MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
SHA3-384 hash: 4aadb02c69f04a2a606ec482fbb2774730d2cc795cf752d86b94fe6ae8f70cd89711c7414edfadec98c5ecb258825f91
SHA1 hash: 79b7f01af68b13036a493e25c83d80457a654c4c
MD5 hash: bf866d9b4395b3c819a4cd3fd639c412
humanhash: lamp-muppet-november-lamp
File name:f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c.msi
Download: download sample
Signature LummaStealer
Create hunting rule
File size:89'869'824 bytes
First seen:2025-02-04 13:17:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:BWVw9CW/3bB1B68jRGRdJFqisNA6IwEU7dwq3LnEpF2UOrZ+c4CGFyzodK2aZq9:BW5SrB6uRG6iQIu5LEzVON+vCjVY
Threatray 7 similar samples on MalwareBazaar
TLSH T11A18231277F941F1E1BFD1359A77A627E6767C264B3186CF02903A1E0F36AD09A39312
TrID 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
39.2% (.MSP) Windows Installer Patch (44509/10/5)
7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:5-45-94-186 5-61-50-177 5-61-58-167 LummaStealer msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a214ab2dcee78dd81953bc
Tags:
virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-vm explorer fingerprint fingerprint hacktool lolbin obfuscated onedrivestandaloneupdater remote runonce wix
Link:
https://www.filescan.io/uploads/67a213a4e605f0e54e289ad2/reports/1920de5a-0560-4ae3-861f-e8bc074b6ea4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
suspicious
Classification:
troj
Score:
38 / 100
Link:
https://www.joesandbox.com/analysis/1606490
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1606490 Sample: w2U4fIIBs1.msi Startdate: 04/02/2025 Architecture: WINDOWS Score: 38 70 tse1.mm.bing.net 2->70 72 mm-mm.bing.net.trafficmanager.net 2->72 74 2 other IPs or domains 2->74 84 Suricata IDS alerts for network traffic 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 Yara detected LummaC Stealer 2->88 90 Queries random domain names (often used to prevent blacklisting and sinkholes) 2->90 10 msiexec.exe 13 28 2->10         started        13 msiexec.exe 15 2->13         started        15 msiexec.exe 15 2->15         started        17 msiexec.exe 14 2->17         started        signatures3 process4 file5 52 C:\Windows\Installer\MSIAFAD.tmp, PE32 10->52 dropped 54 C:\Windows\Installer\MSIAEE1.tmp, PE32 10->54 dropped 56 C:\Windows\Installer\MSIAEA2.tmp, PE32 10->56 dropped 62 3 other files (none is malicious) 10->62 dropped 19 msiexec.exe 10 10->19         started        22 msiexec.exe 1 1 10->22         started        25 msiexec.exe 10->25         started        28 2 other processes 10->28 58 C:\Users\user\AppData\Local\...\MSIF78C.tmp, PE32 13->58 dropped 60 C:\Users\user\AppData\Local\...\MSIF75C.tmp, PE32 13->60 dropped 64 9 other files (none is malicious) 13->64 dropped 66 11 other files (none is malicious) 15->66 dropped 68 11 other files (none is malicious) 17->68 dropped process6 dnsIp7 42 C:\Users\user\AppData\...\OneDriveSetup.exe, PE32+ 19->42 dropped 30 OneDriveSetup.exe 5 5 19->30         started        92 Creates autostart registry keys with suspicious names 22->92 94 Creates an autostart registry key pointing to binary in C:\Windows 22->94 32 OneDriveSetup.exe 3 5 22->32         started        78 45urhm0ldgxb.live 149.154.153.2, 443, 49753 EDIS-AS-EUAT European Union 25->78 80 gx6xly9rp6vl.live 45.155.37.158, 443, 49769 SHOCK-1US Netherlands 25->80 82 37 other IPs or domains 25->82 34 OneDriveSetup.exe 28->34         started        file8 signatures9 process10 process11 36 OneDriveSetup.exe 505 1291 30->36         started        dnsIp12 76 13.74.129.92, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->76 44 C:\...\OneDriveTelemetryExperimental.dll, PE32+ 36->44 dropped 46 C:\...\OneDriveStandaloneUpdater.exe (copy), PE32+ 36->46 dropped 48 C:\Users\user\AppData\Local\...\OneDrive.exe, PE32+ 36->48 dropped 50 252 other files (none is malicious) 36->50 dropped 40 wermgr.exe 36->40         started        file13 process14
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
Gathering data
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2024-12-25 17:31:32 UTC
File Type:
Binary (Archive)
Extracted files:
48
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7awrl3wtqwt2se5zriulz2nspj7dmepbydcnt6tfoqot7xlw2i6a._file
Verdict:
malicious
Label(s):
bumblebee
Create hunting rule
Similar samples:
47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84
LummaStealer
4b8efb9033cc4a918b63c036c0c26909c416502fbc385505c55f3c00d35829ea
LummaStealer
bdb79800e4177b59b3830ae7cc996a41fc2b560593e7b51e02408c062f8d4449
LummaStealer
bf445dc49cc3be5d0fe8510d716fd540cb3b3c4ab4050c870fc240041c3af990
LummaStealer
error
LummaStealer
f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
LummaStealer
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:2 discovery loader persistence privilege_escalation
Link:
https://tria.ge/reports/250204-qj2znaymfj/
Behaviour
Checks SCSI registry key(s)
Modifies Control Panel
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks installed software on the system
Checks system information in the registry
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Adds Run key to start application
Blocklisted process makes network request
Downloads MZ/PE file
Enumerates connected drives
Event Triggered Execution: Image File Execution Options Injection
BumbleBee
Bumblebee family
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ee5ff0b6-e8c6-433b-8af4-5206be71b9f6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments