MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
SHA3-384 hash: 07ac149c26167cdbe518a8f85b3f3c5c99d07cd666f70f0a22d6e539fa2b014258e86a6310fe14c6c4f278efafcd1506
SHA1 hash: 767e39aa9f02592d4234f38a21ea9a0e5aa66c62
MD5 hash: 6e3dc1be717861da3cd7c57e8a1e3911
humanhash: zulu-moon-dakota-kansas
File name:QGFQTHIU.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:5'682'380 bytes
First seen:2025-01-17 11:28:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 07c4dc6e132c507bcef10998173e3c81 (3 x DanaBot, 2 x LummaStealer, 1 x Rhadamanthys)
ssdeep 98304:UK/ZoaSs+bgcPlK+rSN2xeELJ4g1x3+FbdYapMDrEPxiJVwJyHLcnP6WfwCA+D://uVs+bH9K+OGeIBSHqDIPI7WOLyyWfF
Threatray 1 similar samples on MalwareBazaar
TLSH T17546127677E414F9C4BA47BBE6818171FE74B24D3721617E8AA4852C2F3B92864BF301
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter NDA0E
Tags:dllHijack exe HIjackLoader IDATLoader LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4500005767-INVOICE.pdf.lnk
Verdict:
Malicious activity
Analysis date:
2025-01-09 18:12:39 UTC
Tags:
loader lumma stealer
Link:
https://app.any.run/tasks/969aeb9c-17fd-4821-b4a7-b3791e75ab8b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678a3f024487910100dfc791
Tags:
autorun dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Launching a process
DNS request
Behavior that indicates a threat
Sending a custom TCP request
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm CAB crypto crypto evasive expand explorer fingerprint fingerprint installer keylogger lolbin microsoft_visual_cc overlay packed packed packer_detected rat remote rundll32 runonce
Link:
https://www.filescan.io/uploads/678a3f07ba38081b4a1a5ad6/reports/3c4381d6-c0aa-4d4f-91b2-6ecfdc0f2554/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/26f16f71-4b74-4417-9510-288bee81ca82
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1593636
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1593636 Sample: QGFQTHIU.exe Startdate: 17/01/2025 Architecture: WINDOWS Score: 100 66 clamfluffys.click 2->66 68 wholersorie.shop 2->68 70 8 other IPs or domains 2->70 80 Suricata IDS alerts for network traffic 2->80 82 Found malware configuration 2->82 84 Antivirus detection for URL or domain 2->84 86 7 other signatures 2->86 11 QGFQTHIU.exe 8 2->11         started        14 msn.exe 1 2->14         started        signatures3 process4 file5 64 C:\Windows\Temp\...\QGFQTHIU.exe, PE32+ 11->64 dropped 17 QGFQTHIU.exe 18 11->17         started        104 Maps a DLL or memory area into another process 14->104 106 Found direct / indirect Syscall (likely to bypass EDR) 14->106 21 cmd.exe 2 14->21         started        signatures6 process7 file8 44 C:\Windows\Temp\...\msncore.dll, PE32 17->44 dropped 46 C:\Windows\Temp\...\msn.exe, PE32 17->46 dropped 48 C:\Windows\Temp\...\msidcrl40.dll, PE32 17->48 dropped 52 3 other files (2 malicious) 17->52 dropped 74 Multi AV Scanner detection for dropped file 17->74 23 msn.exe 8 17->23         started        50 C:\Users\user\AppData\Local\Temp\imch, PE32 21->50 dropped 76 Injects code into the Windows Explorer (explorer.exe) 21->76 78 Writes to foreign memory regions 21->78 27 explorer.exe 21->27         started        29 conhost.exe 21->29         started        signatures9 process10 file11 56 C:\Users\user\AppData\Roaming\...\msncore.dll, PE32 23->56 dropped 58 C:\Users\user\AppData\Roaming\...\msn.exe, PE32 23->58 dropped 60 C:\Users\user\AppData\...\msidcrl40.dll, PE32 23->60 dropped 62 2 other files (1 malicious) 23->62 dropped 98 Switches to a custom stack to bypass stack traces 23->98 100 Found direct / indirect Syscall (likely to bypass EDR) 23->100 31 msn.exe 1 23->31         started        102 System process connects to network (likely due to code injection or exploit) 27->102 signatures12 process13 signatures14 108 Maps a DLL or memory area into another process 31->108 110 Switches to a custom stack to bypass stack traces 31->110 34 cmd.exe 4 31->34         started        process15 file16 54 C:\Users\user\AppData\Local\Temp\xmr, PE32 34->54 dropped 88 Injects code into the Windows Explorer (explorer.exe) 34->88 90 Writes to foreign memory regions 34->90 92 Found hidden mapped module (file has been removed from disk) 34->92 94 3 other signatures 34->94 38 explorer.exe 34->38         started        42 conhost.exe 34->42         started        signatures17 process18 dnsIp19 72 steamcommunity.com 104.102.49.254, 443, 49740, 49794 AKAMAI-ASUS United States 38->72 96 Switches to a custom stack to bypass stack traces 38->96 signatures20
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30/
Threat name:
Win32.Exploit.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-01-09 13:44:18 UTC
File Type:
PE+ (Exe)
Extracted files:
477
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2sryrtavd6swg6pzvrxprn4fdntvbqxm7qwi62ievrqafbs4j4ya._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250117-nlkgaawlhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/66b4c13f-a022-4c48-838c-7d4bf1d4c5cd
Unpacked files
SH256 hash:
f73e3f3d3fea1a556b8a91680c13b3969136c2abdf9121604b9389bdd1fc58e9
MD5 hash:
ac97328f67d0877e526fb6ac131bf4be
SHA1 hash:
9f61ffe3f3ca2463929bfea3292ffe9ca003af18
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
SH256 hash:
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
MD5 hash:
43143abb001d4211fab627c136124a44
SHA1 hash:
edb99760ae04bfe68aaacf34eb0287a3c10ec885
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
SH256 hash:
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74
MD5 hash:
537915708fe4e81e18e99d5104b353ed
SHA1 hash:
128ddb7096e5b748c72dc13f55b593d8d20aa3fb
Detections:
win_isfb_a5
Create hunting rule
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
Parent samples :
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
5ef116f58aa4abf04c51fd00feaea17ad3101756531ed2211e870b695a935a19
001ed28bb197b4a9ae1d113dfe44d3db21518c610b18229a49b5bbdd8a59f3a3
SH256 hash:
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575
MD5 hash:
ef66829b99bbfc465b05dc7411b0dcfa
SHA1 hash:
c6f6275f92053b4b9fa8f2738ed3e84f45261503
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
SH256 hash:
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd
MD5 hash:
54ee6a204238313dc6aca21c7e036c17
SHA1 hash:
531fd1c18e2e4984c72334eb56af78a1048da6c7
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
SH256 hash:
d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
MD5 hash:
6e3dc1be717861da3cd7c57e8a1e3911
SHA1 hash:
767e39aa9f02592d4234f38a21ea9a0e5aa66c62
Link:
https://www.unpac.me/results/4ed6525c-9575-4a71-8042-21a14a6bebbb/
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d4a388cc151f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

aad0f1ff851fac74a3f90d796e989dd48e195811613cf0bbce102328241bd498

LummaStealer

Executable exe d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

(this sample)

  
Dropped by
SHA256 aad0f1ff851fac74a3f90d796e989dd48e195811613cf0bbce102328241bd498
  
URLhaus
https://urlhaus.abuse.ch/url/3395010/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3403543/
  
URLhaus
https://urlhaus.abuse.ch/url/3403545/
  
URLhaus
https://urlhaus.abuse.ch/url/3403547/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::IsWellKnownSid
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt FilesADVAPI32.dll::DecryptFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
ADVAPI32.dll::QueryServiceStatus
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments