MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49
SHA3-384 hash: cd17c9987280a492148a012bbcabc9a58055e9fc97636c9388ad79616187bb2206ccb3cd4bbb1c874592bbd81b304df5
SHA1 hash: 8daa76666366781a4c057a0c6191bdf97d9277d7
MD5 hash: 50d3fe24b4b57469167b40234893b668
humanhash: florida-summer-jig-cold
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:668'160 bytes
First seen:2023-09-12 19:32:31 UTC
Last seen:2023-09-12 23:19:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5719bc293157bac53be8c9a8dd7ed0eb (1 x LummaStealer, 1 x RedLineStealer)
ssdeep 12288:7Zg188alukx+SVnDkzvkzaNasKbk9ma8lE4JSWj0k0Bupjeeeeeeeeeeieeeeee3:7SpatVngzvkiQaEzkB6MxF
Threatray 15 similar samples on MalwareBazaar
TLSH T1EFE4CFF274D443E1FA6F453803728D64AAE03A5277DD248B61381EC8492B5F3796FA27
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe LummaStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc17799268_667305233?hash=IwZ8VZSm1R6poDSVmCjMBWvPwtTOZjN00hLIt20AnZP&dl=X47BBpvy39XAmpGvpAPzZxZ3QV8ZssYZktFDfFk2wpg&api=1&no_preview=1#cryp

Intelligence

File Origin
# of uploads :
3
# of downloads :
348
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-12 19:32:52 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/56b46c18-85c2-4e30-bf6a-3f626b40450f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448257/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.16843.21466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6500bcee25e2ece4df6bb89c/reports/f45a2748-f25b-4f26-b66a-de8f00fdb502/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/900fbaeb-b2e6-4943-a39f-7a20567f97cd
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1308494
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308494 Sample: file.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 96 17 Snort IDS alert for network traffic 2->17 19 Found malware configuration 2->19 21 Antivirus detection for URL or domain 2->21 23 5 other signatures 2->23 6 file.exe 13 2->6         started        process3 dnsIp4 15 worldtopnews.fun 172.67.133.72, 49700, 49701, 80 CLOUDFLARENETUS United States 6->15 9 WerFault.exe 23 9 6->9         started        11 WerFault.exe 2 9 6->11         started        13 conhost.exe 6->13         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 19:33:06 UTC
File Type:
PE (Exe)
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aactx5soymcaw46ijf4xtf3i3ou2apc7buxxgujjo7dqgdrj3veq._file
Verdict:
malicious
Similar samples:
1cc7feaee823df0807c49341b9f4f0e58a4c021e8bc974af7bf5eb02fe09731e
LummaStealer
59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc
LummaStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
LummaStealer
70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8
LummaStealer
8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
LummaStealer
8caa206b184827dd7558de412bae56e0cf7bf575bb192a1cdd6781e8e20fb816
LummaStealer
bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
LummaStealer
be532f3c9322f0b96eac8a3f6871e5542f7b3c4760219fb0e94a1b8201ba709e
LummaStealer
c42b0d200c2022fba3332dd1078cf1412ba37eb52bd74acf7edb4672b1d0f330
LummaStealer
ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
LummaStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230912-x9hr2afb5t/
Behaviour
Program crash
Unpacked files
SH256 hash:
00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49
MD5 hash:
50d3fe24b4b57469167b40234893b668
SHA1 hash:
8daa76666366781a4c057a0c6191bdf97d9277d7
Link:
https://www.unpac.me/results/9cf0adfa-0adb-4220-8f39-eb6c54fd6051/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00053bf64ec3040b73c84979799768dba9a03c5f0d2f73512977c7030e29dd49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/448257/

Comments