MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aac905a9cc4ed6041bcd5fc673d90634244ad3ea444bde85139c0bd2c20b0f17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 13

SHA256 hash: aac905a9cc4ed6041bcd5fc673d90634244ad3ea444bde85139c0bd2c20b0f17
SHA3-384 hash: d705f1a307f07ad590a38bd0b3b06fa183b24b2abcfe2a73546065b964c11325bb6be189e3e0064a10e67c4e37649d49
SHA1 hash: ee0d3136a7b8e839cdf43f562f7367841641c295
MD5 hash: 3ae16a382d2de7cb2ee143606ef1ef47
humanhash: november-sweet-alaska-may
File name: file
Signature: LummaStealer
File size: 12'903'424 bytes
First seen: 2024-10-07 15:33:47 UTC
Last seen: 2024-10-07 16:22:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6a0e4d369769e7f67a20f6adebcb068 (1 x LummaStealer)
ssdeep: 393216:34nJZQQ11JU7NsSnWXTWsFDO3KjgJGduaZda9h4i:3kZdJUCS/ED+UVZAP
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1ADD633A71E9DF0EAEEC12A309E17B99B33F16BE904944C3C7CC04EDA9857E31605A543
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: Bitsight
Tags: exe LummaStealer


Bitsight (reporter):
url: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 408
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-10-07 15:35:19 UTC
Tags: stealer
Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions in the session, not only the uploaded sample.

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Yara detected LummaC Stealer

Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2024-10-07 15:34:09 UTC
File Type: PE (Exe)
AV detection: 24 of 38 (63.16%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: c9b9fbe94b3095ed45482d78df5f40ad41b40b63a1964eace3fa6b1378b59ffb
MD5 hash: aa01925902b45ce7275434c390fcdcb3
SHA1 hash: a38baf7a998af3e0fdcecbd360670aa7871f2466
Detections: LummaStealer

SHA256 hash: aac905a9cc4ed6041bcd5fc673d90634244ad3ea444bde85139c0bd2c20b0f17
MD5 hash: 3ae16a382d2de7cb2ee143606ef1ef47
SHA1 hash: ee0d3136a7b8e839cdf43f562f7367841641c295

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
  LummaStealer
    Executable exe aac905a9cc4ed6041bcd5fc673d90634244ad3ea444bde85139c0bd2c20b0f17 (this sample)

Dropped by: Privateloader
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                   Severity
CHECK_AUTHENTICODE         Missing Authenticode                                    high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high

Reviews
ID               Capabilities                       Evidence
COM_BASE_API     Can Download & Execute components  ole32.dll::CoCreateInstance
SHELL_API        Manipulates System Shell           SHELL32.dll::ShellExecuteW
WIN_BASE_API     Uses Win Base API                  KERNEL32.dll::LoadLibraryA
WIN_BASE_IO_API  Can Create Files                   KERNEL32.dll::CopyFileW
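The two BLint findings above (no Authenticode signature, no HIGH_ENTROPY_VA in DllCharacteristics) come straight out of the PE optional header and can be reproduced without any third-party library. The script below is an added example, not BLint's code and not part of the MalwareBazaar entry: it reads DllCharacteristics (offset 70 of the optional header in both PE32 and PE32+) and the Security data directory (index 4, which holds a file offset rather than an RVA), then reports the same two findings, extended to the other common mitigation flags. The header bytes produced by build_test_header() are constructed for the test and are not taken from the sample on this page.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,   # 64-bit ASLR; the flag BLint reported missing here
    "DYNAMIC_BASE": 0x0040,      # ASLR
    "FORCE_INTEGRITY": 0x0080,   # loader refuses an image whose signature fails
    "NX_COMPAT": 0x0100,         # DEP
    "NO_SEH": 0x0400,            # no SEH handlers in the image
    "GUARD_CF": 0x4000,          # Control Flow Guard
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def pe_security_properties(data: bytes) -> dict:
    """Parse DllCharacteristics and the Security directory out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: data directories start at offset 96
        dd_off, pe32plus = 96, False
    elif magic == 0x20B:                         # PE32+: data directories start at offset 112
        dd_off, pe32plus = 112, True
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # The Security entry is a raw file offset, not an RVA, because the
        # certificate table is not mapped into memory by the loader.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": dllchar,
        "flags": {name: bool(dllchar & bit) for name, bit in DLL_CHARACTERISTICS.items()},
        "authenticode": sec_size > 0,
        "security_dir": (sec_off, sec_size),
    }


def blint_style_findings(data: bytes) -> list:
    """Report findings in the shape of the two BLint checks shown in this entry."""
    props = pe_security_properties(data)
    findings = []
    if not props["authenticode"]:
        findings.append("CHECK_AUTHENTICODE: Missing Authenticode")
    missing = [name for name, present in props["flags"].items() if not present]
    if missing:
        findings.append("CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (%s)"
                        % ", ".join(missing))
    return findings


def build_test_header(dll_characteristics: int, security_size: int, pe32plus: bool = True) -> bytes:
    """Constructed, headers-only PE (not loadable) used to exercise the checks offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dd_off = 112 if pe32plus else 96
    opt_size = dd_off + 16 * 8                   # 16 data directories of 8 bytes each
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, dd_off - 4, 16)
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        # No path given: a constructed header with ASLR and DEP but no
        # HIGH_ENTROPY_VA and no certificate table, matching the findings above.
        image = build_test_header(DLL_CHARACTERISTICS["DYNAMIC_BASE"]
                                  | DLL_CHARACTERISTICS["NX_COMPAT"], 0)
    for line in blint_style_findings(image) or ["no findings"]:
        print(line)
```

Run it as `python pe_checks.py <unzipped sample>` to compare with the BLint table. Two caveats when reading the output: a non-empty Security directory only means a certificate table is present, not that the signature verifies (that needs a full Authenticode check), and HIGH_ENTROPY_VA only has an effect on 64-bit images that also set DYNAMIC_BASE, so for a PE32 image that finding carries no weight.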

Comments