MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf
SHA3-384 hash:	3fb656a7f042514e1c4ec09edb522151ca9081ac05ecf8e410a124a019692f3e685a8fe9a9cf49557af3a60eb8998321
SHA1 hash:	c43316ddcb51e143ab53f996587c23ea4985f6ea
MD5 hash:	1995a54dba0e05d80903d3d210c1e3da
humanhash:	bacon-sink-neptune-wyoming
File name:	277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	161'792 bytes
First seen:	2024-02-05 16:28:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	635c15b66e88a1fa7fca2c7e4ca14acf (2 x LummaStealer)
ssdeep	3072:7ZEsdw9MDdPyebt3JM0sknMIYIAsfJJ4MfehihzynMT0bLbF9OTwSG:1Esde4JfaIV/4KehQznLwSG
Threatray	28 similar samples on MalwareBazaar
TLSH	T11DF36B15B5D1C031E5770A3205F4D670AE3DBA302AA25AEF2B550BBE6F316C09724F6B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	Viuleeenz
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

282

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1995a54dba0e05d80903d3d210c1e3da

Verdict:

Malicious activity

Analysis date:

2023-01-09 07:32:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0c6fd1f6-f4bd-4076-942a-14bbcfdf18db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/474766/

Detection(s):

Win.Malware.Lumma-10013228-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/65c10cd50b80a4072892f0d2/reports/5856b7ea-3fec-4345-aeb0-67a82f77a7fb/overview

Verdict:

Malicious

Labled as:

Infostealer/LummaC2

Link:

https://www.hybrid-analysis.com/sample/277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6de2ed24-7bbc-44d3-94f9-923dc7d4336c

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1386979

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2023-01-04 05:22:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 38 (81.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e56x6ricncxljz76sqxxbko7movefhlqh2kaanypayq2iohjdc7q._file

Verdict:

malicious

LummaStealer

3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b

LummaStealer

6513d3ca0604ec33242e2dd8bcabe29fe62cb2acabada15ad959fc6d7cef576f

LummaStealer

72d6cd338baba81b7cef1bcd1ea4eed199adcce0ac57fe1e674527ad7258ea8d

LummaStealer

781b268a96c09be7b60c94eb48f0343e56b79bbf2a86e05b0547bd095784f4dc

LummaStealer

7bd7346f3ef17dd2c0cc405b6754ddcd7effd90619b94a1715fa90f9a5fea9ac

LummaStealer

7d359b225b46708af6be5f37ee7c1c8f7f2106d0aa0dc1964773ac677e9aa2cb

LummaStealer

81b16b8e152322da3b81e7703e430c77d3f06e53b0ba24a5a82e0c3e371c9a21

LummaStealer

c516fc3286df7ec543273f5cce533a9d356c56ab014c2d92337ba420712da32c

LummaStealer

c837a63ce5b9c5828fbf262e570947fbdc78ef081411f1cd0f22bd534ef55788

LummaStealer

+ 18 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma spyware stealer

Link:

https://tria.ge/reports/240205-ty8brseacm/

Behaviour

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Malware Config

C2 Extraction:

195.123.226.91

Unpacked files

SH256 hash:

277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf

MD5 hash:

1995a54dba0e05d80903d3d210c1e3da

SHA1 hash:

c43316ddcb51e143ab53f996587c23ea4985f6ea

Detections:

win_lumma_w1

win_lumma_auto

win_lumma_a0

win_lumma_simple_strings

Detect_lumma_stealer

INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Link:

https://www.unpac.me/results/48a0aed1-5470-4cbd-9cda-f2298aa4f353/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of MFA browser extension IDs.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	win_lumma Create hunting rule
Author:	GovCERT.ch
Description:	Matches unpacked Lumma stealer samples

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

Rule name:	win_lumma_simple_strings Create hunting rule
Author:	Matthew @ Embee_Research

Rule name:	win_lumma_w1 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/474766/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample