MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
SHA3-384 hash: 3335cda731b4f8db0b2e679e5fa777dd625d7be7dea970167e0e093f69cbadb6317caf87155ac1e1584b43d66a1450cc
SHA1 hash: a1c6214e85b826b769d931a20434224e42da28c1
MD5 hash: 826ac9d03e37048df300b013335098d9
humanhash: fourteen-chicken-triple-solar
File name:826ac9d03e37048df300b013335098d9
Download: download sample
Signature LummaStealer
Create hunting rule
File size:122'368 bytes
First seen:2024-11-07 15:54:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 398697f041e256fb6c451f1966f76316 (1 x LummaStealer)
ssdeep 3072:ORIhf/ay4MQGyEDmGg9m5mZcErtLk0m/USg:vhf/ay4MQGAm5mZHV3b
TLSH T153C36B1B73A530F8E1674238C8510A46EBB3B43647619FAF03B447A61F636D19E3EB61
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter zbetcheckin
Tags:64 exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'518
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
826ac9d03e37048df300b013335098d9
Verdict:
Malicious activity
Analysis date:
2024-11-07 17:57:27 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/49c9d188-d845-4c86-a28f-bc1fb1006c2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.SuspectCRC.26286.25312.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672ce2de49e92a05dde3e9da
Tags:
powershell trojan overt sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Creating a window
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc
Link:
https://www.filescan.io/uploads/672ce2d9eb1ade0d53a151ee/reports/338791d2-ca19-4b9b-bb0d-96ba6100f44f/overview
Verdict:
Malicious
Labled as:
GrayWare/Wacapew
Link:
https://www.hybrid-analysis.com/sample/a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/753b8aec-dde9-4071-a5c3-b381e25fb07c
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1551388
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1551388 Sample: 7IXl1M9JGV.exe Startdate: 07/11/2024 Architecture: WINDOWS Score: 100 53 knifedxejsu.cyou 2->53 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Antivirus detection for URL or domain 2->69 71 10 other signatures 2->71 11 7IXl1M9JGV.exe 1 2->11         started        13 svchost.exe 1 2 2->13         started        signatures3 process4 dnsIp5 16 cmd.exe 1 11->16         started        18 conhost.exe 11->18         started        61 127.0.0.1 unknown unknown 13->61 process6 process7 20 powershell.exe 14 24 16->20         started        dnsIp8 55 147.45.44.131, 49710, 80 FREE-NET-ASFREEnetEU Russian Federation 20->55 43 C:\Users\user\AppData\...\qh4rltex.cmdline, Unicode 20->43 dropped 45 C:\Users\user\AppData\Local\...\qh4rltex.0.cs, Unicode 20->45 dropped 73 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 20->73 75 Writes to foreign memory regions 20->75 77 Suspicious execution chain found 20->77 79 3 other signatures 20->79 25 RegAsm.exe 20->25         started        29 csc.exe 3 20->29         started        file9 signatures10 process11 dnsIp12 59 knifedxejsu.cyou 104.21.19.177, 443, 49711, 49712 CLOUDFLARENETUS United States 25->59 81 Query firmware table information (likely to detect VMs) 25->81 83 Found many strings related to Crypto-Wallets (likely being stolen) 25->83 85 Tries to harvest and steal browser information (history, passwords, etc) 25->85 87 Tries to steal Crypto Currency Wallets 25->87 32 chrome.exe 2 25->32         started        47 C:\Users\user\AppData\Local\...\qh4rltex.dll, PE32 29->47 dropped 36 cvtres.exe 1 29->36         started        file13 signatures14 process15 dnsIp16 49 192.168.11.20, 137, 138, 1900 unknown unknown 32->49 51 239.255.255.250, 1900 unknown Reserved 32->51 63 Found many strings related to Crypto-Wallets (likely being stolen) 32->63 38 chrome.exe 32->38         started        41 chrome.exe 32->41         started        signatures17 process18 dnsIp19 57 www.google.com 142.251.35.164, 443, 49716, 49717 GOOGLEUS United States 38->57
Score:
61%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Suspicious
First seen:
2024-11-07 06:29:37 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
11 of 37 (29.73%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucxlqn6llz3c7qfx2zl4ohjuhz3fztfvpagngflvn5ucigftzx7a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/241107-tcrrwsvgka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eef1f3c8-dc46-41f3-8fab-5ee3bfc953f3
Unpacked files
SH256 hash:
a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
MD5 hash:
826ac9d03e37048df300b013335098d9
SHA1 hash:
a1c6214e85b826b769d931a20434224e42da28c1
Link:
https://www.unpac.me/results/89bdec71-8c41-450d-9d0e-0bf5cc3b164f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3280689/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-11-07 15:54:35 UTC

url : hxxps://ggrtrew.xyz/ResOO.exe