MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
SHA3-384 hash: fb502b6e9f5ee87d71fe2c8d8b8618c9e298164a46094d9f7c3e49e134a51b545b89edf8a5404e830c70f45c4d1f9871
SHA1 hash: 5b7bbf5bc80f4b3863c263d1aed620faa4612c9d
MD5 hash: d330c09503e6c3d51cd2d3435de0795a
humanhash: friend-indigo-india-summer
File name:Update_1.65.4 (1).msi
Download: download sample
Signature LummaStealer
Create hunting rule
File size:9'924'608 bytes
First seen:2024-12-30 18:24:28 UTC
Last seen:2024-12-31 01:47:07 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:0uVUeJYJMd0rWLhjx5YHU+tYERMN2fr/pa/3pqnLtAPLMgzWS3W9i4EzP:lV6WLR+tYiyURmpML6DMgzJsc
TLSH T1C8A63331B2C33711D98501768253972C903E5F062B50F9CABBA672A43737BA4B1E5EED
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter 1ZRR4H
Tags:LummaStealer msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
CL CL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6772e5801bb06b8884799d6e
Tags:
shellcode
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer
Link:
https://www.filescan.io/uploads/6772e57fbeeed6885020ac9b/reports/7c93eb10-0479-4115-8337-9783233e3eaa/overview
Verdict:
Suspicious
Labled as:
Generik.CMYOQRF trojan
Link:
https://www.hybrid-analysis.com/sample/fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1582510
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1582510 Sample: Update_1.65.4 (1).msi Startdate: 30/12/2024 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Yara detected LummaC Stealer 2->50 52 Sample uses string decryption to hide its real strings 2->52 54 3 other signatures 2->54 9 msiexec.exe 83 43 2->9         started        12 msiexec.exe 3 2->12         started        process3 file4 32 C:\Users\user\AppData\Local\...\ReFB.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\...\QtWebKit4.dll, PE32 9->34 dropped 36 C:\Users\user\AppData\...\QtNetwork4.dll, PE32 9->36 dropped 38 4 other files (2 malicious) 9->38 dropped 14 ReFB.exe 10 9->14         started        process5 file6 40 C:\Users\user\AppData\Roaming\...\ReFB.exe, PE32 14->40 dropped 42 C:\Users\user\AppData\...\QtWebKit4.dll, PE32 14->42 dropped 44 C:\Users\user\AppData\...\QtNetwork4.dll, PE32 14->44 dropped 46 4 other files (2 malicious) 14->46 dropped 74 Found API chain indicative of debugger detection 14->74 76 Switches to a custom stack to bypass stack traces 14->76 78 Found direct / indirect Syscall (likely to bypass EDR) 14->78 18 ReFB.exe 1 14->18         started        signatures7 process8 signatures9 56 Found API chain indicative of debugger detection 18->56 58 Maps a DLL or memory area into another process 18->58 60 Switches to a custom stack to bypass stack traces 18->60 62 Found direct / indirect Syscall (likely to bypass EDR) 18->62 21 cmd.exe 2 18->21         started        process10 file11 30 C:\Users\user\AppData\Local\Temp\ick, PE32 21->30 dropped 64 Injects code into the Windows Explorer (explorer.exe) 21->64 66 Writes to foreign memory regions 21->66 68 Found hidden mapped module (file has been removed from disk) 21->68 70 2 other signatures 21->70 25 explorer.exe 21->25         started        28 conhost.exe 21->28         started        signatures12 process13 signatures14 72 Switches to a custom stack to bypass stack traces 25->72
Score:
6%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Suspicious
First seen:
2024-12-30 09:48:13 UTC
File Type:
Binary (Archive)
Extracted files:
16
AV detection:
8 of 23 (34.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pgmrfjhccukkbsv6t7dvcamqnzucg36yqhfjkv5p2x7h4oqcn5q._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/241230-w2lchsspdq/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Verdict:
Suspicious
Tags:
stealer lumma_stealer c2 lumma
YARA:
n/a
Link:
https://app.threat.zone/submission/5cb1877d-5a9f-4f28-91e6-f17a23b420a0
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbccc8952710/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments