MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832
SHA3-384 hash: 606958125832a39ddf63185d736815062ae294d4a2ae4b1460ca3dca8cfd32cf839eeb6525a3894a6aa55fb91d1e2628
SHA1 hash: c2285d4321904858faa49e25ed0ccc5585c3f7db
MD5 hash: 6ca069ae5432153bf3b0bb46d70eca7c
humanhash: ten-sad-blue-arizona
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'945'024 bytes
First seen:2024-11-01 13:18:18 UTC
Last seen:2024-11-01 15:19:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:9za3hPHxhSIm0hUNIxLa3OhRDurJcMMui/DU24c:9ORPHxhSIm0hUNIxG38uFnMuv2
TLSH T11ED54B52B50EB1CBD48E13749417CE825D7D47BA5B2189C3A878ACBE7DA3CC015FAC26
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
24
# of downloads :
422
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
7eb366bfc51461411e33b0a660e6e43193089b8cc30b4efa49ce1a00da442d1f.zip
Verdict:
Malicious activity
Analysis date:
2024-11-01 13:15:20 UTC
Tags:
arch-exec lumma stealer loader amadey botnet stealc themida rdp
Link:
https://app.any.run/tasks/dd2dd9db-47b5-4058-9821-5fa613a8e05f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.18160.9548.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6724d54a49e92a05dde23e93
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm evasive fingerprint packed packed packer_detected
Link:
https://www.filescan.io/uploads/6724d5477b6de3d3d357176f/reports/022c0108-1bf9-4f34-a97e-2ab694f73b17/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e7aea980-2540-4b4a-a93f-3329775e8c76
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1546718
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Excessive usage of taskkill to terminate processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546718 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 92 thumbystriw.store 2->92 94 presticitpo.store 2->94 96 30 other IPs or domains 2->96 116 Suricata IDS alerts for network traffic 2->116 118 Found malware configuration 2->118 120 Antivirus detection for dropped file 2->120 122 17 other signatures 2->122 9 skotes.exe 4 28 2->9         started        14 file.exe 2 2->14         started        16 43dba844a0.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 108 185.215.113.43, 49945, 49956, 49984 WHOLESALECONNECTIONSNL Portugal 9->108 110 31.41.244.11, 49962, 80 AEROEXPRESS-ASRU Russian Federation 9->110 76 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->76 dropped 78 C:\Users\user\AppData\...\9738b9b606.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\858718fb40.exe, PE32 9->80 dropped 90 7 other malicious files 9->90 dropped 170 Creates multiple autostart registry keys 9->170 172 Hides threads from debuggers 9->172 174 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->174 20 43dba844a0.exe 9->20         started        24 858718fb40.exe 9->24         started        27 9738b9b606.exe 9->27         started        37 2 other processes 9->37 112 necklacedmny.store 188.114.97.3, 443, 49704, 49705 CLOUDFLARENETUS European Union 14->112 114 185.215.113.16, 49712, 49990, 50004 WHOLESALECONNECTIONSNL Portugal 14->114 82 C:\Users\...\LP2A14SBVUXWGBVIOLP0TT01Z.exe, PE32 14->82 dropped 84 C:\...\K551H67HTD2P65T4EQYI1P5K0MAWMZ.exe, PE32 14->84 dropped 176 Query firmware table information (likely to detect VMs) 14->176 178 Tries to evade debugger and weak emulator (self modifying code) 14->178 180 Tries to detect virtualization through RDTSC time measurements 14->180 182 LummaC encrypted strings found 14->182 29 K551H67HTD2P65T4EQYI1P5K0MAWMZ.exe 4 14->29         started        31 LP2A14SBVUXWGBVIOLP0TT01Z.exe 14->31         started        86 C:\...\VBHOV4FW23DCTSQZRD9H9CQXU6QPN.exe, PE32 16->86 dropped 88 C:\...