MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686
SHA3-384 hash:	1eb2c7838fbbe4255d344e89cc4f48164146bba7deef3cc0f47929893adbcfa93ffe6555e74c79bedc8648a2ec48f5d0
SHA1 hash:	13d48172ade3bd971eccac0908b054834a4371c9
MD5 hash:	a7a10b23e71ea1eb0f791fe0175dddf1
humanhash:	massachusetts-utah-social-lion
File name:	a7a10b23e71ea1eb0f791fe0175dddf1.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	3'998'720 bytes
First seen:	2025-02-14 05:59:39 UTC
Last seen:	2025-02-14 07:10:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	12162a611fb2169f101a204969fe495d (9 x LummaStealer, 2 x GhostSocks)
ssdeep	49152:vxN4Ixpg7d5suPJQ01hZv2rPTjq/9ihZnBjikV:vzPxsAuqcZv2bTjqVih/V
TLSH	T18906B4C1AE539A02D796E2B9B1A12B61A1E7DC03D040C45371CEFD4C4BFA39E56B3B46
TrID	41.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 31.3% (.EXE) InstallShield setup (43053/19/16) 10.3% (.EXE) Win32 Executable Delphi generic (14182/79/4) 7.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	f0c082a7858ec4e0 (12 x LummaStealer, 2 x GhostSocks)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

518

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-02-13 20:02:27 UTC

Tags:

auto amadey botnet stealer stealc loader cryptbot gcleaner opendir generic lumma telegram povertystealer lumar exfiltration

Link:

https://app.any.run/tasks/6adb8857-554e-4244-bfd9-3f96661e9253

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.1660.13512.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67aedbf3a0fd713c335ac993

Tags:

kryptik delphi virus zusy

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Microsoft Corporation

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4a35d2ac-8e8e-4427-ae8b-f589fb0580a3

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1614823

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-02-13 18:57:53 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhaq5znt3xcmptghiq3nttslzst72uhixd5uclfm74dj4y5c62da._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250214-gqem9svpes/

Behaviour

Suspicious behavior: EnumeratesProcesses

Browser Information Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://effficientworkflow.cyou/api

Verdict:

Malicious

Tags:

lumma stealer lumma_stealer c2

YARA:

n/a

Link:

https://app.threat.zone/submission/86552f36-a3bd-410a-b67d-9a9c87255af9

Unpacked files

SH256 hash:

c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686

MD5 hash:

a7a10b23e71ea1eb0f791fe0175dddf1

SHA1 hash:

13d48172ade3bd971eccac0908b054834a4371c9

Link:

https://www.unpac.me/results/04a20569-e39b-45dc-a4ef-4eb22137f542/

SH256 hash:

e1852b7600bf19da3b5a5db4db40274821153bebf592920c3f6274c140f39613

MD5 hash:

428fd49c6ca983608e097c7f9fd2dab6

SHA1 hash:

267147e1dccafcccf91f8f682b75e54837e2774c

Detections:

win_lumma_auto

LummaStealer

Link:

https://www.unpac.me/results/04a20569-e39b-45dc-a4ef-4eb22137f542/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c1c10ee5b3dd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe c1c10ee5b3ddc4c7ccc74436d9ce4bcca7fd50e8b8fb412cacff069e63a2f686

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3438179/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3423144/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowA user32.dll::OpenClipboard user32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample