MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9
SHA3-384 hash: f9dfe26da8f87b22b3c63efe88c502847e2bcc7846ff8c08ac1bb9139c0af1dcbf361ecdd79e7aaf4745c7d6941bd719
SHA1 hash: dfda3628a9b8971a043fafab4c6ee95c8b4cd5cc
MD5 hash: be4f493e0b615fa9df3216132c14f763
humanhash: idaho-undress-ceiling-skylark
File name:92.255.57_2.112.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:539'177 bytes
First seen:2025-01-14 07:25:32 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12288:cG34WzRsAX2h7dVI42CoeUJ2z6m20sFqwg2:cGdyZPIvLJ2z20sFFg2
Threatray 2 similar samples on MalwareBazaar
TLSH T1B4B47D3140533C5E3F6E2ECAA4006DC00C9D39A7BA14D154AEC992B6B2BD53B5E6D9FC
Magika powershell
Reporter JAMESWT_WT
Tags:92-255-57-112 booking LummaStealer ps1 Spam-ITA

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Obfus-9.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6786118f4487910100dec215
Tags:
virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex net obfuscated
Link:
https://www.filescan.io/uploads/67861193f6ef415507daf25d/reports/45552692-6d6c-45a7-a740-993c5ada6900/overview
Verdict:
Malicious
Labled as:
PowerShell/Agent.CDT trojan
Link:
https://www.hybrid-analysis.com/sample/229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9
Result
Verdict:
UNKNOWN
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1590524
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9/
Threat name:
Script-PowerShell.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-01-13 17:14:16 UTC
File Type:
Text
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekjyl67ahxmkxfej5ypq6sszc24jx2aavit3pvldwyyiaiisgwuq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
2abcdd856020c9a5a7dcb9d73d2fb175a598fed6bc62b6dbabbb128ce658e17f
LummaStealer
error
LummaStealer
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250114-h9hpps1mew/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 229385fbe03dd8ab9489ee1f0f4a5916b89be800aa27b7d563b63080211235a9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3399030/
  
Delivery method
Distributed via web download

Comments