\BV63EWQMG9LXAT3GOBBELDMX3JAW0J.exe, PE32 16->88 dropped 184 Tries to harvest and steal ftp login credentials 16->184 186 Tries to harvest and steal browser information (history, passwords, etc) 16->186 188 Tries to steal Crypto Currency Wallets 16->188 190 Binary is likely a compiled AutoIt script file 18->190 192 Excessive usage of taskkill to terminate processes 18->192 194 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->194 33 firefox.exe 18->33         started        35 taskkill.exe 18->35         started        39 5 other processes 18->39 file6 signatures7 process8 dnsIp9 70 C:\Users\user\...\PK58MMAWKU2LTN3JZ1XD.exe, PE32 20->70 dropped 72 C:\Users\user\...\3ZIGAFM2RHRBLZAQ1.exe, PE32 20->72 dropped 124 Antivirus detection for dropped file 20->124 126 Multi AV Scanner detection for dropped file 20->126 128 Query firmware table information (likely to detect VMs) 20->128 148 2 other signatures 20->148 41 3ZIGAFM2RHRBLZAQ1.exe 20->41         started        44 PK58MMAWKU2LTN3JZ1XD.exe 20->44         started        98 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 24->98 130 Hides threads from debuggers 24->130 132 Tries to detect sandboxes / dynamic malware analysis system (registry check) 24->132 134 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 24->134 136 Binary is likely a compiled AutoIt script file 27->136 138 Excessive usage of taskkill to terminate processes 27->138 46 taskkill.exe 27->46         started        54 5 other processes 27->54 74 C:\Users\user\AppData\Local\...\skotes.exe, PE32 29->74 dropped 140 Detected unpacking (changes PE section rights) 29->140 142 Machine Learning detection for dropped file 29->142 144 Tries to evade debugger and weak emulator (self modifying code) 29->144 48 skotes.exe 29->48         started        146 Tries to detect virtualization through RDTSC time measurements 31->146 50 WerFault.exe 19 16 31->50         started        100 youtube.com 142.250.185.174 GOOGLEUS United States 33->100 102 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 33->102 106 5 other IPs or domains 33->106 56 2 other processes 33->56 52 conhost.exe 35->52         started        104 185.208.159.121 SIMPLECARRER2IT Switzerland 37->104 58 4 other processes 39->58 file10 signatures11 process12 signatures13 150 Machine Learning detection for dropped file 41->150 152 Modifies windows update settings 41->152 154 Disables Windows Defender Tamper protection 41->154 168 3 other signatures 41->168 156 Tries to detect sandboxes and other dynamic analysis tools (window names) 44->156 158 Hides threads from debuggers 44->158 160 Tries to detect sandboxes / dynamic malware analysis system (registry check) 44->160 60 conhost.exe 46->60         started        162 Antivirus detection for dropped file 48->162 164 Detected unpacking (changes PE section rights) 48->164 166 Tries to evade debugger and weak emulator (self modifying code) 48->166 62 conhost.exe 54->62         started        64 conhost.exe 54->64         started        66 conhost.exe 54->66         started        68 conhost.exe 54->68         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-01 13:19:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66lu6rd475mgv3gognb64qg5t5hnlkgc6vpu4dkdvzzm44hd7aza._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241101-qkjjps1cre/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9b1507b4-954a-4492-b8c3-34e90a8b6447
Unpacked files
SH256 hash:
7546bb97d166d476bf4e6a0996fc1d04d0208a688585de6f12316b6a53d3e3da
MD5 hash:
2ceb7ef9ce29baf7ada2e493de03f352
SHA1 hash:
9c4fa9bbedd7571f430e124be39ebb3ad075012a
Link:
https://www.unpac.me/results/1dacdc89-0e1b-4a24-8bb2-95b138a344d5/
SH256 hash:
f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832
MD5 hash:
6ca069ae5432153bf3b0bb46d70eca7c
SHA1 hash:
c2285d4321904858faa49e25ed0ccc5585c3f7db
Link:
https://www.unpac.me/results/1dacdc89-0e1b-4a24-8bb2-95b138a344d5/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f7974f447cff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f7974f447cff586aecce3343ee40dd9f4ed5a8c2f55f4e0d43ae72ce70e3f832

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments