MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: LummaStealer
Vendor detections: 16

SHA256 hash: cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce
SHA3-384 hash: 2007e5ae9c8caab870b0e04470c3b3eee0fd8bc3ceeb90f5635e80a0b9ba81e7806fc89fe7a809089c3eb7a32b262d2e
SHA1 hash: cf5665241bc0ea70d7856ea75b812619cb31fb94
MD5 hash: b3834900eea7e3c2bae3ab65bb78664a
humanhash: social-alpha-tennessee-bakerloo
File name: b3834900eea7e3c2bae3ab65bb78664a.exe
Signature: LummaStealer
File size: 4'122'560 bytes
First seen: 2024-12-10 06:11:26 UTC
Last seen: 2025-03-05 08:21:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c35b1b659c725982ad4cef172637ca20 (1 x LummaStealer)
ssdeep: 98304:SwPl/Lc5I2RmFZWMHs7cfzj0BQxmr1rzPcnUpQ0gmlq/Hf:Bt/LchcLs8zj0BQ2rzUX0gvHf
TLSH: T111162384ADCDA2B1EE7CB8AA38471366CF9141D728744DAD734A2609235F7847FED0E4
TrID: 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      23.5% (.EXE) Generic Win/DOS Executable (2002/3)
      23.5% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: 185-215-113-209 exe LummaStealer signed

Code Signing Certificate

Organisation: IBM USA
Issuer: IBM USA
Algorithm: sha512WithRSAEncryption
Valid from: 2024-05-26T15:20:14Z
Valid to: 2026-06-10T00:00:00Z
Serial number: 34dd621e6c0b1444b819139493d93372
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 5dd64715599474ae66d57dda087e9b8ed5874fa653f654d1e3d1c3a2f9d20d6d
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 384
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729
Verdict: Malicious activity
Analysis date: 2024-11-17 16:34:17 UTC
Tags: amadey botnet stealer loader stealc themida lumma exfiltration purecrypter rdp
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: packed virus zusy

Result
Verdict: Malware
Maliciousness:

Behaviour
Behavior that indicates a threat:
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Query of malicious DNS domain

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mpress net packed packed packed packer_detected zusy

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
LummaC encrypted strings found
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.LummaC
Status: Malicious
First seen: 2024-11-17 16:57:29 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer
Similar samples:

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour:
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 5094565abc62a5964ee0410cad747de65054e82d71d0b9a99460304967926b8f
MD5 hash: a1db03af2fd1055a8687db05e0cdcf27
SHA1 hash: f7556c2e059e5ebe1c136f664f06c51cb176e6d2
Detections: LummaStealer INDICATOR_EXE_Packed_MPress

SHA256 hash: cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce
MD5 hash: b3834900eea7e3c2bae3ab65bb78664a
SHA1 hash: cf5665241bc0ea70d7856ea75b812619cb31fb94

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_MPress
Author: ditekSHen
Description: Detects executables built or packed with MPress PE compressor

Rule name: mpress_2_xx_x86
Author: Kevin Falcoz
Description: MPRESS v2.XX x86 - no .NET

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: TeslaCryptPackedMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer   Executable exe   cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                       Severity
CHECK_AUTHENTICODE          Missing Authenticode                                        high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)      high
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection    high
CHECK_TRUST_INFO            Requires Elevated Execution (Unrestricted:true)             high

Reviews
ID          Capabilities               Evidence
SHELL_API   Manipulates System Shell   SHELL32.dll::SHGetFileInfoW

Comments