MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa
SHA3-384 hash: 47bbc45cd4fd50908fcc1cebe0611a32cfb043784981087f2360a2d8abf4b1578e9fbe015cdbff69e4c402ec2b20486e
SHA1 hash: 94dbd7b49946dac493466b8702f7ca527833b9cc
MD5 hash: b71b7aedba64dfac7fb62b18fe22e956
humanhash: angel-connecticut-happy-earth
File name:b71b7aedba64dfac7fb62b18fe22e956.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'868'288 bytes
First seen:2024-12-31 08:43:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:wm34NGu4QOrYpj44bPupQKfXOzihBGxPJwFsYW/VY4TO7j013wx/AZM4tdMilBEh:Zruq0G4ja+KB3eYmF0AZRz
Threatray 1 similar samples on MalwareBazaar
TLSH T1538533543C70301CDD9BEFB695BB8AEEAB1829148C924B776FA0C02374971D3D49C75A
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
addd965c46898d41684a63f0766be521afccc2f95d5ddc54dde0d623b1da5dbb.exe
Verdict:
Malicious activity
Analysis date:
2024-12-30 23:17:18 UTC
Tags:
amadey botnet stealer loader themida cryptbot gcleaner litehttp lumma auto povertystealer lumar exfiltration github antivm
Link:
https://app.any.run/tasks/c846ef33-4843-4511-8418-6ed7ba4e522e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Lumma.1113.30529.31117.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6773aede1ada70779824c313
Tags:
autorun virus spawn small
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/6773aed9027a5db46d248280/reports/e2798778-eee8-4b09-a6e3-d0a4f53eca8c/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f818c243-53ee-4dd3-b45a-43870ce230e9
Result
Threat name:
LummaC, Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582703
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1582703 Sample: Dl6wuWiQdg.exe Startdate: 31/12/2024 Architecture: WINDOWS Score: 100 28 fancywaxxers.shop 2->28 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Antivirus detection for URL or domain 2->48 50 11 other signatures 2->50 8 Dl6wuWiQdg.exe 1 2->8         started        13 skotes.exe 12 2->13         started        15 skotes.exe 2->15         started        signatures3 process4 dnsIp5 30 185.215.113.16, 49748, 49754, 80 WHOLESALECONNECTIONSNL Portugal 8->30 32 fancywaxxers.shop 104.21.112.1, 443, 49712, 49713 CLOUDFLARENETUS United States 8->32 26 C:\Users\user\...\8WYS1MQTL0QCOHKIPL8.exe, PE32 8->26 dropped 60 Detected unpacking (changes PE section rights) 8->60 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->62 64 Query firmware table information (likely to detect VMs) 8->64 72 6 other signatures 8->72 17 8WYS1MQTL0QCOHKIPL8.exe 4 8->17         started        34 185.215.113.43, 49914, 49930, 49946 WHOLESALECONNECTIONSNL Portugal 13->34 66 Hides threads from debuggers 13->66 68 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->68 70 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->70 file6 signatures7 process8 file9 24 C:\Users\user\AppData\Local\...\skotes.exe, PE32 17->24 dropped 36 Antivirus detection for dropped file 17->36 38 Detected unpacking (changes PE section rights) 17->38 40 Machine Learning detection for dropped file 17->40 42 7 other signatures 17->42 21 skotes.exe 17->21         started        signatures10 process11 signatures12 52 Antivirus detection for dropped file 21->52 54 Detected unpacking (changes PE section rights) 21->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->56 58 6 other signatures 21->58
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2024-12-31 02:58:22 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ukf5la62wj6g5foj6ffoms6qw2brzsjcm437ncy2rp452azyip5a._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241231-knq53avmdr/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
Verdict:
Suspicious
Tags:
stealer lumma lumma_stealer c2
YARA:
n/a
Link:
https://app.threat.zone/submission/1198a24b-53cd-49b9-9c9b-d0b76c554bf4
Unpacked files
SH256 hash:
3745f602e91a4421a323354c3029fe65fb7b9d98e44a240af5f25e5ed6c4830a
MD5 hash:
6774809c8110237ebbf4aae4da32b561
SHA1 hash:
8073f2317f31c8bba3edd8a1b741291cf83125f1
Link:
https://www.unpac.me/results/62330ded-fccc-40e1-b03b-ed3928612a80/
SH256 hash:
a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa
MD5 hash:
b71b7aedba64dfac7fb62b18fe22e956
SHA1 hash:
94dbd7b49946dac493466b8702f7ca527833b9cc
Link:
https://www.unpac.me/results/62330ded-fccc-40e1-b03b-ed3928612a80/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a28bd583dab2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a28bd583dab27c6e95c9f14ae64bd0b6831cc9226737f68b1a8bf9dd033843fa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3337943/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments