MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
SHA3-384 hash: 936b3730124962acb49d06f8c65717bdc14714b72eed18e05978ee8ec228e1b6618c1394ceee0ecba665cdd710b96184
SHA1 hash: 0c86827c47e040d82869846c68bedb9d8afbcde0
MD5 hash: 731200ce89a30b22a5530838e57862f3
humanhash: fillet-fruit-montana-pizza
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'957'376 bytes
First seen:2024-09-28 22:51:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:amQnf57/NafVbxZe63ml3dpxzWwo5sryh5f9QfdiYratJbFJKdx2eZo1Ga7rjNk:FOTIdD29po5so5CfdiYrsbvKH2eta/p
Threatray 12 similar samples on MalwareBazaar
TLSH T1659533533D9BC0A7EE1AC332C046687473BAB8FE566194B75153885417C5AE02FA3BEC
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter jstrosch
Tags:.NET exe LummaStealer MSIL


Avatar
jstrosch
Found at hxxp://103.130.147[.]211/files/2.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
83431261725e1e6bff498cca39e9defab1c62ced3c2bac642467169c5c92a6f4N
Verdict:
Malicious activity
Analysis date:
2024-09-28 22:42:55 UTC
Tags:
amadey botnet stealer loader metastealer redline stealc themida opendir cryptbot xworm remote evasion uac privateloader discord lumma gcleaner netreactor socks5systemz proxy crypto-regex
Link:
https://app.any.run/tasks/b25fcf69-04d0-4cf5-903f-22775759fce0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilzilla-10036350-0
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fac2da1fc3f42f04e85b04
Tags:
Packed Micro Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66f88897f71b9c224c143da7/reports/d3c99e46-a4b7-4bdf-91e9-e06b604a7544/overview
Verdict:
Malicious
Labled as:
Ser.Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96245294-1beb-4b6e-b540-3e7d2697c825
Result
Threat name:
LummaC, Clipboard Hijacker, Cryptbot, Lu
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1521590
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops large PE files
Drops PE files to the document folder of the user
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected PrivateLoader
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521590 Sample: file.exe Startdate: 29/09/2024 Architecture: WINDOWS Score: 100 154 iplog.co 2->154 156 ghostreedmnu.shop 2->156 158 5 other IPs or domains 2->158 180 Suricata IDS alerts for network traffic 2->180 182 Found malware configuration 2->182 184 Malicious sample detected (through community Yara rule) 2->184 186 19 other signatures 2->186 15 file.exe 2 2->15         started        19 svchost.exe 2->19         started        signatures3 process4 file5 142 C:\Users\user\AppData\Local\...\file.exe.log, CSV 15->142 dropped 172 Contains functionality to inject code into remote processes 15->172 174 Writes to foreign memory regions 15->174 176 Allocates memory in foreign processes 15->176 178 Injects a PE file into a foreign processes 15->178 21 RegAsm.exe 27 15->21         started        26 conhost.exe 15->26         started        28 WerFault.exe 19->28         started        30 WerFault.exe 19->30         started        32 WerFault.exe 19->32         started        34 3 other processes 19->34 signatures6 process7 dnsIp8 160 ghostreedmnu.shop 188.114.96.3 CLOUDFLARENETUS European Union 21->160 162 api64.ipify.org 173.231.16.77, 443, 49706 WEBNXUS United States 21->162 164 8 other IPs or domains 21->164 134 C:\Users\...\tyq3dazbB0crObgKIDGLxiAO.exe, PE32 21->134 dropped 136 C:\Users\...\hI6pMK6rYY2urO_lpGyU85DA.exe, PE32 21->136 dropped 138 C:\Users\...\Jrh6BLxH1aqS3cJle2sY_F2Q.exe, PE32 21->138 dropped 140 7 other malicious files 21->140 dropped 194 Drops PE files to the document folder of the user 21->194 196 Creates HTML files with .exe extension (expired dropper behavior) 21->196 198 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 21->198 200 Found API chain indicative of sandbox detection 21->200 36 Jrh6BLxH1aqS3cJle2sY_F2Q.exe 7 21->36         started        39 hI6pMK6rYY2urO_lpGyU85DA.exe 2 21->39         started        41 G__XJZ9ACVwRjgVn6BXId6E1.exe 4 21->41         started        45 2 other processes 21->45 file9 signatures10 process11 dnsIp12 118 C:\Users\user\AppData\Local\...\Install.exe, PE32 36->118 dropped 47 Install.exe 4 36->47         started        120 C:\Users\...\hI6pMK6rYY2urO_lpGyU85DA.tmp, PE32 39->120 dropped 50 hI6pMK6rYY2urO_lpGyU85DA.tmp 18 17 39->50         started        166 fivevh5pt.top 84.38.182.221 SELECTELRU Russian Federation 41->166 122 C:\Users\user\AppData\...\service123.exe, PE32 41->122 dropped 124 C:\Users\user\...\IZImiIFXXrvtVOHFozZW.dll, PE32 41->124 dropped 206 Multi AV Scanner detection for dropped file 41->206 208 Found many strings related to Crypto-Wallets (likely being stolen) 41->208 210 Tries to harvest and steal browser information (history, passwords, etc) 41->210 212 Drops large PE files 41->212 126 C:\Users\user\AppData\Local\...\Y-Cleaner.exe, PE32 45->126 dropped 128 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 45->128 dropped 130 C:\Users\user\AppData\Local\...\soft[1], PE32 45->130 dropped 132 C:\Users\user\AppData\Local\...\dll[1], PE32 45->132 dropped 214 Detected unpacking (changes PE section rights) 45->214 216 Detected unpacking (overwrites its own PE header) 45->216 218 Writes to foreign memory regions 45->218 220 3 other signatures 45->220 52 WerFault.exe 45->52         started        54 WerFault.exe 45->54         started        56 WerFault.exe 45->56         started        58 3 other processes 45->58 file13 signatures14 process15 file16 144 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->144 dropped 60 Install.exe 47->60         started        146 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 50->146 dropped 148 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 50->148 dropped 150 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 50->150 dropped 152 16 other files (9 malicious) 50->152 dropped 63 playglock32x64.exe 19 50->63         started        process17 dnsIp18 226 Multi AV Scanner detection for dropped file 60->226 228 Uses schtasks.exe or at.exe to add and modify task schedules 60->228 230 Modifies Windows Defender protection settings 60->230 67 cmd.exe 60->67         started        70 forfiles.exe 60->70         started        72 schtasks.exe 60->72         started        168 ejrsoyz.ua 185.208.158.248 SIMPLECARRER2IT Switzerland 63->168 170 89.105.201.183 NOVOSERVE-ASNL Netherlands 63->170 116 C:\...drax Smart Maker 9.28.47.exe, PE32 63->116 dropped file19 signatures20 process21 signatures22 188 Suspicious powershell command line found 67->188 190 Uses cmd line tools excessively to alter registry or file data 67->190 192 Modifies Windows Defender protection settings 67->192 74 forfiles.exe 67->74         started        77 forfiles.exe 67->77         started        79 forfiles.exe 67->79         started        87 3 other processes 67->87 81 cmd.exe 70->81         started        83 conhost.exe 70->83         started        85 conhost.exe 72->85         started        process23 signatures24 222 Modifies Windows Defender protection settings 74->222 89 cmd.exe 74->89         started        92 cmd.exe 77->92         started        94 cmd.exe 79->94         started        224 Suspicious powershell command line found 81->224 96 powershell.exe 81->96         started        98 cmd.exe 87->98         started        100 cmd.exe 87->100         started        process25 signatures26 202 Uses cmd line tools excessively to alter registry or file data 89->202 102 reg.exe 89->102         started        104 reg.exe 92->104         started        106 reg.exe 94->106         started        108 WMIC.exe 96->108         started        204 Suspicious powershell command line found 98->204 110 powershell.exe 98->110         started        112 reg.exe 100->112         started        process27 process28 114 gpupdate.exe 110->114         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-09-28 21:48:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wokslx2w5hk7eydhvxlucmyvjnsrzki5iiatalhfavce2afmm2jq._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
smokeloader
Create hunting rule
shellcode_loader_002
Create hunting rule
risepro
Create hunting rule
socks5systemz
Create hunting rule
Similar samples:
2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70
LummaStealer
2a5b3f29c9ef00f3c760dbe59726938c4736f0360d0fe3458cbdacfd4e0fc1c1
LummaStealer
3bd386d0577ef2744c5d447c198a376b55a554b19ddeae45f1e3a985df59ba59
LummaStealer
9136c32467cd79e8fdb7ea154540093c005c6cf636bc52d7af6caf170a1a828b
LummaStealer
b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
LummaStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/240928-2tc9tssepc/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9db6ca3b-f0af-493b-b2d9-f5bfe7fc9838
Unpacked files
SH256 hash:
d8a1b2dbc07cdade7f6ea6e34a1a35f4730849824b5f9bdeb5c7028ba2b74851
MD5 hash:
b58fbd13d792e1e7d6a47f0dc7440867
SHA1 hash:
72d6285b1c1bebdb360deb162f4304976b6243ca
Link:
https://www.unpac.me/results/98671bda-22f4-4121-8240-d20e509dd25d/
SH256 hash:
b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693
MD5 hash:
731200ce89a30b22a5530838e57862f3
SHA1 hash:
0c86827c47e040d82869846c68bedb9d8afbcde0
Link:
https://www.unpac.me/results/98671bda-22f4-4121-8240-d20e509dd25d/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b39525df56e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe b39525df56e9d5f26067add74133154b651ca91d4201302ce505444d00ac6693

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3175044/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments