MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564
SHA3-384 hash: bb462c9fce17e98ec26e56f3a12617f515f7c238762dfdcdad0c7c35b847d78738b4b28bcc16a0163eb14767701d3e2d
SHA1 hash: 681cfaad65942d98567701748ba6e00884653004
MD5 hash: fbb1a5a91d11b72d5d8a5a0c970d92e7
humanhash: muppet-finch-louisiana-twelve
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:634'644 bytes
First seen:2023-11-21 14:10:53 UTC
Last seen:2023-11-21 15:18:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 07286002366b685c5ccfd72109e4be70 (1 x LummaStealer)
ssdeep 12288:Rl9nJFDHipj2HoVqcgPjfHlHnBbhPOW4SF+3I/SUK1:Rl9JdMj2IivhVhx1Fl/SUK1
Threatray 432 similar samples on MalwareBazaar
TLSH T111D4C0BA30BE082BF3FB06755155C2698A722F131A37736FD77A2D970790293D988D12
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
US US
Vendor Threat Intelligence
Malware family:
dridex
Create hunting rule
ID:
1
File name:
9c5cfeef20ffb0c9e3621eb83fd30e9f
Verdict:
Malicious activity
Analysis date:
2023-11-21 13:20:12 UTC
Tags:
banker dridex trojan opendir lumma stealer loader
Link:
https://app.any.run/tasks/e1d2e846-2c50-41de-b6f1-87cc11291fb9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459553/
Detection(s):
PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP POST request
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/655cba8915cd82a1c9990880/reports/0f984f8b-dee8-4a63-9496-6563f90fd168/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f59e940-c119-4650-8116-dabea033f838
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1345841
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-11-18 17:31:47 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyht6wuonurstenpctodojz4t7jshizlokp3ewu6byrupx2i4vsa._file
Verdict:
malicious
Similar samples:
160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564
LummaStealer
20ec1d947dbe9f6a854c738dbba273cdaf8754e2505f43aab3fd7c17ea4ec23b
LummaStealer
47abb3bb4a3141078898a6bee161b07764856979ca662986a7f1c124dd1656f9
LummaStealer
9238c171562445544ce308adc17671989161094ce95d984bda7c3a7d8b92136b
LummaStealer
ac619e70e1f674bb4cb371b25ecaf913cdb7acc9f4130a1ff301ffa84ad86f76
LummaStealer
e335d891303b61d78a65a5758c2007b2aaf7bc829a9f5f436ad8d4d4d3262d5b
LummaStealer
e6001e502a2913ee4a5f96c0203a146d84e41844675d3d65041e79aca532f20a
LummaStealer
+ 422 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231121-rhbazsff8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6ea68faa273c5b905e41b90f4e23abfc44f7d278616a18a9d0b5ed85dcf07c5b
MD5 hash:
8df474104878a397340c230a02565cae
SHA1 hash:
b5dcdb06542e0b855402c55a782b2adb246faf25
Link:
https://www.unpac.me/results/e7b78be6-9f20-4245-86c7-68015bae7750/
SH256 hash:
160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564
MD5 hash:
fbb1a5a91d11b72d5d8a5a0c970d92e7
SHA1 hash:
681cfaad65942d98567701748ba6e00884653004
Link:
https://www.unpac.me/results/e7b78be6-9f20-4245-86c7-68015bae7750/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 160f3f5a8e6d232991af14dc37273c9fd323a32b729fb25a9e0e2347df48e564

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/459553/

Comments