MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
SHA3-384 hash: ba22f9bf9d4b9b5b0501e1e7fb0ab1f3d3ea6775ca173fc23db67a51cd0530aee64aad7df56401e66bfd2a5222801aae
SHA1 hash: ca47da5cc86c31aea84a6b170bc948f1020abe89
MD5 hash: 1cc167273eeaf450abb5e548edfabc89
humanhash: uniform-crazy-nuts-eight
File name:Setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:9'633'609 bytes
First seen:2024-07-29 14:08:33 UTC
Last seen:2024-07-29 14:39:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 196608:Fsd7F8Iox9opRvxDKokM7JQpBgKDQhN0F:Fsd2px4lwrM7ClQhNu
Threatray 19 similar samples on MalwareBazaar
TLSH T111A62323F2CBE03DE05E1B3305B3945494F77A216922AE579AECB4ACCF751601E3E256
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://rentry.co/pddaiytf => https://mega.nz/file/BRwxVJDb#gL9fi-YCdJpiYQUhOdhLJTL5SwLMzdU8UkHfitZZyKg

Lumma C2:
https://dividenntyss.shop/api
https://horizonvxjis.shop/api
https://effectivedoxzj.shop/api
https://parntorpkxzlp.shop/api
https://stimultaionsppzv.shop/api
https://grassytaisol.shop/api
https://broccoltisop.shop/api
https://shellfyyousdjz.shop/api
https://bravedreacisopm.shop/api

Intelligence

File Origin
# of uploads :
2
# of downloads :
368
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 14:04:01 UTC
Tags:
installer lumma stealer
Link:
https://app.any.run/tasks/2619588f-8de4-4eca-b5e6-72ff16746964

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a7a27f3ee5253b89e5e18b
Tags:
Discovery Encryption Execution Generic Network Static Stealth Trojan Aptluminousmoth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for the window
Creating a file
Moving a recently created file
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/66a7a28878d5c73fb1c89809/reports/2a2ba567-218e-4530-9699-b820037a4f88/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4f2cc705-5e00-4e67-b01c-9c0dbe6089b2
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1484110
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1484110 Sample: Setup.exe Startdate: 29/07/2024 Architecture: WINDOWS Score: 100 99 Antivirus detection for dropped file 2->99 101 Multi AV Scanner detection for dropped file 2->101 103 Machine Learning detection for dropped file 2->103 105 AI detected suspicious sample 2->105 10 Setup.exe 2 2->10         started        process3 file4 85 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 10->85 dropped 13 Setup.tmp 3 5 10->13         started        process5 file6 89 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 13->89 dropped 91 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->91 dropped 16 Setup.exe 2 13->16         started        19 more.com 3 13->19         started        22 StrCmp.exe 35 13->22         started        process7 file8 63 C:\Users\user\AppData\Local\...\Setup.tmp, PE32 16->63 dropped 24 Setup.tmp 5 26 16->24         started        65 C:\Users\user\AppData\...\npxqgigullvmnp, PE32 19->65 dropped 67 C:\Users\user\AppData\Local\...\Hypnotism.pif, PE32 19->67 dropped 107 Drops PE files with a suspicious file extension 19->107 109 Writes to foreign memory regions 19->109 111 Found hidden mapped module (file has been removed from disk) 19->111 113 3 other signatures 19->113 28 Hypnotism.pif 1 19->28         started        30 conhost.exe 19->30         started        signatures9 process10 file11 77 C:\Users\user\AppData\...\wlessfp1.dll (copy), PE32 24->77 dropped 79 C:\Users\user\...\lang-1058.dll (copy), PE32 24->79 dropped 81 C:\Users\user\...\lang-1049.dll (copy), PE32 24->81 dropped 83 31 other files (24 malicious) 24->83 dropped 115 Uses ping.exe to sleep 24->115 117 Uses ping.exe to check the status of other devices and networks 24->117 32 ImPackr.exe 2 19 24->32         started        36 PING.EXE 1 24->36         started        39 cmd.exe 1 24->39         started        41 5 other processes 24->41 119 Switches to a custom stack to bypass stack traces 28->119 121 Found direct / indirect Syscall (likely to bypass EDR) 28->121 signatures12 process13 dnsIp14 69 C:\Users\user\AppData\...\wlessfp1.dll, PE32 32->69 dropped 71 C:\Users\user\...\SftTree_IX86_U_60.dll, PE32 32->71 dropped 73 C:\Users\user\AppData\...\ImWrappU.dll, PE32 32->73 dropped 75 9 other files (6 malicious) 32->75 dropped 95 Tries to steal Mail credentials (via file / registry access) 32->95 97 Switches to a custom stack to bypass stack traces 32->97 43 ImPackr.exe 3 32->43         started        93 127.0.0.1 unknown unknown 36->93 47 conhost.exe 36->47         started        49 conhost.exe 39->49         started        51 tasklist.exe 1 39->51         started        53 find.exe 1 39->53         started        55 conhost.exe 41->55         started        57 conhost.exe 41->57         started        59 conhost.exe 41->59         started        61 12 other processes 41->61 file15 signatures16 process17 file18 87 C:\Users\user\AppData\Roaming\...\StrCmp.exe, PE32 43->87 dropped 123 Tries to steal Mail credentials (via file / registry access) 43->123 125 Maps a DLL or memory area into another process 43->125 127 Switches to a custom stack to bypass stack traces 43->127 129 Found direct / indirect Syscall (likely to bypass EDR) 43->129 signatures19
Score:
23%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 00:47:14 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfvtqd3apbvhry7ioyhuuzpasbxxitsdwkqe52wsazmwoj2egcba._file
Verdict:
unknown
Similar samples:
0bc0f7f9471990917d43fdbf85339afc9b11c14f12e34a2e94b40a99685434f2
LummaStealer
7143a5a1be6622001a7fdc52367a92155125504715dd96b38df6e67a6d48bd0c
LummaStealer
7a71a886d46f90a91cd0994a372db22c11c7bc23f4b3fa88177c2ed4def4ba9f
LummaStealer
9ffac3be20e18a26f2e3d748ec0cddf8aa1c28ac7010e2b28c29586c35ee00fc
LummaStealer
a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
LummaStealer
b0410c03a893377b1726c7d31fed5796ae24c8ba55061aa7a02f04fd96a32af5
LummaStealer
+ 9 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/240729-rf4jrawcnd/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://dividenntyss.shop/api
https://horizonvxjis.shop/api
https://effectivedoxzj.shop/api
https://parntorpkxzlp.shop/api
https://stimultaionsppzv.shop/api
https://grassytaisol.shop/api
https://broccoltisop.shop/api
https://shellfyyousdjz.shop/api
https://bravedreacisopm.shop/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5f242578-cf82-40ab-9dcc-6b5ee0c267ec
Unpacked files
SH256 hash:
794e4135015d6507846a072f81168eaf297c78dbe529e4cc94ddbb475b43d694
MD5 hash:
0a8d31efde93f55df43e8a3cde98e8fa
SHA1 hash:
2df48a22c5cf85cad7cf320384ce5cea51f87cee
Link:
https://www.unpac.me/results/5d87e305-66a5-4cbe-8a62-75f9506b2c9e/
SH256 hash:
b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
MD5 hash:
1cc167273eeaf450abb5e548edfabc89
SHA1 hash:
ca47da5cc86c31aea84a6b170bc948f1020abe89
Link:
https://www.unpac.me/results/5d87e305-66a5-4cbe-8a62-75f9506b2c9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082

(this sample)

  
Link
https://tria.ge/240729-q19qts1ckl/behavioral2
anyrun
any.run
https://app.any.run/tasks/2619588f-8de4-4eca-b5e6-72ff16746964
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments