MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LunaLogger

Vendor detections: 11

Intelligence 11 IOCs YARA 23 File information Comments

SHA256 hash:	ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9
SHA3-384 hash:	c6e59ddb8e87210bb5e42ac9868b343dae2b3410a926f294348db7d70616670e238778eded2219058cbcbc57131c74c1
SHA1 hash:	17150815e194897c348f588db8eacc915f4d4974
MD5 hash:	9bbee5d6aa4567f3f38c3e499041df6a
humanhash:	berlin-island-east-mockingbird
File name:	TS-240518-Luna6.exe
Download:	download sample
Signature	LunaLogger Create hunting rule
File size:	17'691'625 bytes
First seen:	2024-05-18 02:33:50 UTC
Last seen:	2024-05-18 03:24:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4f2e2b03fe5666a721620fcea3aea9b (15 x BlankGrabber, 10 x PythonStealer, 6 x CrealStealer)
ssdeep	393216:Qv90+5SYzTh2Jp5M4urEUWjpPafIE5PKk9buK+x:u9PJTh6dbpafIbkEK+
Threatray	93 similar samples on MalwareBazaar
TLSH	T1DB0733D927701890F996503B956BC8019777FCB257A8C35F0AF832A62F437E08D3AE65
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	kafan_shengui
Tags:	exe LunaLogger

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9.exe

Verdict:

Malicious activity

Analysis date:

2024-05-18 16:43:50 UTC

Tags:

evasion python discord discordgrabber generic stealer

Link:

https://app.any.run/tasks/1831f257-1f7b-4c4e-9522-0c6cc28c4800

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.8492.21444.UNOFFICIAL

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Using the Windows Management Instrumentation requests

Creating a file

DNS request

Connection attempt

Delayed reading of the file

Sending a custom TCP request

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

expand lolbin overlay packed packed packed packed pyinstaller pyinstaller python

Link:

https://www.filescan.io/uploads/66481400bc04dffa921e86a4/reports/f4b6a60c-d5f3-4f87-b92e-26bdcba8eb69/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a67fb2c8-83bf-4a64-a734-f78a99913df8

Result

Threat name:

Luna Logger

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1443688

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Luna Logger

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9/

Threat name:

Win64.Trojan.LunaLogger

Status:

Malicious

First seen:

2024-05-10 22:29:55 UTC

File Type:

PE+ (Exe)

Extracted files:

1573

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3wwdwlypu42o34vapwym53azyojgxfbdgfhdcog4fgqfncq43tmq._file

Verdict:

unknown

LunaLogger

215fbdf1d0e7183bda896248c954a58d05b15e0e39e9e00d3814f4362fcff0ad

LunaLogger

51d9264e591df98e96eb17cc0fc735cbcd32a4448c2c5497d51924ad95fc9a6d

LunaLogger

a2bc5f647723f5af00feb34d1dd7bc73942207416f5a49425baceab8f251d473

LunaLogger

a879fcea4ce6f6041ffc6271c261cf6fc09ec21ac118db277572ddf7b08e8708

LunaLogger

c0aace14aa0063bbe33249fd42bc296974a9bb41cae186e1cdd1c28cbe77973a

LunaLogger

db700864811a1de2e51bcd01a28b480f4b3cf97d903134a5fe4ab9f8d38f3a35

LunaLogger

+ 83 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller upx

Link:

https://tria.ge/reports/240518-c2fx9agc57/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Loads dropped DLL

UPX packed file

Unpacked files

SH256 hash:

ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9

MD5 hash:

9bbee5d6aa4567f3f38c3e499041df6a

SHA1 hash:

17150815e194897c348f588db8eacc915f4d4974

Detections:

PyInstaller

Link:

https://www.unpac.me/results/6acca7be-e440-48b1-b835-d6dc2ee0f7f2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddac3b2f0fa734edf2a07db0ceec19c3926b9423314e3138dc29a0568a1cdcd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	PyInstaller_Packed_April_2024 Create hunting rule
Author:	NDA0N
Description:	Detects files packed with PyInstaller

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample