MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b
SHA3-384 hash:	9ce1944ee23c6d25a24399a8cdca4a163786b040321990b535681476b4375541b4dc90142e8655d93864e81903851fec
SHA1 hash:	b2e278700ce54f61c29109f2c7a5c0064b955a12
MD5 hash:	868a3a88ff839bf93deb41d1db540e0e
humanhash:	cola-paris-spring-two
File name:	868a3a88ff839bf93deb41d1db540e0e.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	392'704 bytes
First seen:	2023-01-05 07:06:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	143a634d0c15b00ddc8c937b8e7152cc (2 x RedLineStealer, 2 x Gozi, 1 x Amadey)
ssdeep	6144:CQhhLSVZOIvLkzDatb5ccG9AQElk00oxupmLvIBWjT:CkGVYIv115ccC3hoxupmLy
Threatray	42 similar samples on MalwareBazaar
TLSH	T13284AF01F366B7A2DD17817F4915DAE6E3ADB860EA64D62F2358158F3EF0FB08132518
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	7c7cb4b4a4948dc0 (1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

868a3a88ff839bf93deb41d1db540e0e.exe

Verdict:

Malicious activity

Analysis date:

2023-01-05 07:07:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/60edad75-03db-4f12-8e27-eee74c9551c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349554/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63b677180e926711fd76fff3/reports/d2550a67-ef33-4540-8e8b-516526f01f96/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b0439fa-6fc2-4940-96f6-349b83858919

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1145477

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-01-04 13:59:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 39 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gqm7rcd6n5fc4njakehdbismhazwjytjgazj3ei4fraca7nlbfvq._file

Verdict:

malicious

LummaStealer

141d673bbfc562cb61d72d51a338e07cd2e6bf775075138d3ab814b04ea302d2

LummaStealer

2636a550f44d987a4e313c4661daf5ac630387a68ef8d386421ca73060506388

LummaStealer

483fc85417b647e1100ca61a281e1c2bce0d2a7d66db220f72ec4f1f2d7e2ab9

LummaStealer

4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41

LummaStealer

781b268a96c09be7b60c94eb48f0343e56b79bbf2a86e05b0547bd095784f4dc

LummaStealer

832962d7bc1997a05b9ace55a18092ae7fb97cd3e75bcb30946a31e4f0bc5feb

LummaStealer

b61cfa94835a1327b882606787e2ed1d1ea273e1327f4541ba358cdadb8c6d39

LummaStealer

c516fc3286df7ec543273f5cce533a9d356c56ab014c2d92337ba420712da32c

LummaStealer

cca58eef57c957c6ebdf123ac6c8f59110688e83459e12821de4e8270ac9232c

LummaStealer

+ 32 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230105-hxm4nabb78/

Behaviour

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0c6e7ebc-8736-4c39-8349-e6b7885e6b4d

Unpacked files

SH256 hash:

8c2c2de4ea10cb2da240ee00413e4bceb0b47c0e3c82f05e746a824851902d98

MD5 hash:

f471b4bb5b74f9372c99d963c36694d5

SHA1 hash:

9d2a91862d9507d1d8b501eb91da11f4c7f983a4

Link:

https://www.unpac.me/results/706e61c0-ce06-443a-b403-7fa1f9b0775a/

SH256 hash:

3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b

MD5 hash:

868a3a88ff839bf93deb41d1db540e0e

SHA1 hash:

b2e278700ce54f61c29109f2c7a5c0064b955a12

Link:

https://www.unpac.me/results/706e61c0-ce06-443a-b403-7fa1f9b0775a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/349554/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample