MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17



SHA256 hash: bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba
SHA3-384 hash: 798aa0c1382c0aff3f4361fca647377a6e891d464fef86d27671e74dfcb60da854fa72847114a647286f9f3a205d7dc7
SHA1 hash: db1fc3f2de367def833b34dfc6228ea3e185815d
MD5 hash: 646b8b4f1120776d924259da33f0e73d
humanhash: xray-pasta-princess-don
File name: 646b8b4f1120776d924259da33f0e73d.exe
Signature: LummaStealer
File size: 1'841'664 bytes
First seen: 2024-12-26 11:35:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:J6seTDSido6vMuVPisYo80uYZPmsCEJyY6oXr6AxBE:J6suK/psPfcg1XGAxB
TLSH T1DE85336ACBF280E8CF13C47CEBB25B107A16BE6A05C5FD71259255D312335AA92DBDC0
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
369
Origin country :
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
6e2bdd518dfd54cb6614f541cb44877abcdf6528221744798de6ff8858dec3cd
Verdict:
Malicious activity
Analysis date:
2024-12-26 08:29:03 UTC
Tags:
amadey botnet stealer loader stealc themida gcleaner lumma telegram credentialflusher auto coinminer arch-exec netreactor

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
vmdetect autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC, Amadey, AsyncRAT, LummaC Stealer
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Vidar stealer
Yara detected WorldWind Stealer
Behaviour
Behavior Graph: Behavior Graph ID 1580865, sample i8Vwc7iOaG.exe, start date 26/12/2024, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name:
Win32.Trojan.Multiverze
Status:
Malicious
First seen:
2024-12-26 11:36:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lummastealer
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict:
Suspicious
Tags:
lumma_stealer stealer lumma c2
YARA:
n/a
Unpacked files
SHA256 hash:
a66fc3763fa1afed085640920dd6a3ad9a36b9647a02f1416aa37b65ada6c0eb
MD5 hash:
628f3cf8bac658a837e88c556c836d43
SHA1 hash:
498168e2a8f1d231efb7982b879a387e8dbc96d8
SHA256 hash:
bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba
MD5 hash:
646b8b4f1120776d924259da33f0e73d
SHA1 hash:
db1fc3f2de367def833b34dfc6228ea3e185815d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe bcaff60055929f46412dd46cfe9f59413be788904cb1d55f794ecb5ef0409cba (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
