MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
SHA3-384 hash: bd69406ecda4968e3ea55193e7f4dab2133c912da30499878a597c4c55f08e52ce7936abc76cad93f779e93da17310ea
SHA1 hash: f3499e38acaf1837c7b3d7289dd6627f5f7b3e3f
MD5 hash: a2b2889063a7a3f9785253f937ee6fe4
humanhash: social-lima-victor-monkey
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:11'134'263 bytes
First seen:2024-09-26 19:04:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash df453def9d4f8f1453a5fa51c6608cfc (2 x LummaStealer)
ssdeep 196608:MqlTl1VkwhYYQtjMfgkqixuPZfbaKMlaE+GVaCUGhZPRU74fk7:MWl164YP8dHnhHU74G
Threatray 6 similar samples on MalwareBazaar
TLSH T196B6BF30B38AC536D9960670893DABEF217DBE361B2551CBB2D46D2D18712D32732E63
TrID 45.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
33.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://147.45.44.104/yuop/66f5a53dda014_crypt.exe#es

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-26 19:06:39 UTC
Tags:
lumma stealer loader
Link:
https://app.any.run/tasks/6e71b98b-d9a8-46a2-a547-305415a96431

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Fragtor.641264.4345.20571.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f5b063c5ef4567b6c9e13a
Tags:
Execution Generic Network Stealth Exploit Gumen Tori Sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Behavior that indicates a threat
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug bash dotnet epmicrosoft_visual_cc evasive expand fingerprint lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66f5b0603b87ff03b25c02a0/reports/59b31521-f49b-42b8-af62-7c00347528dc/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/de1596a2-d906-46f5-b0d0-13d4c20ba37c
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1519693
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to prevent local Windows debugging
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1519693 Sample: file.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 33 vozmeatillu.shop 2->33 35 stogeneratmns.shop 2->35 37 10 other IPs or domains 2->37 47 Suricata IDS alerts for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 13 other signatures 2->53 9 file.exe 2 2->9         started        signatures3 process4 signatures5 55 Suspicious powershell command line found 9->55 57 Contains functionality to prevent local Windows debugging 9->57 12 powershell.exe 15 22 9->12         started        process6 dnsIp7 45 147.45.44.131, 49730, 80 FREE-NET-ASFREEnetEU Russian Federation 12->45 29 C:\Users\user\AppData\...\uy2pimwz.cmdline, Unicode 12->29 dropped 31 C:\Users\user\AppData\Local\...\uy2pimwz.0.cs, Unicode 12->31 dropped 59 Writes to foreign memory regions 12->59 61 Suspicious execution chain found 12->61 63 Compiles code for process injection (via .Net compiler) 12->63 65 2 other signatures 12->65 17 csc.exe 3 12->17         started        20 RegAsm.exe 12->20         started        23 conhost.exe 12->23         started        file8 signatures9 process10 dnsIp11 27 C:\Users\user\AppData\Local\...\uy2pimwz.dll, PE32 17->27 dropped 25 cvtres.exe 1 17->25         started        39 ballotnwu.site 104.21.2.13, 443, 49741 CLOUDFLARENETUS United States 20->39 41 gutterydhowi.shop 104.21.4.136, 443, 49732 CLOUDFLARENETUS United States 20->41 43 6 other IPs or domains 20->43 file12 process13
Score:
10%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-09-26 18:46:25 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kregcdg2mmgu5pijwueipslgbvkvekspzhiqvwbu736ef5k32aq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90
LummaStealer
3f8f0d64baf178553077b5ec1285f71f9c0d8ee8526f1f2a40a52f7ee69fa233
LummaStealer
c05186378739dc98ff28f86388680fa3bdceab20d6e648e5d8fdd27bd938413b
LummaStealer
e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution stealer
Link:
https://tria.ge/reports/240926-xrgr1swcnh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
https://ptramidermsnqj.shop/api
https://ballotnwu.site/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ca1f8fd7-ade3-441f-be19-26b7ef1a717d
Unpacked files
SH256 hash:
0135780ff5cc614eb25c04ebd80a54f2e2674893db168ef298e0cbe8c3a21334
MD5 hash:
b8d91575c65ff45847e5d59149cedd07
SHA1 hash:
d2aa8282764eaa0993191e34b11505702f027281
