MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986
SHA3-384 hash: 9aca4884e8a17238ba7d8618724eac6e40aac41aa594db77db8b3eb685d2ca57257b61dfbc9a5556ce2ba4a30428a776
SHA1 hash: e2522424e4c0a34b83b0dd9769db8c5b01e289e9
MD5 hash: 400af20bb680795b1a047b588d8f1b26
humanhash: burger-wisconsin-mars-nitrogen
File name:400af20bb680795b1a047b588d8f1b26
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'004'544 bytes
First seen:2024-10-13 04:39:49 UTC
Last seen:2024-10-13 05:37:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 285f07c66f98861b92460fa57c11d967 (4 x LummaStealer, 3 x Vidar, 1 x Stealc)
ssdeep 24576:YRjxaXu0Nvce4l/4dZjXdjUUyFUXeVea4jNkvKpgJ6vtZWVnX:YJxaXu0NvT4OdjU/v94R1pgJ6vtZWVX
TLSH T1F225DF1179C08036DB3325320AA9EB769ABEF8701B2956CF17E81A7E5F385C15B3461F
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
372
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.mediafire.com/file/94i882uvbhq5bs3/907.7z/file
Verdict:
Malicious activity
Analysis date:
2024-10-12 17:51:54 UTC
Tags:
loader evasion socks5systemz proxy
Link:
https://app.any.run/tasks/8be4647a-bba0-4153-86bf-5fe355e74232

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.37704.7315.20407.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670b4f24707bcd8537fb35f5
Tags:
Malware
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/670b4f239f3db0abfed3664b/reports/a5632af9-280a-4e85-94f5-600a2d87fc79/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9379ae56-87c9-4b8e-bdf0-47086499d29e
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1532402
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain checking for user administrative privileges
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-10-12 17:39:40 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6s6d7frnbmlm2qehamsmeqmlcatiblfen3skwcyi5qm6hvfyngda._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/241013-fajfvatenn/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/189628ef-442e-4add-b93e-d94f171503b1
Unpacked files
SH256 hash:
e2e450f069c30508580d5fad85a44f659d1b813b672f0f9a0eef36c332846e6e
MD5 hash:
4191b55e440510c0781eac7a8bd8a9a8
SHA1 hash:
04c6a0939cb6187ad2ef060fb2b50c37d20c2df0
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/2d35a4a0-151d-4a02-bb14-5e56274949aa/
Parent samples :
e872fb46fab0d28820724db2eeb713034898a37fd329c864c3ce6d81bc9f5a77
f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986
6d3923f52801695b6549c3a022fd108c31b8121f5ea83f05332c8dd6943ba227
SH256 hash:
f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986
MD5 hash:
400af20bb680795b1a047b588d8f1b26
SHA1 hash:
e2522424e4c0a34b83b0dd9769db8c5b01e289e9
Link:
https://www.unpac.me/results/2d35a4a0-151d-4a02-bb14-5e56274949aa/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4bc3f962d0b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f4bc3f962d0b16cd40870324c2418b102680aca46ee4ab0b08ec19e3d4b86986

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3232473/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments


Avatar
zbet commented on 2024-10-13 04:39:50 UTC

url : hxxp://cache.ussc.org/player/670a8ccf0c6f9_LofiseNose.exe