MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8
SHA3-384 hash:	9391e6728b0dd18f40faee133812d9016fb672cb07dfb07fc2ac6e361c64d8db95c5e4851bd93b9acf141e1d093791cf
SHA1 hash:	8464c6d258f14f3002407e76359560a53e8b223b
MD5 hash:	e423336a6931c0ef690935458b62d75c
humanhash:	sweet-hawaii-sixteen-april
File name:	e423336a6931c0ef690935458b62d75c.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'073'168 bytes
First seen:	2023-02-13 08:27:35 UTC
Last seen:	2023-02-13 10:42:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0992ce2778ae787bb96d086c5eb37d54 (1 x RedLineStealer, 1 x LummaStealer)
ssdeep	6144:Ze7RhGRRskQlJzXahRI5AOZ0Ww/GF5O+xL3q3xSL1TH8x8l3c:07RhGRRsVN555OkruxSBTH8Cls
Threatray	24 similar samples on MalwareBazaar
TLSH	T1BE35BF0F75D2B433C0F21438F8E0AA7B4F3E79A10AE58B6B6B850E6D3F632519571169
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e423336a6931c0ef690935458b62d75c.exe

Verdict:

No threats detected

Analysis date:

2023-02-13 08:28:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/64275099-1edf-4de1-aec1-14819075b5b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/364889/

Detection(s):

SecuriteInfo.com.Variant.Lazy.296875.25552.30490.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Creating a window

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/68936/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63e9f49797e87dd9097e4a00/reports/0dee4150-652c-461d-9999-b55ede1314e8/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/71bfcc3a-6496-4f5f-81e5-01daa007b255

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1173124

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-02-13 08:28:08 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bti4s7calia2j55vi5qpgcvlnstrhfwkpjdtwj72quza4zxtdhea._file

Verdict:

malicious

LummaStealer

0e5374cb0497bda6bfa5f4587b26826528898cd260186527e3dd112df44abdf7

LummaStealer

147b5d6c844bd5f6962ca6ab96a0ce8103eac401ec77a61f3632e14757c199c2

LummaStealer

3f7646cd60e5f51c13eb35ef9f00d10c66fc309b486498a1978cccc2405d3373

LummaStealer

434a55ad813b1a6b02c52f969ad2101dffb037871b160ee82090383a9961ac07

LummaStealer

9f672ecfe527575cf2b512c9e64799774e4de3340cb0e0f205a78650f575e052

LummaStealer

c2051ed80860178c791220b7ab760d038e03091e4c02395a92eed4aea3872ae7

LummaStealer

ed2fe9ae17f3907311604e9ccd86b64cea278d6cb1ec10e46a3b838e9b0357e2

LummaStealer

+ 14 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230213-kc1kcsca22/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Unpacked files

SH256 hash:

356959553ae636d3a6eb45fc4d84c122f5dd42979f8071b7709a0918f1ee840f

MD5 hash:

90e09e743c457d352649b141c3e4b2d2

SHA1 hash:

cc2399a65927c03ec04ca52cf9e04cb18ae262dd

Link:

https://www.unpac.me/results/42372025-a000-4c25-9f42-19a092f557ea/

SH256 hash:

0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8

MD5 hash:

e423336a6931c0ef690935458b62d75c

SHA1 hash:

8464c6d258f14f3002407e76359560a53e8b223b

Link:

https://www.unpac.me/results/42372025-a000-4c25-9f42-19a092f557ea/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0cd1c97c405a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/0cd1c97c405a01a4f7b54760f30aab6ca71396ca7a473b27fa85320e66f319c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/364889/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample