MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44
SHA3-384 hash: 82b3c89a5858568dd837342987e75506576eeb8070c9f5c0c87082bdf22a71be3147d3e65f4ac2470c638aa80d908b25
SHA1 hash: 460f6e64c70c056a77d29089816a12c51e16fe60
MD5 hash: 25d3a292cc77c47f1cd83cf6d36b6a3d
humanhash: oven-muppet-mobile-oxygen
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'948'096 bytes
First seen:2024-10-18 22:12:47 UTC
Last seen:2024-10-18 22:26:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:6anFwM6HdQYCxVgENKdoGkYyOEv+yuxiLovbsqTNJLj6h3juICqFrC2z2pGEKXKv:56HdTrdWYw+NvqSErRz2AVFR4xOKiC
Threatray 196 similar samples on MalwareBazaar
TLSH T158D539A2B40972CFD88E13B9D8ABCD875C5D43F6472249C7A82874BA6D77CC113B6C64
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.103/lumka/random.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
443
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-18 22:17:31 UTC
Tags:
lumma stealer opendir loader stealc amadey botnet themida
Link:
https://app.any.run/tasks/f132fa61-7629-4403-bb8d-aad0178d0a7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13079.28569.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6712dd7534f884d15c8ce4ad
Tags:
Powershell Autorun Spam
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/6712dd72dabcdf17c34597cb/reports/ed7cb6b9-4de0-4158-a51d-744fd35cb692/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0a3b1c6f-5108-4c58-a18d-bbafea769fb1
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1537440
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1537440 Sample: file.exe Startdate: 19/10/2024 Architecture: WINDOWS Score: 100 103 studennotediw.store 2->103 105 steamcommunity.com 2->105 107 43 other IPs or domains 2->107 131 Suricata IDS alerts for network traffic 2->131 133 Found malware configuration 2->133 135 Antivirus detection for URL or domain 2->135 137 19 other signatures 2->137 9 file.exe 3 2->9         started        14 skotes.exe 2->14         started        16 b0064ef9c7.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 121 sergei-esenin.com 172.67.206.204, 443, 49722, 49728 CLOUDFLARENETUS United States 9->121 123 steamcommunity.com 104.102.49.254, 443, 49711 AKAMAI-ASUS United States 9->123 125 185.215.113.103, 49798, 50034, 50037 WHOLESALECONNECTIONSNL Portugal 9->125 89 C:\Users\user\...\Y6WLCGXEQC6AUOZG1VDBT5C.exe, PE32 9->89 dropped 91 C:\...\MI5ORANISZNYYD06O0Z7QK050OSFZ.exe, PE32 9->91 dropped 93 C:\Users\...\LCEENA7ZMHNOZ2BW6CHYL63Z1W5.exe, PE32 9->93 dropped 175 Query firmware table information (likely to detect VMs) 9->175 177 Found many strings related to Crypto-Wallets (likely being stolen) 9->177 179 Tries to evade debugger and weak emulator (self modifying code) 9->179 193 2 other signatures 9->193 20 LCEENA7ZMHNOZ2BW6CHYL63Z1W5.exe 34 9->20         started        25 MI5ORANISZNYYD06O0Z7QK050OSFZ.exe 4 9->25         started        27 Y6WLCGXEQC6AUOZG1VDBT5C.exe 9->27         started        127 185.215.113.43, 50031, 50033, 50035 WHOLESALECONNECTIONSNL Portugal 14->127 129 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 14->129 95 C:\Users\user\AppData\...\b0064ef9c7.exe, PE32 14->95 dropped 97 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 14->97 dropped 99 C:\Users\user\AppData\...\b0088cf881.exe, PE32 14->99 dropped 101 6 other malicious files 14->101 dropped 181 Creates multiple autostart registry keys 14->181 183 Hides threads from debuggers 14->183 185 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->185 29 b0064ef9c7.exe 14->29         started        31 b0088cf881.exe 14->31         started        33 d38363b604.exe 14->33         started        39 4 other processes 14->39 187 Tries to harvest and steal browser information (history, passwords, etc) 16->187 189 Tries to steal Crypto Currency Wallets 16->189 191 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->191 35 firefox.exe 18->35         started        37 firefox.exe 18->37         started        file6 signatures7 process8 dnsIp9 109 185.215.113.37, 49843, 50036, 80 WHOLESALECONNECTIONSNL Portugal 20->109 71 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->73 dropped 75 C:\Users\user\AppData\...