MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3098a9c50afcd478c3eeb9b12b3794109c0f3652263bcaf8b0077c413188e4da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 7

SHA256 hash: 3098a9c50afcd478c3eeb9b12b3794109c0f3652263bcaf8b0077c413188e4da
SHA3-384 hash: c54ebc44e0247aa7e134ae1d324cbeb16d8640310a965c7992cda0660b9068fab15213926375a843f949b9294cebd02e
SHA1 hash: 98d8b2509628ab131345992f2d43241913d12557
MD5 hash: 5697159735d484d2d4fff3ef06aa6f62
humanhash: north-rugby-table-august
File name: re5.mp4
Signature: LummaStealer
File size: 540'101 bytes
First seen: 2024-12-31 08:16:05 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: application/octet-stream
ssdeep: 6144:dKqpsbLbkARe7CepXY5eUfdemme0629ecUT5sgIqevBReYbC:HQsu
Threatray: 2'448 similar samples on MalwareBazaar
TLSH: T10AB4B0465A730614D87DC974EEDBCA282071BDC84C0587AE4ACDB43530AB5B87ED6AFC
Magika: zip
Reporter: lontze7
Tags: hta LummaStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 89
Origin country: FR

Vendor Threat Intelligence

Verdict: Malicious
Score: 93.3%
Tags: obfuscate xtreme mirai shell

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Behaviour
Behavior Graph: [graph image not captured] Behavior Graph ID 1582681; sample re5.mp4.hta; start date 31/12/2024; architecture WINDOWS; score 100. Process chain shown in the graph: mshta.exe -> powershell.exe -> powershell.exe -> powershell.exe -> powershell.exe, each PowerShell stage also starting conhost.exe. Network nodes shown in the graph: t1.awagama2.org (188.114.97.3, port 443, CLOUDFLARENETUS), permissiblene.click (188.114.96.3, port 443, CLOUDFLARENETUS), klipvumisui.shop (104.21.37.128, port 443, CLOUDFLARENETUS).
Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2024-12-29 17:55:51 UTC
File Type: Binary
AV detection: 4 of 23 (17.39%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: discovery execution
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File type: HTML Application (hta)
SHA256: 3098a9c50afcd478c3eeb9b12b3794109c0f3652263bcaf8b0077c413188e4da (this sample)

Delivery method: Distributed via web download

Comments