MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e2a10e6ec4d01407e45a75a7b4a548fadc616c9c1b3b7cff3c97e9d0ab7d00b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LunaStealer
Vendor detections: 9
| SHA256 hash: | e2a10e6ec4d01407e45a75a7b4a548fadc616c9c1b3b7cff3c97e9d0ab7d00b1 |
|---|---|
| SHA3-384 hash: | 7db398766a3de6715158d417ea198ad1c69c6b9af2fb41993c28354db53d1b1a8fc504062226447f6bdde2af18339a78 |
| SHA1 hash: | a3c2884784a57ec71c1d7a483b00961be6178922 |
| MD5 hash: | f90ddc5371d068ace98a8d730332885d |
| humanhash: | ceiling-south-video-william |
| File name: | 9D8D941E.exe |
| Download: | download sample |
| Signature | LunaStealer |
| File size: | 17'365'185 bytes |
| First seen: | 2025-01-25 01:06:05 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer) |
| ssdeep | 393216:dv2L+CSX+AGKyy1m1Nq3IHm7HmBY4kRdozChF9AbVJtE:dzRZycm1Nc6BYXRdozC12Vo |
| TLSH | T15507334176A004FAF4AA293FD597C91A8736FE811BB0D3DF463412AA0DB36F1097617B |
| TrID | 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.9% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.ICL) Windows Icons Library (generic) (2059/9) 2.4% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| Reporter |  kafan_shengui |
| Tags: | exe LunaStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
594
Origin country :
USVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/browse/
Verdict:
Malicious activity
Analysis date:
2025-01-25 01:37:05 UTC
Tags:
evasion github stealer python arch-exec luna discord
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Gathering data
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Delayed reading of the file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Reading critical registry keys
Launching the process to change network settings
Сreating synchronization primitives
Stealing user critical data
Forced shutdown of a browser
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed packer_detected
Result
Verdict:
UNKNOWN
Verdict:
Unknown
Result
Threat name:
Python Stealer, Luna Grabber, Luna Logge
Detection:
malicious
Classification:
troj
Score:
88 / 100
Signature
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Yara detected Generic Python Stealer
Yara detected Luna Grabber
Yara detected Luna Logger
Yara detected WIFI Password Stealer
Behaviour
Behavior Graph:
Score:
99%
Verdict:
Malware
File Type:
PE
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2025-01-24 22:15:47 UTC
File Type:
PE+ (Exe)
Extracted files:
1425
AV detection:
11 of 24 (45.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery execution persistence privilege_escalation pyinstaller spyware stealer upx
Behaviour
Detects videocard installed
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
UPX packed file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504
MD5 hash:
ad2c4784c3240063eeaa646fd59be62c
SHA1 hash:
5efab563725781ab38a511e3f26e0406d5d46e8d
SH256 hash:
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
MD5 hash:
862f820c3251e4ca6fc0ac00e4092239
SHA1 hash:
ef96d84b253041b090c243594f90938e9a487a9a
SH256 hash:
e2a10e6ec4d01407e45a75a7b4a548fadc616c9c1b3b7cff3c97e9d0ab7d00b1
MD5 hash:
f90ddc5371d068ace98a8d730332885d
SHA1 hash:
a3c2884784a57ec71c1d7a483b00961be6178922
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | BLOWFISH_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for Blowfish constants |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__ConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Glasses |
|---|---|
| Author: | Seth Hardy |
| Description: | Glasses family |
| Rule name: | GlassesCode |
|---|---|
| Author: | Seth Hardy |
| Description: | Glasses code features |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | ldpreload |
|---|---|
| Author: | xorseed |
| Reference: | https://stuff.rop.io/ |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | PyInstaller |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | SHA512_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA384/SHA512 constants |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | upxHook |
|---|---|
| Author: | @r3dbU7z |
| Description: | Detect artifacts from 'upxHook' - modification of UPX packer |
| Reference: | https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/ |
| Rule name: | upx_largefile |
|---|---|
| Author: | k3nr9 |
| Rule name: | vmdetect |
|---|---|
| Author: | nex |
| Description: | Possibly employs anti-virtualization techniques |
| Rule name: | WHIRLPOOL_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for WhirlPool constants |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::GetTokenInformation |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::FindFirstFileW KERNEL32.dll::RemoveDirectoryW KERNEL32.dll::SetDllDirectoryW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.