MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56
SHA3-384 hash: 676c9fc1d3e602ce2464f5549ad3ab338067504516cc7fd3eee843714cab5fa8ab636f77f865add3dc23a51abd84f321
SHA1 hash: 3bac8ce3881f4a9284788f432aae6f1376e115f8
MD5 hash: 6611d1f2c4796567a6bbe5310af5a369
humanhash: hamper-xray-alabama-carolina
File name:divz.mp4
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'420'444 bytes
First seen:2025-01-23 05:45:33 UTC
Last seen:2025-01-28 08:21:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 994f18cb9978574a2203372470f204bc (7 x LummaStealer, 6 x Emmenhtal)
ssdeep 24576:sU7LpZrGd9HQvRU7LpZrGd9HQvGU7LpZrGd9HQvBU7LpZrGd9HQv:sUmd9HQpUmd9HQuUmd9HQJUmd9HQ
TLSH T1FD656BB17A488D31EEE322B8296D757B5A3CFCA50F2061C763E417DD99716D06A3038B
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 10f079f892ea78b0 (18 x Emmenhtal, 7 x LummaStealer, 4 x CoinMiner)
Reporter lontze7
Tags:Emmenhtal EmmenhtalLoader exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
536
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://gets-quant.oss-ap-southeast-7.aliyuncs.com/divz.mp4
Verdict:
No threats detected
Analysis date:
2025-01-23 12:13:54 UTC
Tags:
loader
Link:
https://app.any.run/tasks/df07346a-2fbb-4965-866f-e39052c24942

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
ditekSHen.MALWARE.Win.Trojan.FakeCaptcha-Downloader.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6791dcd4e708b6e7a3b027dc
Tags:
injection
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm fingerprint masquerade microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6791d7a00eee786a60c04ac3/reports/be4d254a-60a7-4ea5-b16e-42aae46108cc/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MustardSandwich
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5265918e-0c88-4de9-b314-494dd52d9c61
Result
Threat name:
Emmenhtal Loader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1597301
Signature
Malicious sample detected (through community Yara rule)
Yara detected Emmenhtal Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1597301 Sample: divz.mp4.exe Startdate: 23/01/2025 Architecture: WINDOWS Score: 56 10 Malicious sample detected (through community Yara rule) 2->10 12 Yara detected Emmenhtal Loader 2->12 6 divz.mp4.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
Score:
24%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jhrl5u3dqgk2bohufvs447ull63d5xrzkxhmwhovkl3poevhzla._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250123-ggab7avpaz/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ffb8caf-51d6-4eae-9932-e01fcf6e3bad
Unpacked files
SH256 hash:
d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56
MD5 hash:
6611d1f2c4796567a6bbe5310af5a369
SHA1 hash:
3bac8ce3881f4a9284788f432aae6f1376e115f8
Detections:
Emmenhtal
Create hunting rule
win_Emmenhtal_w0
Create hunting rule
Link:
https://www.unpac.me/results/86912b1b-0d0c-4e4a-ba7e-214aadcd7beb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EmmenHTAl
Create hunting rule
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_Emmenhtal_w0
Create hunting rule
Author:cert-orangecyberdefense

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d24f15f69b1c0cad05c7a16b2e73f45afdb1f6f1caae7658eeaa97b7b8953e56

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3410871/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationapi-ms-win-security-sddl-l1-1-0.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-security-sddl-l1-1-0.dll::ConvertStringSidToSidW
api-ms-win-security-base-l1-1-0.dll::CopySid
api-ms-win-security-base-l1-1-0.dll::CreateWellKnownSid
api-ms-win-security-base-l1-1-0.dll::EqualPrefixSid
api-ms-win-security-base-l1-1-0.dll::GetLengthSid
COM_BASE_APICan Download & Execute componentsapi-ms-win-core-com-l1-1-0.dll::CLSIDFromProgID
api-ms-win-core-com-l1-1-0.dll::CoCreateInstance
api-ms-win-core-com-l1-1-0.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIapi-ms-win-security-base-l1-1-0.dll::AddAccessAllowedAce
api-ms-win-security-base-l1-1-0.dll::AddAce
api-ms-win-security-base-l1-1-0.dll::AdjustTokenPrivileges
api-ms-win-security-base-l1-1-0.dll::GetAclInformation
api-ms-win-security-base-l1-1-0.dll::GetTokenInformation
api-ms-win-security-base-l1-1-0.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and Threadsapi-ms-win-core-processthreads-l1-1-0.dll::OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.dll::OpenThreadToken
api-ms-win-core-processthreads-l1-1-1.dll::SetProcessMitigationPolicy
api-ms-win-core-synch-l1-1-0.dll::OpenSemaphoreW
api-ms-win-core-memory-l1-1-0.dll::WriteProcessMemory
api-ms-win-core-handle-l1-1-0.dll::CloseHandle
WIN_BASE_APIUses Win Base APIapi-ms-win-core-processthreads-l1-1-0.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExW
api-ms-win-core-libraryloader-l1-2-1.dll::LoadLibraryW
WIN_BASE_IO_APICan Create Filesapi-ms-win-core-memory-l1-1-0.dll::CreateFileMappingW
ntdll.dll::NtCreateFile
api-ms-win-core-file-l1-1-0.dll::CreateFileW
api-ms-win-core-file-l1-1-0.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account Informationapi-ms-win-security-lsalookup-l2-1-0.dll::LookupAccountNameW
api-ms-win-security-lsalookup-l2-1-0.dll::LookupAccountSidW
api-ms-win-security-lsalookup-l2-1-0.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryapi-ms-win-core-registry-l1-1-0.dll::RegCreateKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegDeleteKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegGetValueW
api-ms-win-core-registry-l1-1-0.dll::RegOpenKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegQueryInfoKeyW
api-ms-win-core-registry-l1-1-0.dll::RegQueryValueExW

Comments