MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e
SHA3-384 hash: fc9fd8e8011800f06e8260ff7679e8acaba23571d2679ba794f2d96ac07eb7e49d76e9457b8448921fcd6c58e7bafc23
SHA1 hash: 8d3cddf30d8ae3cc7da5f1fde44180fa026b6ede
MD5 hash: 55c30b715e999d9484985547ac05830d
humanhash: victor-magazine-edward-grey
File name:55c30b715e999d9484985547ac05830d.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'018'752 bytes
First seen:2024-11-09 09:27:51 UTC
Last seen:2024-11-09 11:19:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:HfbSGW+BKXA8qjI+MSocqYTh2m0b+CydTcGVKIjxQx:/bpW+BKw8cI+MSXDoxmCAKmxQ
Threatray 22 similar samples on MalwareBazaar
TLSH T1ADD53966B44671CBD08F1778952BCE839A6D42F94B1148C39A6CA4BB7EB7CC113F6C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
396
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
55c30b715e999d9484985547ac05830d.exe
Verdict:
Malicious activity
Analysis date:
2024-11-09 10:20:00 UTC
Tags:
lumma stealer possible-phishing stealc loader
Link:
https://app.any.run/tasks/ba560dd6-1b90-48de-bd0f-8e454bb8ffd2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.4093.17914.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672f2b651621f8e41b8eef52
Tags:
extens virus gates spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt to an infection source
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/672f2b2ece6c55443a7cf6e5/reports/49a937ab-d9f6-4e41-bf8e-25caa4033f3c/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/86e0ead5-8bc3-4e5b-892a-93966e686a12
Result
Threat name:
LummaC, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552756
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2024-11-08 06:32:45 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y3oq3vbhx77etiszrseszp4ltfmyhabg3hjhmozjtrc4cvmb3rxa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
081f9e0a9e65b22dab9c5c5205399607ad96383bbaaf9b3b9374579fcccdd324
LummaStealer
15952521ff76d233a2a4ab1700dc4a27933d34bcd59a3f9525497a6acd768d1d
LummaStealer
5dfde1e8d6497d390932513c76a7ca843048a3bc54a4a28e951d849f111d2bec
LummaStealer
6b22d26911eb66569332d90e75f680c8247ecaa68c7e774a6890853120c584f3
LummaStealer
99fbb34df65b1c9f794e9f9df7bfc442c6711b15e33bc5a0b6bb16865f25f1ee
LummaStealer
9eaaf032ee84ab135ec907c0261d7e4d37494ca00fc0f9b7b04546748de5f3ee
LummaStealer
aef3d9251396a26931cbd3017f03bec1a47891a071b0814d87d32f3ba11acd07
LummaStealer
bb33cfadd7bfc13899d4955532e7e3594b39083d83c3774688f98455ed4da3be
LummaStealer
c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e
LummaStealer
error
LummaStealer
fdef385c18f52c3ecfe3a8c2b71274cd7110cf15ac134d79d97874481646cd77
LummaStealer
+ 12 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241109-lfdqfasbpm/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f01dc7f4-c60d-4447-8324-67da3f48a1ab
Unpacked files
SH256 hash:
0d8280e9d7f0ca6a42a8e9c502b2198acd19ce0c5cbe143ada265798fd0a248f
MD5 hash:
e03dd2131606072b005bc7ac129aa2c1
SHA1 hash:
f1b758d8c128906d6cf3c04c125d5470006e23b9
Link:
https://www.unpac.me/results/72904ffc-9c97-4299-ba6c-25e043206603/
SH256 hash:
c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e
MD5 hash:
55c30b715e999d9484985547ac05830d
SHA1 hash:
8d3cddf30d8ae3cc7da5f1fde44180fa026b6ede
Link:
https://www.unpac.me/results/72904ffc-9c97-4299-ba6c-25e043206603/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe c6dd0dd427bffe49a2598c892cbf8b9959838026d9d2763b299c45c15581dc6e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3255222/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3273368/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments