MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0aa434206748ac51fa00eaa0269239eee1ee17d47fb862952ac9e13c3cee364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14



SHA256 hash: b0aa434206748ac51fa00eaa0269239eee1ee17d47fb862952ac9e13c3cee364
SHA3-384 hash: cd8c1c0595fcfd31eaf7c1153a6ef617351d9d545d18cdda47dcda1d8ce2b18d901306074abcacc112c33132237c1d10
SHA1 hash: b7c45a9b8f1f4941e4fd37a3702f659b70ff753f
MD5 hash: bcb24468012c25e02d5e259ea3e73133
humanhash: chicken-sodium-magazine-wolfram
File name: bcb24468012c25e02d5e259ea3e73133.exe
Signature: LummaStealer
File size: 1'028'602 bytes
First seen: 2024-11-06 15:43:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep: 12288:UC4ziv4qQcL9eLTz9tuznmkL4Ub1YcZP9HBy+1Sp6QJKESom9UwSn/CrSEnBz7dz:U3iv4QLcVizR1zZipTsEXCULChM6kZc
TLSH: T1BA25235056DA9873E9792B347CB427226AF0F8494D73C54F538092ACB1B17A1CDBBB32
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 98b881f8c094c003 (1 x LummaStealer)
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
424
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://iploger.ru/25cHm6
Verdict:
Malicious activity
Analysis date:
2024-11-06 01:10:40 UTC
Tags:
evasion arch-exec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
powershell autoit emotet gumen
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc overlay packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Benign windows process drops PE files
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph: ID 1550363, sample KfoiTvEwmD.exe, start date 06/11/2024, architecture WINDOWS, score 100 (the graph rendering, with its per-process nodes, dropped-file paths and network endpoints, is not reproduced in this text view)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2024-11-06 00:34:45 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:lumma discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
a92031c3f754070e8bca0a769b0c68828ad892aea84e79ea0c5309fc83a2bb0b
MD5 hash:
8dbba0d76f33bfe16abc6c9289329a79
SHA1 hash:
1d04f42c4e79d7af48e478c58c20ac4f610ba83a
Detections:
AutoIT_Compiled
Parent samples:
SHA256 hash:
b0aa434206748ac51fa00eaa0269239eee1ee17d47fb862952ac9e13c3cee364
MD5 hash:
bcb24468012c25e02d5e259ea3e73133
SHA1 hash:
b7c45a9b8f1f4941e4fd37a3702f659b70ff753f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews

ID: COM_BASE_API
Capabilities: Can Download & Execute components
Evidence:
ole32.dll::CoCreateInstance

ID: SHELL_API
Capabilities: Manipulates System Shell
Evidence:
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence:
KERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence:
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence:
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence:
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence:
USER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments