546611-cf82-475f-b307-103840a88c21
Unpacked files
SH256 hash:
cc269333da1bc7a0bd57340dc271d41fa56ed27185b7410f285ae57ac295f763
MD5 hash:
c8ec7f7387dd7394bebf26f04030b08f
SHA1 hash:
dfb402014e74a155cea097213035938e83e01c09
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/4d6670a8-60b4-4281-a181-c768f525fa94/
SH256 hash:
9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9
MD5 hash:
c32f4fcbdd788c04c97460adee6e9cd4
SHA1 hash:
231ac816a488a65db5ee5677aafff01e1ddd24ee
Link:
https://www.unpac.me/results/4d6670a8-60b4-4281-a181-c768f525fa94/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ba968e74429/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 9ba968e74429e18117d73b6f96cb382f7f16c9f5a7fd67e0e77bc764731fe5e9

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments