@jershmagersh
Created April 6, 2025 14:12
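rule Lumma_Stealer_Core {
    // Detection rule for the Lumma Stealer core module. It combines three
    // independent evidence classes (API-hashing code, NSS-function hashes,
    // and target/drop-path strings) so that no single generic indicator
    // fires the rule on its own.
    meta:
        description = "Detects Lumma Stealer core functionality"
        author = "Binary Ninja Analysis"
        date = "2024"
        malware_type = "stealer"
        reference = "Lumma Stealer Analysis"

    strings:
        // MurmurHash2-like multiplier (0x5bd1e995) used in the API-hashing routine.
        // `push imm32` is 5 bytes: opcode 68 followed by the little-endian immediate,
        // so the constant encodes as 95 E9 D1 5B. The previous 4-byte pattern
        // {68 95 1E 5B} did not encode this value and could not match the intended
        // instruction.
        $hash_const = {68 95 E9 D1 5B} // push 0x5bd1e995

        // API hash values loaded into ecx before the resolver is called (NSS functions).
        // NOTE(review): EE 5F 05 00 is little-endian 0x00055fee, not 0x59f5ee as the
        // original annotation stated; confirm the byte pattern against the sample
        // before relying on this string.
        $nss_hash1 = {B9 EE 5F 05 00} // mov ecx, 0x55fee (original note said 0x59f5ee)
        $nss_hash2 = {B9 C4 9E 9A F8} // mov ecx, 0xf89a9ec4
        $nss_hash3 = {B9 C3 27 E9 E3} // mov ecx, 0xe3e927c3

        // Drop locations for the Mozilla NSS libraries the stealer loads to decrypt
        // Firefox credential stores, plus the staging archive. Matched case-sensitively;
        // add `nocase` if samples vary the drive-letter or path casing.
        $path1 = "c:\\ProgramData\\freebl3.dll" ascii wide
        $path2 = "c:\\ProgramData\\softokn3.dll" ascii wide
        $path3 = "c:\\ProgramData\\mozglue.dll" ascii wide
        $path4 = "c:\\ProgramData\\nss3.dll" ascii wide
        $path5 = "c:\\ProgramData\\winrarupd.zip" ascii wide

        // Browser profile directories (common to many stealers; corroborating only).
        $browser1 = "%localappdata%\\Google\\Chrome\\User Data" ascii wide
        $browser2 = "%localappdata%\\Microsoft\\Edge\\User Data" ascii wide
        $browser3 = "%appdata%\\Mozilla\\Firefox\\Profiles" ascii wide

        // Cryptocurrency wallet data directories (also generic across stealer families).
        $wallet1 = "%appdata%\\Exodus\\exodus.wallet" ascii wide
        $wallet2 = "%appdata%\\Ethereum" ascii wide
        $wallet3 = "%appdata%\\Electrum\\wallets" ascii wide

        // Prologue of the API-hash computation function. Call targets are wildcarded
        // because they are relocation/build dependent.
        $hash_func = {
            55                // push ebp
            8B EC             // mov ebp, esp
            83 E4 F8          // and esp, 0xfffffff8
            56                // push esi
            57                // push edi
            E8 ?? ?? ?? ??    // call sub_40501f
            E8 ?? ?? ?? ??    // call sub_401061
            85 C0             // test eax, eax
        }

        // Firefox credential-access sequence. This pattern (push 0x104 / call /
        // indirect call through a loaded pointer) is fairly generic on its own,
        // which is why the condition requires it only as one of several signals.
        $firefox_pattern = {
            68 04 01 00 00    // push 0x104
            E8 ?? ?? ?? ??    // call allocate_string_buffer
            8B ?? ?? ?? ?? ?? // mov reg32, [data_42d464]
            FF ??             // call reg32
        }

    condition:
        uint16(0) == 0x5A4D and // PE file (MZ header)
        filesize < 5MB and      // reasonable size bound for the stealer payload
        (
            // Core functionality: at least two of the three code-level indicators
            (2 of ($hash_const, $hash_func, $firefox_pattern)) and
            // NSS function hashing: at least two of the three hash immediates
            (2 of ($nss_hash*)) and
            // Drop paths and targeting strings
            (3 of ($path*)) and
            (2 of ($browser*)) and
            (2 of ($wallet*))
        )
}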