MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32
SHA3-384 hash: 5a5bc42be77b6bd7934b05e32bb0d122c78e7eb279aeef838910e4f394a22c67c0e6a510704cdd9b8827490b3f18388f
SHA1 hash: 8658498158e60c3122c3b425dcc9d55f97492d47
MD5 hash: d972044e21e7138907086c65fe32ab88
humanhash: floor-william-jersey-failed
File name:d972044e21e7138907086c65fe32ab88.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:411'648 bytes
First seen:2024-04-28 14:57:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c8bbaaa682c013cc75d9e0c38f1112a (30 x Stealc, 3 x Arechclient2, 1 x LummaStealer)
ssdeep 6144:tE6f5WniafjJXT2GApKs2ciiPrpm+ZLt5e1r+JODE:tEO52LjJy1Es2ciiP1m+ZxorMwE
TLSH T1D9949E03B2F47D90E6A646328E1EB6E8365DF9604E55AB27320DBA8F06FD071C1637D1
TrID 60.4% (.EXE) InstallShield setup (43053/19/16)
14.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0109031329111100 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32.exe
Verdict:
Malicious activity
Analysis date:
2024-04-28 15:01:44 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/103f4e65-073b-4bd2-a6ce-f8650a0260b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Connection attempt to an infection source
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/662e63c247bfd8641eb92589/reports/4205b48b-2fed-4a78-866e-76571976355b/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
STOP Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96101007-a00c-4b24-977c-e900b6d2827c
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1432955
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-04-28 04:35:44 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
22 of 37 (59.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25vxstmujhkmr2pw4arrjngulwhdomhk4m3c74eszwox4hozbmza._file
Verdict:
malicious
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma stealer
Link:
https://tria.ge/reports/240428-sbk3aaae9z/
Behaviour
Program crash
Lumma Stealer
Malware Config
C2 Extraction:
https://strollheavengwu.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Unpacked files
SH256 hash:
4c645945ff1e347aacc3025c467ff39278b635885bfbcdb119d2ac39a9bd556e
MD5 hash:
78faa8aee4e8a1e17f00ab441c3b7363
SHA1 hash:
cc4f7231dfed4e50951464c0dcbe10570d52d0c6
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/14e03682-cc49-42f2-a5d1-5e14d7c21f69/
SH256 hash:
d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32
MD5 hash:
d972044e21e7138907086c65fe32ab88
SHA1 hash:
8658498158e60c3122c3b425dcc9d55f97492d47
Link:
https://www.unpac.me/results/14e03682-cc49-42f2-a5d1-5e14d7c21f69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d76b794d9449d4c8e9f6e02314b4d45d8e3730eae3362ff092cd9d7e1dd90b32

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2797804/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleAliasesA
KERNEL32.dll::GetConsoleProcessList
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::RemoveDirectoryA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
KERNEL32.dll::QueryDosDeviceW

Comments