MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: LummaStealer
Vendor detections: 10

SHA256 hash: b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959
SHA3-384 hash: e803c6e2878daa39e4fce22e090c3e212490fddc549183719284eae0a05c997421d50f65c9d060448ff0ab25da512419
SHA1 hash: e330e5b7f62ca55cb6e6c97406e0b56878806960
MD5 hash: 1bcf03b31489b63436d4216249bbf246
humanhash: wolfram-lake-mexico-mexico
File name: 1bcf03b31489b63436d4216249bbf246.msi
Signature: LummaStealer
File size: 4'230'656 bytes
First seen: 2023-08-22 07:37:17 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:SQCt+uKTFy+XHBflMPzidUtyWmk60KAOmG:DCh0BfMEWt66DG
Threatray: 5 similar samples on MalwareBazaar
TLSH: T11816BF12B98AC53AFA3F6172957AF7B6117E7EE00B7244D762D93A7D0A704C14232E07
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: LummaStealer msi signed

Code Signing Certificate

Organisation: SimplyHired.com
Issuer: SimplyHired.com
Algorithm: sha256WithRSAEncryption
Valid from: 2023-08-04T15:26:36Z
Valid to: 2024-08-04T15:46:36Z
Serial number: 77880c2a132f0d8449371ff306c1c20a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: b7b2afef1eeaf4a39961bd70fbea460023b0a8dca56bb2ddd5dfbfa1723a3f6d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: NL
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm control evasive fingerprint lolbin msiexec remote shell32
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph ID: 1294939
Sample: Lc3269IMw7.msi
Start date: 22/08/2023
Architecture: WINDOWS
Score: 100

Contacted domains (sample level): known.co.ke, garekarsmdskinclinic.com, buyerbrand.xyz
Signatures (sample level): Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

Process tree (graph node numbers in brackets; dropped files, signatures and network contacts are listed under the process the graph attributes them to):

[2] Sample (Lc3269IMw7.msi)
  |- [14] MpCopyAccelerator.exe
  |    Dropped: C:\Users\user\...\MpCopyAccelerator.exe (PE32+); C:\Users\user\AppData\...\MpClient.dll (PE32+)
  |    |- [24] MpCopyAccelerator.exe
  |         Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
  |         |- [33] cmd.exe
  |              Dropped: C:\Users\user\AppData\Local\...\xeyhbtmupvxl (PE32)
  |              Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk)
  |              |- [37] explorer.exe
  |              |    Network: known.co.ke 146.59.70.14, ports 443, 49738, 49739 (OVHFR, Norway); buyerbrand.xyz 188.114.97.7, ports 49702, 49703, 49704 (CLOUDFLARENETUS, European Union)
  |              |    Dropped: C:\Users\user\AppData\...\kguwqhjmsuvi.exe (PE32)
  |              |    Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)
  |              |    |- [44] kguwqhjmsuvi.exe
  |              |    |    Dropped: C:\Users\user\Videos\Componenteevryday.exe (PE32)
  |              |    |    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
  |              |    |    |- [50] jsc.exe
  |              |    |         Network: 45.9.74.182, ports 49743, 49746, 49747 (FIRST-SERVER-EU-ASRU, Russian Federation); garekarsmdskinclinic.com 68.66.226.99, ports 49744, 80 (A2HOSTINGUS, United States)
  |              |    |         Dropped: C:\Users\user\AppData\Local\...\so64x.dll (MS-DOS); C:\Users\user\AppData\Local\...\so64x[1].dll (MS-DOS)
  |              |    |         |- [60] rundll32.exe
  |              |    |              |- [62] rundll32.exe
  |              |    |                   |- [64] WerFault.exe
  |              |    |- [48] cmd.exe
  |              |         |- [54] conhost.exe
  |              |         |- [56] timeout.exe
  |              |         |- [58] fsutil.exe
  |              |- [42] conhost.exe
  |- [17] msiexec.exe
  |    Dropped: C:\Windows\Installer\MSID1BF.tmp (PE32); C:\Windows\Installer\MSICF2C.tmp (PE32); C:\Windows\Installer\MSICE7F.tmp (PE32); 6 other malicious files
  |    Signatures: Drops executables to the windows directory (C:\Windows) and starts them
  |    |- [27] msiexec.exe
  |    |- [29] MSID1BF.tmp
  |- [20] Componenteevryday.exe
  |    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
  |    |- [31] jsc.exe
  |- [22] msiexec.exe
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2023-08-21 15:32:49 UTC
File Type: Binary (Archive)
Extracted files: 140
AV detection: 15 of 37 (40.54%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Lumma Stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File type: Microsoft Software Installer (MSI) msi
SHA256 hash: b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959 (this sample)

Delivery method: Distributed via web download
