MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6
SHA3-384 hash: 6d24c41732e4894f7f821fe970897b07a98c09e5dc203426e92c28a3b714c111e6007ce8ebf6ebc17be7682d8d62f92d
SHA1 hash: a87e810985eb35b5350808a3adc7deb93971b454
MD5 hash: b46936cffdc42cdae5d2ac630d4d2ea3
humanhash: ink-pip-shade-twenty
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'000'320 bytes
First seen:2024-10-31 01:06:59 UTC
Last seen:2024-10-31 01:13:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:1Mhgt9ax/IZHpQjwUKKDGlRfq25v4hSmtafwLf/zVCHXhBo6+t4PnRzx+OZunF/p:1MS2x/SHp8AsS8a0KNPRx+OsBdCUwe/
Threatray 1 similar samples on MalwareBazaar
TLSH T1A6D52952B51565CBD8CA16788627DD827DAE03BE0B2108D3D969A4BE7E63CC113FDC2C
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
738
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-31 01:09:12 UTC
Tags:
lumma stealer loader amadey botnet stealc themida
Link:
https://app.any.run/tasks/37b273ed-79e5-4018-854e-a4e7eb017854

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.21104.1880.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6722d83d8d23d90491321a24
Tags:
autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c693193a-dcb2-446c-934d-1cde56a083f9
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1545799
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates a Windows Service pointing to an executable in C:\Windows
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545799 Sample: file.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 96 thumbystriw.store 2->96 98 presticitpo.store 2->98 100 8 other IPs or domains 2->100 124 Suricata IDS alerts for network traffic 2->124 126 Found malware configuration 2->126 128 Antivirus detection for dropped file 2->128 130 21 other signatures 2->130 9 skotes.exe 3 31 2->9         started        14 file.exe 2 2->14         started        16 svchost.exe 4 2 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 114 185.215.113.43, 49964, 49977, 80 WHOLESALECONNECTIONSNL Portugal 9->114 116 154.216.17.34, 49982, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 9->116 118 31.41.244.11 AEROEXPRESS-ASRU Russian Federation 9->118 76 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\9fee9e49cf.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\fc0b992f89.exe, PE32 9->80 dropped 90 9 other malicious files 9->90 dropped 168 Creates multiple autostart registry keys 9->168 170 Hides threads from debuggers 9->170 190 2 other signatures 9->190 20 b6ea789a1a.exe 9->20         started        23 fc0b992f89.exe 9->23         started        26 configuredInstallerEXE.exe 2 2 9->26         started        39 2 other processes 9->39 120 necklacedmny.store 188.114.97.3, 443, 49704, 49705 CLOUDFLARENETUS European Union 14->120 122 185.215.113.16, 49712, 80 WHOLESALECONNECTIONSNL Portugal 14->122 82 C:\Users\user\...\RYM16770HTK1NZSZ1PW5P28.exe, PE32 14->82 dropped 84 C:\Users\...\8SZZEZ7G49OJ4AUNR04YUJXCEXW8.exe, PE32 14->84 dropped 172 Query firmware table information (likely to detect VMs) 14->172 174 Found many strings related to Crypto-Wallets (likely being stolen) 14->174 176 Tries to evade debugger and weak emulator (self modifying code) 14->176 192 3 other signatures 14->192 29 8SZZEZ7G49OJ4AUNR04YUJXCEXW8.exe 4 14->29         started        31 RYM16770HTK1NZSZ1PW5P28.exe 9 1 14->31         started        86 C:\Windows\...\ThreadRestartTerminal.dll, PE32+ 16->86 dropped 88 C:\Windows\...\RemotePrinterSecurity.dll, PE32+ 16->88 dropped 178 Benign windows process drops PE files 16->178 180 Creates a Windows Service pointing to an executable in C:\Windows 16->180 182 Adds a directory exclusion to Windows Defender 16->182 33 cmd.exe 1 16->33         started        35 cmd.exe 16->35         started        184 Found strings related to Crypto-Mining 18->184 186 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->186 188 Tries to harvest and steal browser information (history, passwords, etc) 18->188 37 firefox.exe 18->37         started        file6 signatures7 process8 dnsIp9 132 Multi AV Scanner detection for dropped file 20->132 134 Query firmware table information (likely to detect VMs) 20->134 150 2 other signatures 20->150 102 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 23->102 152 3 other signatures 23->152 104 telegram.org 149.154.167.99 TELEGRAMRU United Kingdom 26->104 106 www.google.com 142.250.185.68 GOOGLEUS United States 26->106 108 grabify.link 104.26.9.202 CLOUDFLARENETUS United States 26->108 92 C:\Windows\...\BackupOfflineDownload.dll, PE32+ 26->92 dropped 136 Creates a Windows Service pointing to an executable in C:\Windows 26->136 94 C:\Users\user\AppData\Local\...\skotes.exe, PE32 29->94 dropped 138 Antivirus detection for dropped file 29->138 140 Detected unpacking (changes PE section rights) 29->140 154 2 other signatures 29->154 41 skotes.exe 29->41         started        156 6 other signatures 31->156 142 Adds a directory exclusion to Windows Defender 33->142 44 powershell.exe 23 33->44         started        46 conhost.exe 33->46         started        48 powershell.exe 35->48         started        50 conhost.exe 35->50         started        110 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 GOOGLEUS United States 37->110 112 127.0.0.1 unknown unknown 37->112 56 2 other processes 37->56 144 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 39->144 146 Binary is likely a compiled AutoIt script file 39->146 148 Found direct / indirect Syscall (likely to bypass EDR) 39->148 52 taskkill.exe 39->52         started        54 taskkill.exe 39->54         started        58 4 other processes 39->58 file10 signatures11 process12 signatures13 158 Antivirus detection for dropped file 41->158 160 Detected unpacking (changes PE section rights) 41->160 162 Machine Learning detection for dropped file 41->162 166 4 other signatures 41->166 164 Loading BitLocker PowerShell Module 44->164 60 conhost.exe 44->60         started        62 WmiPrvSE.exe 44->62         started        64 conhost.exe 48->64         started        66 conhost.exe 52->66         started        68 conhost.exe 54->68         started        70 conhost.exe 58->70         started        72 conhost.exe 58->72         started        74 conhost.exe 58->74         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-10-31 01:08:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2abkithztais7enfuen73zbsbk3gzugsdovrloiiqjywlx23j63a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241031-bgm1dswbnh/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0fc46ed4-ad51-477d-aba3-f5e19a52e592
Unpacked files
SH256 hash:
4485fdec76e4e8f929112a63316f56f1b5c76a51e09ee2fe18168fb3f98781ac
MD5 hash:
2a2b9bb2383e8abecd14119b547f35fe
SHA1 hash:
e18b857abf0a1b9bc67161756bc1ee248f4f156c
Link:
https://www.unpac.me/results/6c2251c8-ee6e-4730-8ab8-b157b76cff93/
SH256 hash:
d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6
MD5 hash:
b46936cffdc42cdae5d2ac630d4d2ea3
SHA1 hash:
a87e810985eb35b5350808a3adc7deb93971b454
Link:
https://www.unpac.me/results/6c2251c8-ee6e-4730-8ab8-b157b76cff93/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d002a44cf998/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d002a44cf998112f91a5a11bfde4320ab66cd0d21bab15b908827165df5b4fb6

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments