MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa
SHA3-384 hash: d831aca41bcb50901c101828d9cc1992a397cbfb63b8439b76b7c776f82a4420cd085ae20dd315a39d1a62007bbbbbda
SHA1 hash: 45e8a005ddeaff7b21d9d0c4d533b1464ac86fac
MD5 hash: 7b41eed7a3e1921c3d8ee1ca1e7edd05
humanhash: steak-iowa-mexico-winner
File name:mega.txt
Download: download sample
Signature LummaStealer
Create hunting rule
File size:569 bytes
First seen:2024-09-21 15:26:24 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:0c7YkVtwdoH86dgVLOzynDrCXyLWWRyJ8elk8yWQ5rU8eRu1Md+q+VjM9WEB:0cztH26yizIyJPGgQ+PRtd+VQ9Wm
TLSH T1B6F081BA3350411752A462E8EB4B97F98A3FC57CD5555258C16CD221543B0707E510ED
Magika powershell
Reporter aachum
Tags:LummaStealer ps1


Avatar
iamaachum
https://mega03.b-cdn.net/mega.txt

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.BZC.PZQ.Boxter.1073.7C49F178.26526.4400.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ef124f1db25d66857c7aa3
Tags:
Execution Generic Network Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade shell32
Link:
https://www.filescan.io/uploads/66eee5ca3c9389b729ba9bc2/reports/66668937-ee22-4b55-94dd-46c5a14d343d/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.1073
Link:
https://www.hybrid-analysis.com/sample/0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1515149
Signature
AI detected suspicious sample
Drops PE files with a suspicious file extension
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Search for Antivirus process
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1515149 Sample: mega.txt.ps1 Startdate: 21/09/2024 Architecture: WINDOWS Score: 92 67 mega03.b-cdn.net 2->67 69 NHRyXbJhengeBLRpbWAW.NHRyXbJhengeBLRpbWAW 2->69 77 Multi AV Scanner detection for submitted file 2->77 79 Sigma detected: Search for Antivirus process 2->79 81 Uses an obfuscated file name to hide its real file extension (double extension) 2->81 83 2 other signatures 2->83 9 powershell.exe 1 37 2->9         started        13 svchost.exe 1 1 2->13         started        16 TravellingPositions_nopump.exe 9 2->16         started        18 TravellingPositions_nopump.exe 2->18         started        signatures3 process4 dnsIp5 61 C:\Users\...\TravellingPositions_nopump.exe, PE32 9->61 dropped 89 Powershell uses Background Intelligent Transfer Service (BITS) 9->89 91 Loading BitLocker PowerShell Module 9->91 93 Powershell drops PE file 9->93 20 TravellingPositions_nopump.exe 21 9->20         started        24 conhost.exe 9->24         started        71 mega03.b-cdn.net 89.187.169.3, 443, 49707, 49708 CDN77GB Czech Republic 13->71 73 127.0.0.1 unknown unknown 13->73 63 C:\Users\user\AppData\Roaming\BITF5EA.tmp, Zip 13->63 dropped 26 cmd.exe 16->26         started        28 cmd.exe 18->28         started        file6 signatures7 process8 file9 59 C:\Users\user\AppData\Local\Temp59igeria, COM 20->59 dropped 85 Multi AV Scanner detection for dropped file 20->85 87 Machine Learning detection for dropped file 20->87 30 cmd.exe 2 20->30         started        34 conhost.exe 26->34         started        36 tasklist.exe 26->36         started        38 findstr.exe 26->38         started        46 6 other processes 26->46 40 conhost.exe 28->40         started        42 tasklist.exe 28->42         started        44 findstr.exe 28->44         started        48 6 other processes 28->48 signatures10 process11 file12 65 C:\Users\user\AppData\Local\Temp\...\Idle.pif, PE32 30->65 dropped 95 Drops PE files with a suspicious file extension 30->95 50 Idle.pif 30->50         started        53 cmd.exe 2 30->53         started        55 conhost.exe 30->55         started        57 7 other processes 30->57 signatures13 process14 signatures15 75 Multi AV Scanner detection for dropped file 50->75
Score:
62%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa/
Threat name:
Script-PowerShell.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 16:01:24 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bjmiwqsoi3ey5kqcq5rktinbqkhdrvbweqdtpsarssp5pbpcu35a._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution persistence stealer
Link:
https://tria.ge/reports/240921-w9f3rsxdjp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://chickerkuso.shop/api
Dropper Extraction:
https://mega03.b-cdn.net/mega.zip
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 5a417e81c81c4a3642cff634248e01c1a13a584ef343ef6cd3bccee9b4094305

LummaStealer

PowerShell (PS) ps1 0a588b424e46c98eaa028762a9a1a1828e38d436240737c811949fd785e2a6fa

(this sample)

LummaStealer

Executable exe 1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36

  
Dropping
LummaStealer
  
Dropped by
SHA256 5a417e81c81c4a3642cff634248e01c1a13a584ef343ef6cd3bccee9b4094305
  
Delivery method
Distributed via web download
  
Dropping
SHA256 1c2ec4c72c2f31a327b6ba4dfe27a607d311578e25d96cf34c54845eea986f36
  
Dropping
MD5 cbf6c2a14cba45f95569c9d011219518
  
Dropped by
MD5 8b51f79235d39135dbbde265db8b144a

Comments