MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862
SHA3-384 hash: d1fdd2451821847734cd5563c7d5f99c106485afc436769e56b5cb8ec78c5192281818465c57da161234c959e060582f
SHA1 hash: 0f260b3cb332f2591e45553b40bbe74c3ec85e0c
MD5 hash: 00bf52a42bd33277e2e28bddca6171f0
humanhash: uniform-twenty-minnesota-enemy
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'035'136 bytes
First seen:2024-10-24 15:15:29 UTC
Last seen:2024-10-24 15:16:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:+lQ20TmEhXvSFJ++ZKH3rPQLEw7g7WXxpXk1hE+MH8D4:+lCTmEtvSFJ++Z0QLL7k3E+Mc
Threatray 175 similar samples on MalwareBazaar
TLSH T12FE54B92B505B1CFE88B37749427CD86B96D43BA0B154CC3E83CA4797EA3CC615B6C29
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://185.215.113.16/luma/random.exe

Intelligence

File Origin
# of uploads :
21
# of downloads :
397
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-10-24 15:14:17 UTC
Tags:
lumma stealer loader stealc amadey botnet themida
Link:
https://app.any.run/tasks/1dc4277c-6da2-48a8-acc4-f4d3dc2d3ec4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671a64b5dc81eadd52dae786
Tags:
Shellcode
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Behavior that indicates a threat
DNS request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/671a64b3e03532c8c989301a/reports/5177b3e4-2f55-40bb-8c83-f718f8b8a64f/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28f3a3be-6bf2-468c-8960-f13896a3f6df
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1541300
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541300 Sample: file.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 115 studennotediw.store 2->115 117 steamcommunity.com 2->117 119 43 other IPs or domains 2->119 161 Suricata IDS alerts for network traffic 2->161 163 Found malware configuration 2->163 165 Antivirus detection for dropped file 2->165 167 15 other signatures 2->167 11 file.exe 3 2->11         started        16 f30607ff8e.exe 2->16         started        18 f30607ff8e.exe 2->18         started        20 5 other processes 2->20 signatures3 process4 dnsIp5 121 sergei-esenin.com 172.67.206.204, 443, 49705, 49706 CLOUDFLARENETUS United States 11->121 123 steamcommunity.com 104.102.49.254, 443, 49704, 49845 AKAMAI-ASUS United States 11->123 125 185.215.113.16, 49713, 49799, 49857 WHOLESALECONNECTIONSNL Portugal 11->125 95 C:\Users\user\...\I6QEZAJW4P0YF3TSR.exe, PE32 11->95 dropped 97 C:\Users\user\...\I1N47ZPU83UTUQUS6SNGVIO.exe, PE32 11->97 dropped 99 C:\Users\user\...\FYI1P4W3Z689SREG96D.exe, PE32 11->99 dropped 193 Query firmware table information (likely to detect VMs) 11->193 195 Found many strings related to Crypto-Wallets (likely being stolen) 11->195 197 Tries to evade debugger and weak emulator (self modifying code) 11->197 213 2 other signatures 11->213 22 I6QEZAJW4P0YF3TSR.exe 4 11->22         started        26 I1N47ZPU83UTUQUS6SNGVIO.exe 9 1 11->26         started        28 FYI1P4W3Z689SREG96D.exe 13 11->28         started        101 C:\Users\...\9S0P39L5PFK0D7TU1S5ERZW1XZD.exe, PE32 16->101 dropped 103 C:\Users\user\...\99OR8C3IZZWAEM6QX.exe, PE32 16->103 dropped 105 C:\Users\user\...\7DRLRWE3U8NXHSGBBZ7.exe, PE32 16->105 dropped 199 Tries to harvest and steal ftp login credentials 16->199 201 Tries to harvest and steal browser information (history, passwords, etc) 16->201 203 Tries to steal Crypto Currency Wallets 16->203 31 7DRLRWE3U8NXHSGBBZ7.exe 16->31         started        33 99OR8C3IZZWAEM6QX.exe 16->33         started        205 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->205 207 Hides threads from debuggers 18->207 209 Tries to detect sandboxes / dynamic malware analysis system (registry check) 18->209 211 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->211 35 firefox.exe 20->35         started        37 firefox.exe 20->37         started        39 taskkill.exe 20->39         started        41 4 other processes 20->41 file6 signatures7 process8 dnsIp9 93 C:\Users\user\AppData\Local\...\skotes.exe, PE32 22->93 dropped 169 Antivirus detection for dropped file 22->169 171 Detected unpacking (changes PE section rights) 22->171 173 Machine Learning detection for dropped file 22->173 175 Tries to detect virtualization through RDTSC time measurements 22->175 43 skotes.exe 4 25 22->43         started        177 Modifies windows update settings 26->177 179 Disables Windows Defender Tamper protection 26->179 181 Tries to evade debugger and weak emulator (self modifying code) 26->181 191 2 other signatures 26->191 137 185.215.113.37, 49758, 49899, 80 WHOLESALECONNECTIONSNL Portugal 28->137 183 Multi AV Scanner detection for dropped file 28->183 185 Hides threads from debuggers 28->185 187 Tries to detect sandboxes / dynamic malware analysis system (registry check) 28->187 189 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 31->189 139 youtube-ui.l.google.com 142.250.186.46 GOOGLEUS United States 35->139 141 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 35->141 143 8 other IPs or domains 35->143 48 firefox.exe 35->48         started        50 firefox.exe 35->50         started        52 firefox.exe 37->52         started        54 conhost.exe 39->54         started        56 conhost.exe 41->56         started        58 conhost.exe 41->58         started        60 conhost.exe 41->60         started        62 conhost.exe 41->62         started        file10 signatures11 process12 dnsIp13 127 185.215.113.43, 49782, 49793, 49851 WHOLESALECONNECTIONSNL Portugal 43->127 129 dyna.wikimedia.org 43->129 107 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 43->107 dropped 109 C:\Users\user\AppData\...\8435e0ee0a.exe, PE32 43->109 dropped 111 C:\Users\user\AppData\...\864bf7d70e.exe, PE32 43->111 dropped 113 5 other malicious files 43->113 dropped 215 Antivirus detection for dropped file 43->215 217 Detected unpacking (changes PE section rights) 43->217 219 Machine Learning detection for dropped file 43->219 221 5 other signatures 43->221 64 f30607ff8e.exe 43->64         started        67 864bf7d70e.exe 43->67         started        69 8435e0ee0a.exe 43->69         started        71 num.exe 43->71         started        131 push.services.mozilla.com 34.107.243.93 GOOGLEUS United States 52->131 133 telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 GOOGLEUS United States 52->133 135 2 other IPs or domains 52->135 73 firefox.exe 52->73         started        file14 signatures15 process16 signatures17 145 Antivirus detection for dropped file 64->145 147 Multi AV Scanner detection for dropped file 64->147 149 Detected unpacking (changes PE section rights) 64->149 159 3 other signatures 64->159 151 Machine Learning detection for dropped file 67->151 153 Tries to evade debugger and weak emulator (self modifying code) 67->153 155 Hides threads from debuggers 67->155 157 Binary is likely a compiled AutoIt script file 69->157 75 taskkill.exe 69->75         started        77 taskkill.exe 69->77         started        79 taskkill.exe 69->79         started        81 3 other processes 69->81 process18 process19 83 conhost.exe 75->83         started        85 conhost.exe 77->85         started        87 conhost.exe 79->87         started        89 conhost.exe 81->89         started        91 conhost.exe 81->91         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-24 15:16:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hmza7ofbez5k2qrjro5xk55is72wo53vs3yrde2ywqvsjru5bra._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
01be1f6d74db8b1f9e73c5f0261e4412dcdc21a6d59b7c07925a4c26cbbc6860
LummaStealer
0785ad7bb7e17f18665229dc9a772fae8d074c58f8cff680ab848f396bd952f9
LummaStealer
1dbff9fecdd48ef2147a00446d6163e7fae0480af36d72f71b1483ed8f33df92
LummaStealer
64585ba1a93d0bd0af219dbbc455c7e4cc5f8b1a6d46eba6b60c45051692f5c3
LummaStealer
894b2a1e0527fce4d8667b31af4c6f3d2209a0b99e298ed58de7914ad1b8f94d
LummaStealer
98f78dfad939806730b6320f069d01da6cd2b80af742eedd4bddc0727cec27da
LummaStealer
b649fde943868879f85d809bf5e84d9873b1c5ed308941e19cebb3ea6a230aff
LummaStealer
c7c24e8887dd978f70cfce8e2e5f449b49de0012d8cbdfce51c0227cffe94cb7
LummaStealer
d864711368d00560420b7833091ebb6aec0eb533bfc582e102121158eb218e25
LummaStealer
ef8356d61e6803858f00eb94f0fba1e5733d5c50033113c7365f99664b76656c
LummaStealer
error
LummaStealer
+ 165 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery evasion stealer
Link:
https://tria.ge/reports/241024-snhspawclr/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6d757d00-7956-40f7-9233-345a90a8dcce
Unpacked files
SH256 hash:
cf9c54346d7bd38eef729dc4a18f523a87c503fc49596a3c07b575b1477c07a7
MD5 hash:
700b9e8899ab92d80117550750fa6d10
SHA1 hash:
594bcca040ec3ff94a36869f982dc5838703f3e3
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/9438fc9e-44c9-42f6-87ca-84cf8b2c5133/
SH256 hash:
f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862
MD5 hash:
00bf52a42bd33277e2e28bddca6171f0
SHA1 hash:
0f260b3cb332f2591e45553b40bbe74c3ec85e0c
Link:
https://www.unpac.me/results/9438fc9e-44c9-42f6-87ca-84cf8b2c5133/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9d9907dc509/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f9d9907dc50933d56a114c5ddbabbd44bfab3bbbacb7888c9ac5a1592634e862

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245480/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments