MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5
SHA3-384 hash: dc72a0401de494a0067a2ee990a9bbb52e83fb34259a6e2eaa7cd73d7c975d5bf88ad156caa0fc3f8bf43625aba42913
SHA1 hash: c8fc866edd5606f74608b92263fbdc11b65aa946
MD5 hash: ef9e0173d57f5bb644bd002f04d124bc
humanhash: bravo-four-golf-juliet
File name:SentraX.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'033'728 bytes
First seen:2025-04-27 23:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d6937b39d566e5795f3eb7422ac303be (21 x LummaStealer, 2 x DarkCloud, 1 x CoinMiner)
ssdeep 24576:znCen7hIFoMyoD6sTz1U8nAUHN2IFoMyoD6sTz1U8nAUHN:zdn7hIFou2uYUH0IFou2uYUH
Threatray 58 similar samples on MalwareBazaar
TLSH T108250228D25A90EAE56742735F443305F4B37C33D76869BF61E0E3312A96BC80EB9791
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Yuyuko_Saigyouji
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
418
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Samples.zip
Verdict:
Malicious activity
Analysis date:
2025-04-27 23:03:55 UTC
Tags:
arch-exec loader lumma stealer telegram
Link:
https://app.any.run/tasks/0f2085fb-2192-4627-9b85-6587d2520182

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4489/
Detection(s):
Win.Packed.Zusy-10044253-0
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680ebe2ccc5fb3600cc39349
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt entropy microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/680ebd89218c4a98ade42edb/reports/cc47e303-a995-46c9-9bc7-df060b0ad49d/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9b3f2dad-cceb-4fe1-b724-6833f46b100e
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675710
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5/
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-04-27 23:28:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4flvn7yhlqjeyebhzc2c7ts3xwgracsmpqimmjgly2zifao45hsq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1ebb9e35517e07efff9c34bf861b373da69d370e33c07b44bac3cf71aed7c71d
LummaStealer
7d745640a79e20c5bf838275fd690edef71279806c672cc007675625fd1c6ddc
LummaStealer
8064b05b68f87a7bf759983a0d614648fd61faf3f2465aabea0e6895c3432809
LummaStealer
e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5
LummaStealer
e39c3d6055dcadfdb324148efaea077d62e87818ed400c454edc37a0a43d2a4d
LummaStealer
e9d60be071ec458d7174d18b71b6b2fb925c61f662a447e8419fc11f9aab1a21
LummaStealer
ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
LummaStealer
error
LummaStealer
+ 48 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250427-3f2kyawpt8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://mediaflowq.run/aeui
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://tropiscbs.live/iuwxx
https://cartograhphy.top/ixau
https://biosphxere.digital/tqoa
https://topographky.top/xlak
https://climatologfy.top/kbud
https://vigorbridgoe.top/banb
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa8e093f-46b1-4375-83d1-650fb8fa52e5
Unpacked files
SH256 hash:
e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5
MD5 hash:
ef9e0173d57f5bb644bd002f04d124bc
SHA1 hash:
c8fc866edd5606f74608b92263fbdc11b65aa946
Link:
https://www.unpac.me/results/9248bd52-b8e6-4df5-b6a5-c30f31574ab4/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e15756ff075c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e15756ff075c124c1027c8b42fce5bbd8d100a4c7c10c624cbc6b28281dce9e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4489/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments


Avatar
commented on 2025-04-27 23:30:57 UTC

LummaStealer