MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0
SHA3-384 hash: 6d7dfb59df0a9d1843e65922e15baef13d11be71abf4bb4f5d179404eb4221d1d45d7584afb57bb57e656fb827b82abe
SHA1 hash: ef70e96878268de3d6174d7c772ca3db4a82c470
MD5 hash: e28caeb7f200cb9e09493e31c3946e3a
humanhash: juliet-steak-oranges-island
File name:e28caeb7f200cb9e09493e31c3946e3a.bin
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'259'392 bytes
First seen:2023-07-26 15:23:46 UTC
Last seen:2023-07-26 16:35:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:pRseyJEgrFWTMY5BlcpYpXJKo9ZkqEwvpxTGNJ:JyJEhpcQXQRqhxcJ
Threatray 2'365 similar samples on MalwareBazaar
TLSH T1DCE5330D1D27D23AC69A4F35A7F50E4CBBF5B39618243A99FC58121FAC728E19C9C325
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 762769496363734b (1 x RedLineStealer, 1 x LummaStealer)
Reporter abuse_ch
Tags:bin exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e28caeb7f200cb9e09493e31c3946e3a.bin
Verdict:
Malicious activity
Analysis date:
2023-07-26 15:29:12 UTC
Tags:
lumma
Link:
https://app.any.run/tasks/d3df2e49-3aaa-4568-a444-68a22937049b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/434051/
Detection(s):
SecuriteInfo.com.Win32.KeyloggerX-gen.9534.27594.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fb12af2a-896a-4b41-b1ca-7dddbbdeb9a1
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1280425
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280425 Sample: Xfp85ho1xn.exe Startdate: 26/07/2023 Architecture: WINDOWS Score: 76 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Machine Learning detection for sample 2->35 37 2 other signatures 2->37 7 Xfp85ho1xn.exe 15 4 2->7         started        process3 dnsIp4 29 files.catbox.moe 108.181.20.35, 443, 49701 ASN852CA Canada 7->29 27 C:\Users\user\AppData\...\Xfp85ho1xn.exe.log, ASCII 7->27 dropped 39 Injects a PE file into a foreign processes 7->39 12 cmd.exe 1 7->12         started        15 cmd.exe 1 7->15         started        17 Xfp85ho1xn.exe 7->17         started        file5 signatures6 process7 signatures8 41 Uses ipconfig to lookup or modify the Windows network settings 12->41 19 conhost.exe 12->19         started        21 ipconfig.exe 1 12->21         started        23 conhost.exe 15->23         started        25 ipconfig.exe 1 15->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0/
Threat name:
Win32.Spyware.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 14:10:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnawf3kuelhast2mg3ar5f7kinl3rcwaxqoufyfda53urhcb6hia._file
Verdict:
malicious
Similar samples:
379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba
LummaStealer
4203d4bec77286094dae9822544155fa2f46f5fc12bc7766b8691ca2c3a219b3
LummaStealer
4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434
LummaStealer
b3174f733fd844023c76b997e21311287dd47342db80a1ccd97deadb6f3dd85a
LummaStealer
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
LummaStealer
bcd079ed77301cc5f6a0443ccb3c5b4fe4a4b660ad61d5bcc40f0224c8c2da63
LummaStealer
bcf619de91d54b32858baabce229d3073a02f0f090c9190c5e80cd8f74d82561
LummaStealer
d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5
LummaStealer
d24cac5596825fe9f802f9aa40201452c16f40fea1b4c46b5a23423c13d7f180
LummaStealer
e190e4156d84f4311c5a4b10471bc3465847d6f8aee11a3d7598ca70733a0b71
LummaStealer
+ 2'355 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma stealer
Link:
https://tria.ge/reports/230726-ss2rcseb41/
Behaviour
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Lumma Stealer
Unpacked files
SH256 hash:
134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0
MD5 hash:
e28caeb7f200cb9e09493e31c3946e3a
SHA1 hash:
ef70e96878268de3d6174d7c772ca3db4a82c470
Link:
https://www.unpac.me/results/05ded953-6b70-476a-bd19-f43243db0a71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 134162ed5422ce094f4c36c11e97ea4357b88ac0bc1d42e0a30777489c41f1d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2690336/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/434051/

Comments