\mozglue[1].dll, PE32 20->75 dropped 85 9 other files (5 malicious) 20->85 dropped 139 Antivirus detection for dropped file 20->139 141 Multi AV Scanner detection for dropped file 20->141 143 Detected unpacking (changes PE section rights) 20->143 157 6 other signatures 20->157 77 C:\Users\user\AppData\Local\...\skotes.exe, PE32 25->77 dropped 145 Machine Learning detection for dropped file 25->145 159 2 other signatures 25->159 41 skotes.exe 25->41         started        147 Binary is likely a compiled AutoIt script file 27->147 44 taskkill.exe 1 27->44         started        46 taskkill.exe 1 27->46         started        48 taskkill.exe 1 27->48         started        55 3 other processes 27->55 79 C:\Users\...\AZGJT88PEXUHS2WO9A6QFTMQ.exe, PE32 29->79 dropped 149 Query firmware table information (likely to detect VMs) 29->149 151 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->151 153 Tries to harvest and steal ftp login credentials 29->153 50 AZGJT88PEXUHS2WO9A6QFTMQ.exe 29->50         started        155 Modifies windows update settings 31->155 161 3 other signatures 31->161 163 2 other signatures 33->163 111 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49901, 49915, 49916 GOOGLEUS United States 35->111 113 push.services.mozilla.com 34.107.243.93, 443, 49948, 50019 GOOGLEUS United States 35->113 115 9 other IPs or domains 35->115 81 C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+ 35->81 dropped 83 C:\Users\user\...\gmpopenh264.dll (copy), PE32+ 35->83 dropped 87 2 other malicious files 35->87 dropped 52 firefox.exe 35->52         started        57 2 other processes 35->57 59 2 other processes 39->59 file10 signatures11 process12 dnsIp13 165 Antivirus detection for dropped file 41->165 167 Detected unpacking (changes PE section rights) 41->167 169 Machine Learning detection for dropped file 41->169 173 4 other signatures 41->173 61 conhost.exe 44->61         started        63 conhost.exe 46->63         started        65 conhost.exe 48->65         started        171 Multi AV Scanner detection for dropped file 50->171 117 www.wikipedia.org 52->117 119 dyna.wikimedia.org 52->119 67 conhost.exe 55->67         started        69 conhost.exe 55->69         started        signatures14 process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-18 22:13:07 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xj35mwz6xwk77k34yaxu7aw2xllckxxc2lea5vbsilsj3ltuhvca._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
0785ad7bb7e17f18665229dc9a772fae8d074c58f8cff680ab848f396bd952f9
LummaStealer
08643496ffbec35a84e902dbdbfe27b8b1043d66627dec62d3c6a2f0de76111c
LummaStealer
8eb064e3306fcaa33fa6b9e5cab91001de88a9e207208abc67eac98a526e4b4c
LummaStealer
9108d11c01d471075430db40318c8a315834f2c4a42666873918e677254aadb4
LummaStealer
bc1dc5638c3d4cafd7307956d800931cfc801e982c4907d01efffe063bcda0ca
LummaStealer
c7c24e8887dd978f70cfce8e2e5f449b49de0012d8cbdfce51c0227cffe94cb7
LummaStealer
cb774b9e9e0427ffec6716c083ff67383a95a3d2a841cbab201a50ba76fb6fa4
LummaStealer
daf673c259d9aaf3bf320d667b0840f104c2150c30650dbd58f2a1bcc8a692af
LummaStealer
ef8356d61e6803858f00eb94f0fba1e5733d5c50033113c7365f99664b76656c
LummaStealer
error
LummaStealer
f4995b1d057c8e9874d5f85cfa25bca71ff44a4141da6903c7e30f518728596f
LummaStealer
+ 186 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241018-14259stalk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ddacf8f-6863-461c-a8f5-42b37b001142
Unpacked files
SH256 hash:
76cebf6372957a72e1c038e4f9027dae72e18511dfd0d993a0c347de363a0951
MD5 hash:
1e7ebdd7e425dc08962a269b82b3d5c8
SHA1 hash:
c4dbc470a423272c8fb7a3486d7beba04c9d2213
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/8f757abf-a3b8-45e5-ad87-444039af3c4d/
SH256 hash:
ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44
MD5 hash:
25d3a292cc77c47f1cd83cf6d36b6a3d
SHA1 hash:
460f6e64c70c056a77d29089816a12c51e16fe60
Link:
https://www.unpac.me/results/8f757abf-a3b8-45e5-ad87-444039af3c4d/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba77d65b3ebd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe ba77d65b3ebd95ffab7cc02f4f82dabad6255ee2d2c80ed43242e49dae743d44

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3241739/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments