MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3
SHA3-384 hash:	72d18bf18d1cf07645c7fd93f1df4c45649e6a0618b84980dccaaaaa13192c3069824116eb2acfde554ab47a3a5a622e
SHA1 hash:	91b10f58461f510dd9b8ffc9fe12cb306ecba034
MD5 hash:	d6cbd563d0f12e6344ec1bc101571ef9
humanhash:	beer-yankee-lithium-oklahoma
File name:	1731456726092a03cc4dc50bb57d677300b5d72f6b1cda63b8d3f53c23ba43247e1ddf535c782.dat-decoded
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	356'112 bytes
First seen:	2024-11-13 00:12:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:dYGQfZuMP44Qw+f5osENySVbhRpRbWzlYUJZX1mR6E9KUOexDdsVZc:dMUg4465oDzizyOXgwUOws
TLSH	T1B5748F06EB7390E1DC83847552DEB33FA97A760443384E87DB5CDFE068A3AA17835946
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	base64-decoded exe LummaStealer

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

40'693

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1731456726092a03cc4dc50bb57d677300b5d72f6b1cda63b8d3f53c23ba43247e1ddf535c782.dat-decoded.exe

Verdict:

No threats detected

Analysis date:

2024-11-13 00:19:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/72b33885-e960-41cc-b77b-238822d442ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Zard-10035522-0

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6735180c0552fd58596baf1d

Tags:

injection stealer virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for synchronization primitives

Searching for the window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/6733ef17406b5152907f61bf/reports/ed59907d-d9d2-4975-b600-3e8253b91673/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/23d9f6ab-1500-4d5a-881a-a5a972415efe

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1554840

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-11-13 00:13:05 UTC

File Type:

PE (Exe)

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yjh7kcqvg4vgs2ipjr6npa3at2jjetwdr4xuefefopjvtahqptjq._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/241113-ahr53awrem/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Malware Config

C2 Extraction:

https://moutheventushz.shop/api
https://respectabosiz.shop/api
https://bakedstusteeb.shop/api
https://conceszustyb.shop/api
https://nightybinybz.shop/api
https://standartedby.shop/api
https://mutterissuen.shop/api
https://worddosofrm.shop/api
https://studentyjw.cyou

Verdict:

Malicious

Tags:

Win.Packed.Zard-10035522-0

YARA:

n/a

Link:

https://app.threat.zone/submission/8efa4db0-4501-49ea-a7d0-4694a92c8445

Unpacked files

SH256 hash:

c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3

MD5 hash:

d6cbd563d0f12e6344ec1bc101571ef9

SHA1 hash:

91b10f58461f510dd9b8ffc9fe12cb306ecba034

Detections:

LummaStealer

Link:

https://www.unpac.me/results/d9c1a038-a921-4f7d-8563-9d88b44941e3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lumma Create hunting rule
Author:	kevoreilly
Description:	Lumma Payload

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

092a03cc4dc50bb57d677300b5d72f6b1cda63b8d3f53c23ba43247e1ddf535c

LummaStealer

exe c24ff50a15372a69690f4c7cd783609e92924ec38f2f42148573d35980f07cd3

(this sample)

Dropped by

SHA256 092a03cc4dc50bb57d677300b5d72f6b1cda63b8d3f53c23ba43247e1ddf535c

Dropped by

MD5 f10d7a1461cfd0ef08165f13b5da3307

Dropped by

SHA256 092a03cc4dc50bb57d677300b5d72f6b1cda63b8d3f53c23ba43247e1ddf535c

Dropped by

MD5 f10d7a1461cfd0ef08165f13b5da3307

URLhaus

https://urlhaus.abuse.ch/url/3288376/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3288379/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample