MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b
SHA3-384 hash: 88622c657894da00a437917fe839ca786d3746a110159467ae01ac7942e607e16a5ac2a2c530fa0724e75dfa2d03a30f
SHA1 hash: c30655c84d8dc5085ca624aacf43e84b5fdcf9e1
MD5 hash: 41f1ce7bec40639fa7250d725aa0e3cb
humanhash: berlin-zulu-mississippi-orange
File name:MinecraftAi.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'293'824 bytes
First seen:2024-11-10 11:24:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d6f98113c66df43b5da38ac2d17d2067 (3 x LummaStealer)
ssdeep 24576:s8iOWBzCMenFGciGcEbkx5WQWjSL9G53sBms8:sHO4wnMc1ox5WheT/
Threatray 6 similar samples on MalwareBazaar
TLSH T15B55D694FE78D482FA88C97FF90053F82C1707D04F6046E77DBA99143AA6D7240A77A9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://github.com/ChubyGer/minecraft-ai/blob/main/MinecraftAi.exe

Lumma C2:
https://pragapin.sbs/api
https://repostebhu.sbs/api
https://thinkyyokej.sbs/api
https://ducksringjk.sbs/api
https://explainvees.sbs/api
https://brownieyuz.sbs/api
https://rottieud.sbs/api
https://tamedgeesy.sbs/api
https://relalingj.sbs/api
https://steamcommunity.com/profiles/76561199724331900
https://marshal-zhukov.com/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'235
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MinecraftAi.exe
Verdict:
No threats detected
Analysis date:
2024-11-10 11:52:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50b75620-0bbd-4441-ba6e-c45e54ba6510

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.25964.576.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673098586c614f3030a3fdaf
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6730980fddd275bc606b7237/reports/9de5f49f-7bc2-4d07-8b99-7192b9eb5df8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9201a07-f1a2-43f2-954f-a87cb6664861
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1553140
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2024-11-10 11:25:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bnyykpwfrzjuvtcicl5wl66gzjwtwfcaw4syxlv2nri7xnnqunq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
2806b7e515048d1a620b70f50e2a638ffa4ef35502405e2c02e5098d71da65b6
LummaStealer
6a618026ba93793a3a4b4068b4ced7d69bbf8fa9ebce4d1b4f61ca5a4711f79a
LummaStealer
ca00cf9b91b318e686cc93dba7466690338f8b2ad1ae49d1d3e4cb53adf7618b
LummaStealer
d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b
LummaStealer
error
LummaStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/241110-nh9xrsypal/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4618184e-5d5a-4eb9-a09f-7e14f6da2e0c
Unpacked files
SH256 hash:
fd2df3bbb68861001b3a94de05db181a0d59f9d82f53ceafe76028870306ba42
MD5 hash:
afb20a37f8d1c7e5d93ef36b00ac12eb
SHA1 hash:
d110990ac0b7d39ba2c03801ab2433b590c9d1d8
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/4135fb9e-cc67-46cd-ad30-97b9a6028138/
SH256 hash:
d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b
MD5 hash:
41f1ce7bec40639fa7250d725aa0e3cb
SHA1 hash:
c30655c84d8dc5085ca624aacf43e84b5fdcf9e1
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/4135fb9e-cc67-46cd-ad30-97b9a6028138/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d85b8c29f62c729a56624097db2fde365369d8a205b92c5d75d3628fddad851b

(this sample)

  
Link
https://tria.ge/241110-ndmlnsvndw
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetFileAttributesA

Comments