MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843
SHA3-384 hash:	eb722acd54ac7837c19c21c8dd957094b1e2a1a43e3b653d6ad1bd8b3d0093334824cb4eebe8a9d4e55d97a141a10369
SHA1 hash:	5e146c18717f7aa8cbd226ec750bce41bd8aa4b3
MD5 hash:	cc2566eae03240ffc314e5bee2dc4d26
humanhash:	johnny-black-music-spaghetti
File name:	cc2566eae03240ffc314e5bee2dc4d26.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	367'616 bytes
First seen:	2024-12-17 15:40:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f9df41ae4b2e96d07a46131787a7a3b9 (4 x LummaStealer)
ssdeep	6144:hT46u0Jny38rm3bYIOhtVlJ2rlC0vGLfAq0TwdLZc:hT46uIysrm3bY51+nODFMwPc
TLSH	T17174CF1176F19129E2B346357534DAA86E3FB8635E34859F3E08168F1B723918D72F83
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	08183a4264301000 (1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

341

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

07a0b87962fbee50d2adc913f06a3e3b.exe

Verdict:

Malicious activity

Analysis date:

2024-12-17 08:42:52 UTC

Tags:

loader lumma stealer

Link:

https://app.any.run/tasks/c46f9935-0cac-4778-b806-81b87b917046

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.10706.26717.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67619c9f653a8698dfda2e18

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Behavior that indicates a threat

DNS request

Connection attempt

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/67619b90f7969ba597ac07b5/reports/9141a386-5f4f-4536-a6bc-3cad30c20ca3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b2695d0-c02b-4d72-b451-2891dc417fd1

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1576847

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843/

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2024-12-17 09:31:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t4syhvuqqbj4p7px5cznut2xqqzooynnx4i4x2vtw6fx3jy63bbq._file

Verdict:

malicious

Label(s):

lummastealer

shellcode_loader_002

Similar samples:

error

LummaStealer

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/241217-s4rqjaslhz/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api

Verdict:

Suspicious

Tags:

c2 stealer lumma_stealer

YARA:

n/a

Link:

https://app.threat.zone/submission/5bb75ff9-4b78-414a-9de1-c450b90d1a3c

Unpacked files

SH256 hash:

5a0e2a1ca9596f0147274d96a311f9c6df07767b937af4bdca711986969b3797

MD5 hash:

24bca42f8c5b807ed2d1706cdea7e0bc

SHA1 hash:

c29031b997cc041b9eb8fbd9932ed03841a20ea0

Detections:

LummaStealer

Link:

https://www.unpac.me/results/66f83267-9656-4440-85a0-6c5e2b42ca3b/

SH256 hash:

9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843

MD5 hash:

cc2566eae03240ffc314e5bee2dc4d26

SHA1 hash:

5e146c18717f7aa8cbd226ec750bce41bd8aa4b3

Link:

https://www.unpac.me/results/66f83267-9656-4440-85a0-6c5e2b42ca3b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 9f2583d6908053c7fdf7e8b2da4f578432e761adbf11cbeab3b78b7da71ed843

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3224579/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3346066/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::DeleteVolumeMountPointW KERNEL32.dll::FindFirstVolumeA KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::ReadConsoleOutputAttribute KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasA KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample