MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448
SHA3-384 hash: d3b34e9aad4102ab99f84693eb47f49c84e1017246786af88d9fdbb2de28565a580da2c4c4a9f7c2ff78a161f7a4c589
SHA1 hash: 75396f047cb7f9325499b68212ee510b63408a74
MD5 hash: faaa0638078fa6c600182454ac3ecf41
humanhash: sweet-emma-sierra-apart
File name:faaa0638078fa6c600182454ac3ecf41.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:462'297 bytes
First seen:2024-12-04 13:41:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cf67e46aa84f207c6fd099e033c354c (18 x LummaStealer)
ssdeep 6144:e+WoC/IdkUPq5l+WoC/IdkUPq50+WoC/IdkUPq5bw+WoC/IdkUPq5S+WoC/IdkUW:epOkVpOkkpOk0pOkipOk
TLSH T150A406A3B6D81176D8E1A271257CA27DA13AE77C4F3A90CB131443BD67747C8AD342A3
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
faaa0638078fa6c600182454ac3ecf41.exe
Verdict:
No threats detected
Analysis date:
2024-12-04 14:22:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d748cb6-90c5-4415-9198-b4a406d84efa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
ditekSHen.MALWARE.Win.Trojan.FakeCaptcha-Downloader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67505df212e85e185e75b0fe
Tags:
injection virus gates
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448
Malware family:
Microsoft Corporation
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a98e66fb-f876-4dc0-b15c-ffb86c546c21
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1568333
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
54%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448/
Threat name:
Win32.Dropper.Lumma
Create hunting rule
Status:
Malicious
First seen:
2024-12-04 05:55:18 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
22 of 38 (57.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugundch26z5pceavgleohlq7spujzgf24ybgie52vsksa4micrea._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241204-qznrzaslcp/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0c0f344a-13d4-4ae6-83b6-f5f4962b4064
Unpacked files
SH256 hash:
a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448
MD5 hash:
faaa0638078fa6c600182454ac3ecf41
SHA1 hash:
75396f047cb7f9325499b68212ee510b63408a74
Detections:
Emmenhtal
Create hunting rule
Link:
https://www.unpac.me/results/30f806d1-e663-4824-837a-59ac54b99761/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a1a8d188faf67af1101532c8e3ae1f93e89c98bae6026413baac952071881448

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3319129/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaPlaySndSrv.DLL::PlaySoundServerInitialize
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::OpenSemaphoreW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegLoadMUIStringW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments