MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LunaLogger

Vendor detections: 10

Intelligence 10 IOCs YARA 19 File information Comments

SHA256 hash:	c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a
SHA3-384 hash:	720a3c33be4b2776c1117bd7eb54f61e3db95752c0ca0d99a6a4ae1a2e890877da8f647423450719fc767e91cf3a06b4
SHA1 hash:	a358e4c730f144df189c0ec484252b4a0ca53c44
MD5 hash:	8794e9e33b69aace2f9fd08c2c364694
humanhash:	seven-tennessee-johnny-early
File name:	TS-240518-Luna7.exe
Download:	download sample
Signature	LunaLogger Create hunting rule
File size:	16'463'524 bytes
First seen:	2024-05-18 02:34:25 UTC
Last seen:	2024-05-18 03:24:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4f2e2b03fe5666a721620fcea3aea9b (15 x BlankGrabber, 10 x PythonStealer, 6 x CrealStealer)
ssdeep	393216:KPo9DM45CtKh2Jp5M/urEUWj+rMgE5PKk9buK+:B9NMKhNdbmMgbkEK+
Threatray	93 similar samples on MalwareBazaar
TLSH	T1FBF633D937605894F5D6103B9667881197B7FCB25768C39F0AF832A22F433E08D3AE65
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	kafan_shengui
Tags:	exe LunaLogger

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a.exe

Verdict:

Malicious activity

Analysis date:

2024-05-18 16:38:48 UTC

Tags:

evasion discord python

Link:

https://app.any.run/tasks/8b77e8e9-173e-44f6-8db0-66c015143354

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.18799.26767.UNOFFICIAL

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Delayed reading of the file

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2352ce76-23ed-490d-8e3b-ccd97a995ac6

Result

Threat name:

Luna Logger

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1443690

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to infect the boot sector

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Luna Logger

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a/

Threat name:

Win64.Trojan.LunaLogger

Status:

Malicious

First seen:

2024-05-17 12:19:42 UTC

File Type:

PE+ (Exe)

Extracted files:

1531

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ycvm4ffkabr3xyzsjh6ufpbjnf2kto2bzlqynyon2hbizptxs45a._file

Verdict:

unknown

LunaLogger

215fbdf1d0e7183bda896248c954a58d05b15e0e39e9e00d3814f4362fcff0ad

LunaLogger

51d9264e591df98e96eb17cc0fc735cbcd32a4448c2c5497d51924ad95fc9a6d

LunaLogger

a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473

LunaLogger

a879fcea4ce6f6041ffc6271c261cf6fc09ec21ac118db277572ddf7b08e8708

LunaLogger

db700864811a1de2e51bcd01a28b480f4b3cf97d903134a5fe4ab9f8d38f3a35

LunaLogger

ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9

LunaLogger

+ 83 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller spyware stealer upx

Link:

https://tria.ge/reports/240518-c21yesgc79/

Behaviour

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Unpacked files

SH256 hash:

c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a

MD5 hash:

8794e9e33b69aace2f9fd08c2c364694

SHA1 hash:

a358e4c730f144df189c0ec484252b4a0ca53c44

Detections:

PyInstaller

Link:

https://www.unpac.me/results/bdf613e9-10c5-4e33-a35e-2902ae994554/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	PyInstaller_Packed_April_2024 Create hunting rule
Author:	NDA0N
Description:	Detects files packed with PyInstaller

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample