MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4
SHA3-384 hash:	3a7a41a39b92ccab752ca99f7ec42a71b5b286ae1796a9dd9b08c1343c2c9eb51a51cb5d5fc65cc2ce38ca3207696083
SHA1 hash:	93e9619e07b94659b4ea7913532fe3d3d9b6ebd0
MD5 hash:	5aaf84e27d4e4d7162be0b5d01aa2f98
humanhash:	bulldog-tennis-island-video
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	417'792 bytes
First seen:	2024-02-01 17:27:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c33a7b4022bd29f9ba900fe89020dcf9 (1 x RedLineStealer, 1 x LummaStealer, 1 x Vidar)
ssdeep	12288:HM4Wfkfme36XE9I/+HPjfn/KrEbBd470cMT:R7b3MEy/+HP7n/IUn470V
Threatray	21 similar samples on MalwareBazaar
TLSH	T166941251B6E2C737F6B785706C35DAD0662BBCAB23A4489F7095771B2E731C188A0783
TrID	39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.5% (.SCR) Windows screen saver (13097/50/3) 13.3% (.EXE) Win64 Executable (generic) (10523/12/4) 8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	afa1a1a1a1a181aa (1 x LummaStealer)
Reporter	Bitsight
Tags:	exe LummaStealer

Bitsight

Sample downloaded from http://82.147.84.194/0.exe

Intelligence

File Origin

# of uploads :

# of downloads :

468

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/474081/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint packed

Link:

https://www.filescan.io/uploads/65bbd4a819fc3809141ac8e9/reports/3058d555-c7d1-4047-ae51-a5a6d1c56f67/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5d672821-b9e8-481c-8a0c-8e2a26e496c3

Result

Threat name:

LummaC

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1385081

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2024-02-01 17:28:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ciw4vj4sfuo6xs7smdzvcmnnxoqrnp3doolfppu47m2a2e3bo22a._file

Verdict:

malicious

LummaStealer

334723749423829b3bec1b3d29bd20f6e6c086042223c1838f30ab4544636019

LummaStealer

6eb059db599f4264f5faf4d183ae69eb0d8b1310a11afd775e312d392f69ebd5

LummaStealer

7c8cba80f25133b472a18ef8e8661d9d31340e491d02fb1d33823651204c9831

LummaStealer

cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d

LummaStealer

dfd80794ff8c069f103102973dca681d18609a2d95128662ea1ebbdb521cfcda

LummaStealer

f69080393c3812537a1f9c367a023d1e8f4cb12ce33fc17eb0a1a6930a8b39cc

LummaStealer

+ 11 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240201-v1zm3sdafl/

Behaviour

Program crash

Unpacked files

SH256 hash:

0377e73b447103084fee96e43e52fa2b75e840d6087a171cbb3d17e65dc73bb9

MD5 hash:

68193abadacd46ed734449b20be9ad38

SHA1 hash:

382dfe5f1a492918c3ca518e2f69d6891a1b6b81

Link:

https://www.unpac.me/results/594a9358-f2d9-4b42-ae26-4155e8beea44/

SH256 hash:

122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4

MD5 hash:

5aaf84e27d4e4d7162be0b5d01aa2f98

SHA1 hash:

93e9619e07b94659b4ea7913532fe3d3d9b6ebd0

Link:

https://www.unpac.me/results/594a9358-f2d9-4b42-ae26-4155e8beea44/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/122dcaa7922d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/122dcaa7922d1debcbf260f35131adbba116bf63739657be9cfb340d136176b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2754985/

Cape

https://www.capesandbox.com/analysis/474081/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample