MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 be005ba86358270309689b128acbc55c0fada78dfcb02f356dd4a41faed50a6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LummaStealer
Vendor detections: 14
| SHA256 hash: | be005ba86358270309689b128acbc55c0fada78dfcb02f356dd4a41faed50a6f |
|---|---|
| SHA3-384 hash: | 7b6e94a94e50b5196a2226afcfeb6586db93f4ea01865765c8b0900ed539258e24088deacbcee9a7114692d23d83e036 |
| SHA1 hash: | 81c606d28808704ccfe51a61efe5236b5f25dcb6 |
| MD5 hash: | 3d6d5b8b81c3d2a550a49f3693329ff9 |
| humanhash: | gee-december-thirteen-burger |
| File name: | 3d6d5b8b81c3d2a550a49f3693329ff9 |
| Download: | download sample |
| Signature | LummaStealer |
| File size: | 584'232 bytes |
| First seen: | 2024-10-15 04:15:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5569ec101333623476b6cdb226005b45 (7 x LummaStealer, 3 x Stealc, 2 x Vidar) |
| ssdeep | 12288:oJIq7wblQ7YikgUco+boLb+gd4ssk2ngtWihg3RacKH4EO:UIMwpY3kgRo+KOsOnDIGbKYt |
| TLSH | T186C4E1127581C4B7C52312330AA8D772693EF8211B525ADFA7580FBECFB06D09E3596E |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| Reporter |  zbetcheckin |
| Tags: | 32 exe LummaStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
392
Origin country :
FRVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3d6d5b8b81c3d2a550a49f3693329ff9
Verdict:
No threats detected
Analysis date:
2024-10-15 04:19:33 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Verdict:
Malicious
Score:
93.3%
Tags:
Injection Exploit Obfusc
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint invalid-signature microsoft_visual_cc overlay packed signed
Verdict:
Malicious
Labled as:
Lazy.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Result
Threat name:
LummaC
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.LummaStealer
Status:
Malicious
First seen:
2024-10-15 04:16:06 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
lumma
Score:
10/10
Tags:
family:lumma discovery stealer
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://unlikerwu.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://unlikerwu.sbs
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
a0b9f0603ea9e49c856e54fda16cc874ff3562ae9d3a858f4074d5fbc87678d5
MD5 hash:
2bac8778f57a4f9644deb2100fb67f3f
SHA1 hash:
0697f25c4d2a4453bfe3de6520ffeed9325c06d9
Detections:
LummaStealer
Parent samples :
be005ba86358270309689b128acbc55c0fada78dfcb02f356dd4a41faed50a6f
2c57550c42e474958fccb2e1540a661e9f4a4fe87e85c7dd3579e8af3916608c
68bbe13e84ebdffbdd2e1e7ba425d836645be218d4ac0bb2cca2d87590d9e7d6
32648b04a43ed9cfa7c160cb22f518990b0cb654359964a4e0d25c3d061e1d01
75aa29590d61dce65ae569f63ebda46edd6eba1b853a745ff1091d18fc8b46a3
2c57550c42e474958fccb2e1540a661e9f4a4fe87e85c7dd3579e8af3916608c
68bbe13e84ebdffbdd2e1e7ba425d836645be218d4ac0bb2cca2d87590d9e7d6
32648b04a43ed9cfa7c160cb22f518990b0cb654359964a4e0d25c3d061e1d01
75aa29590d61dce65ae569f63ebda46edd6eba1b853a745ff1091d18fc8b46a3
SH256 hash:
be005ba86358270309689b128acbc55c0fada78dfcb02f356dd4a41faed50a6f
MD5 hash:
3d6d5b8b81c3d2a550a49f3693329ff9
SHA1 hash:
81c606d28808704ccfe51a61efe5236b5f25dcb6
Malware family:
Lumma
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | cobalt_strike_tmp01925d3f |
|---|---|
| Author: | The DFIR Report |
| Description: | files - file ~tmp01925d3f.exe |
| Reference: | https://thedfirreport.com |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | PE_Potentially_Signed_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThreadpoolWork |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://assets.gziraq.com/css/63e909b3647d.exe