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
96fa6c055fe0e1b0b03110136c3dcb26adfcf04da68b74c2f62f75bfe12a392c
MD5 hash:
4b86263d488046d315a85b2400dc2849
SHA1 hash:
a4c48144f7ff296adebcfb581cc6207d921dcc5f
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
d95de79f5363eafb41338bc0eb13b0f78c9d6a218b888ed1baa3f4270e50f2d2
MD5 hash:
fe9892e96d371c11e5c6d6a14f2cb282
SHA1 hash:
51a892ee33b1c6ffcac9e54386303cfda67a46a8
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
913693d5577aec98ed7863d38f1a733ff07d4ef56e9252fb96259ab5e2f2d0c5
MD5 hash:
b71cf61b8990c6bf555704d1e528c0a2
SHA1 hash:
f43b5dd591ff025ea60c502e0ac5ce8f86fe7d95
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
7f91a9d01d816e9f9f4c5e9db01d606bfade8909d365e975df8b491698a7938f
MD5 hash:
ff59cce1a578af16649f5c938aa08b55
SHA1 hash:
dea2880cb446e1493d7fa2ed73c24497b5016216
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
6bf63fcf87a0f7f2a9c224ddbcc2ede8c67026405ff5847477bb3a414c61ff9b
MD5 hash:
4eb3c247d831754d22da3f2727ae1e24
SHA1 hash:
f8ca2c13102010758eb205827f4edd5eb89fe755
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
766549020d020b2dd987c3cecfff72df0e6a69d85b5c33497a7af14f60aedfaf
MD5 hash:
d26fb6a1bd96f452f6862bd792c494d0
SHA1 hash:
7f7158092510cb059509efae31ad2bec15ae88fc
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
b487125207a7aafd80c3e07e567e4f268f6bc0c6cbb67800ec4b95c7f52ef5cb
MD5 hash:
327daea1dc64721772c3aa276df42e59
SHA1 hash:
a3d215d55ced5c4b657e9413d537fad97b628d08
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
69699eebe26aea8af5a0a47f140ca86ae661d8bc55b52da0313478dd77adcd1d
MD5 hash:
ac0d67d325cd1ca8330d33b4f339f916
SHA1 hash:
77d3f94e38e487a71ce322c8f59f2f8f9e7b8103
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
faba9cf64a6e48534f349f19d3a324c20107b97e71211b694791c6b21de386ba
MD5 hash:
afaedfddbd2c24d6b1e8728db943feb7
SHA1 hash:
64ffb0112e4623e878436e66fd44bc0745699213
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
2ab8dcb1a0410f5c2dcdb2961060363531fc0ed0a8081ed2b33c634af88d2d86
MD5 hash:
81e24a0a82d83e1e36a6d0f23496ee75
SHA1 hash:
a52caea54d7e93ab1dc20e23fc97a045e298dbce
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
dbd984631be07f63ad00b2598c90b910a7802b1a6c3a4adb0546f582e7933f27
MD5 hash:
4ca396ce6bed892b161faf0ca31b6ba0
SHA1 hash:
413cdb3f6b8138656a55d2ff8ed88c883444de22
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
54fc8f9b5f7e9c5fd0dbcbe9871bbc0e29e3a3fddade3e9a67affcee2377b452
MD5 hash:
a43db9e454b01ebb99cd39cfb5571706
SHA1 hash:
747b24dff8518068dcadb521a712a89706255e87
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
92dc4bd2511efdc7c041517bdaffe2c23d251a177caaf8eea7b7c6e09cae49a5
MD5 hash:
a4e1ff2e4c9d1868aa35449d03a0d8f3
SHA1 hash:
2a412f15cef801c3fe9b8b4ad0d4c90c0697958c
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
8128a049e43f58aa1798f33afcedfa8765b7967750ef6e6d3b51398fc6d37d4e
MD5 hash:
8e098d3f95bcd9e5a6887ffeea259b5b
SHA1 hash:
b8708836962f813118f7293f6dce8aabbe48f0c1
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
8e91826d44a846a115427aa8e66c5b3cc4f7d1d901ba571742d8c25e220dc910
MD5 hash:
8555f6c0f5f97adfb22e2f0d8fe3906d
SHA1 hash:
a8ee9cbf1be6b71b9222f87af23f0bdfe3c609b2
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
SH256 hash:
e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81
MD5 hash:
a2b2889063a7a3f9785253f937ee6fe4
SHA1 hash:
f3499e38acaf1837c7b3d7289dd6627f5f7b3e3f
Detections:
DOTNET_SingleFileHost_Bundled_App
Create hunting rule
Link:
https://www.unpac.me/results/0e7d080d-4b45-4464-b776-8faa819b8325/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2a2430866d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe e2a2430866d3186a75e84da8443e4b306aaa91527e4e8856c1a7f7e217aade81

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3193004/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
ADVAPI32.dll::RevertToSelf
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetKernelObjectSecurity
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetActiveProcessorGroupCount
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::GetWindowsDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW

Comments