MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4
SHA3-384 hash: 6297b6b2364255538b07dafdef0f84801bb540637c02d37d1bf900e3a9588fca16caf53b70e3edc771d8900b9c3e8427
SHA1 hash: 8b75ce7c1cf0ec4fddb0f28ea04b233eb99efa76
MD5 hash: 0c381c2ec5177f64bed8da59eabe980c
humanhash: river-grey-princess-table
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'008'512 bytes
First seen:2024-10-28 05:25:13 UTC
Last seen:2024-10-28 07:19:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:3+21cDBfqwB6O25dVOjrs2SENsIZRz6eyOMb35T2:3+ycBfqwB6OuOjrvSExRzeOMbp2
Threatray 7 similar samples on MalwareBazaar
TLSH T1A7D55BA2A504B2CFD49A17B8A927DDC7585D03F8472048C3ADADB57E7E73CC522B5C28
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
3'373
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2024-10-28 05:29:49 UTC
Tags:
lumma stealer themida exfiltration loader
Link:
https://app.any.run/tasks/bd21daee-7d4c-4dab-8ae8-918e31318750

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5171.28735.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671f206ea75e41aa672283a7
Tags:
Shellcode
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/671f206a3a8e01910c8ca6ea/reports/2478d7c9-0c7e-4d55-a786-2e639e93d283/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c2736c47-f7ed-41fe-b4d5-2bd04eac8b7f
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1543563
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-28 05:26:07 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4k6sxipw2mmvbqolhwqehlop4h4q4z6sz2vtbjbayyph2tfaoxca._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
0c758d04a07b2b2edbde835ad766ba81e2c4b3dcf31b7fbb58f779c85bb69290
LummaStealer
19bd761990c86d5b2ec8776e31874449845bc0a38cc137f65739fea6d0adadc9
LummaStealer
284a987cc517735bd1a235f6d869649e04b7ab20505b1edb9fe55d090ddec969
LummaStealer
678052dd7d25f56d1ff5f3d66b5d63d407c013a60d1070fc4e21f4cba66b3303
LummaStealer
8b5edd0e5fa82341d230811e5885fdb3de8537fc8416e3a13a2ec32542fa61f0
LummaStealer
error
LummaStealer
fb441142b7c68401a527f50b57be4cc3b3008a895a0dd89de4c1521e91e78e34
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241028-f4ve7syqhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://crisiwarny.store/api
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d48d17ed-75b2-4116-a8d3-d784eda7ea83
Unpacked files
SH256 hash:
a6ba608d3d54c2b243207c3d5f4255357f52422e0b64e1ddfb7d8e4cc9342f90
MD5 hash:
df4fd07c22f34f82294f89a8e3caec9f
SHA1 hash:
12157a374de6806dac0a55a7dacdb461e80ffe7a
Link:
https://www.unpac.me/results/02e10012-4a8d-4f7f-8fbf-e0cf3252adf0/
SH256 hash:
e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4
MD5 hash:
0c381c2ec5177f64bed8da59eabe980c
SHA1 hash:
8b75ce7c1cf0ec4fddb0f28ea04b233eb99efa76
Link:
https://www.unpac.me/results/02e10012-4a8d-4f7f-8fbf-e0cf3252adf0/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2bd2ba1f6d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe e2bd2ba1f6d31950c1cb3da043adcfe1f90e67d2ceab30a420c61e7d4ca075c4

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments