MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2806b7e515048d1a620b70f50e2a638ffa4ef35502405e2c02e5098d71da65b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: LummaStealer
Vendor detections: 9

SHA256 hash: 2806b7e515048d1a620b70f50e2a638ffa4ef35502405e2c02e5098d71da65b6
SHA3-384 hash: aa3908582e2880e2935223f6caeaad96d359cdde27076a4fb282f60d849fb547c00d445c4bcc140fab688c45ce7e9531
SHA1 hash: 2802f9140dd6263b18ab9ea25629cd85ea154176
MD5 hash: cc2c231cac4c1b4026dad5a8e2aa619d
humanhash: wyoming-ceiling-carpet-bulldog
File name: but3.ps1
Signature: LummaStealer
File size: 1'944 bytes
First seen: 2024-11-10 08:14:57 UTC
Last seen: 2024-11-14 11:15:51 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:Isy1P3TZLpoWaFY4c/1M4+yR0L4mMJPXDFrDuNywLdcyybrX:OPd42
Threatray: 8 similar samples on MalwareBazaar
TLSH: T1D3412459B38CD82487C452154D1EB444F26A466E213375F462CDF560ECB51FC7A7A218
Magika: powershell
Reporter: JAMESWT_WT
Tags: LummaStealer notion-ramchhaya-com ps1 repostebhu-sbs

Intelligence

File Origin
# of uploads: 2
# of downloads: 97
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: ransomware dropper virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: persistence

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph: ID 1553045, sample but3.ps1, start date 10/11/2024, architecture WINDOWS, score 100 (rendered graph not reproduced here). Processes started: powershell.exe, sftpc.exe (two instances), svchost.exe; powershell.exe in turn starts sftpc.exe and conhost.exe. Dropped file: C:\Users\user\AppData\Roaming\...\sftpc.exe (PE32). Contacted hosts: zanymarkedjz.fun; repostebhu.sbs (104.21.14.17, port 443, CLOUDFLARENETUS, United States); sufusioticarchi.b-cdn.net (169.150.247.37, port 443, SPIRITTEL-ASUS, United States); 127.0.0.1. Signatures attached to the graph nodes are those listed under Signature above.
Threat name: Script-PowerShell.Trojan.Powdow
Status: Malicious
First seen: 2024-11-09 23:02:12 UTC
File Type: Text (PowerShell)
AV detection: 7 of 38 (18.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Malware Config
Dropper Extraction:
https://sufusioticArchi.b-cdn.net/narubu.zip
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FP
