MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8
SHA3-384 hash: 979b49d14b2c5090caba398796185d9d72e8309ebce1b3ac5e7fe81e7db67d3996ca615c768698f33b7d8b5359e7e286
SHA1 hash: 3074bd72eee6000e7e9ef7dfee24e3d27d9c550f
MD5 hash: 7102d2f457071b2c66c6c0ec3035ae7e
humanhash: beryllium-alpha-maryland-stream
File name:7102d2f457071b2c66c6c0ec3035ae7e
Download: download sample
Signature LummaStealer
Create hunting rule
File size:667'648 bytes
First seen:2023-10-26 10:42:08 UTC
Last seen:2023-10-26 12:57:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66bc811ac894535ffcee36d78d1ccd29 (2 x LummaStealer, 1 x 1ms0rryMiner)
ssdeep 12288:89lnaoj5V1hCbwgNX3x02IvNYATdvoISl47lN5R/:AaobrC1NHx0do7MlN5F
Threatray 129 similar samples on MalwareBazaar
TLSH T1CAE4B005B714E022F133AA70A7E8952202D8F8E7D794D1DBA4ADF2A5FB017BD95F0172
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
New Text Document.exe
Verdict:
Malicious activity
Analysis date:
2023-10-26 10:42:32 UTC
Tags:
loader lumma stealer sinkhole opendir miner redline stealc smoke amadey botnet trojan formbook spyware
Link:
https://app.any.run/tasks/508e68d0-92ee-4acc-a572-6f74ac7e5826

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456516/
Detection(s):
SecuriteInfo.com.BackDoor.Andromeda.1877.12089.2114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer greyware lolbin
Link:
https://www.filescan.io/uploads/653a42b74ebf05ac3f3a437f/reports/f64cf4b9-5abe-4ed9-a07b-e5f95d342734/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f158c14-96ff-4bcd-a38e-14077b7a6607
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1332616
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-26 10:43:05 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxpajyzz2oahhs3a6mnqpzmde2ktenxr44vcuar3w2mwdh3uspma._file
Verdict:
malicious
Similar samples:
00d26d8524ce924c37cbccc10d05f829b39c03037ce1b3e4d5d265d8c2993b26
LummaStealer
295daf4708da6e3b7613e4ea7637739054656332c3dfdfb0499431ef267e6a39
LummaStealer
3ff3e11128ead9eca87a33ac9bc9453cb8450212c0a002bd464243188a3d2f03
LummaStealer
8529faac16f00963245b1d07e39b4903dfd99a591b82420b5e98782ae1187477
LummaStealer
94f90d551dfd3fc18c3fc5dd7c4b279b2ebc71bbb2df9619731fc1a796c8173a
LummaStealer
9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f
LummaStealer
f14a2ea59f53b770192ee6e9b6f0c0c9ef614d53411aca619194490f16f1dabd
LummaStealer
+ 119 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231026-mr8wdsed3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8
MD5 hash:
7102d2f457071b2c66c6c0ec3035ae7e
SHA1 hash:
3074bd72eee6000e7e9ef7dfee24e3d27d9c550f
Link:
https://www.unpac.me/results/f94b6fbd-cbb8-45cc-8ea1-75d24fb7e9f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 35de04e339d38073cb60f31b07e58326953236f1e72a2a023bb699619f7493d8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726033/
Cape
Cape
https://www.capesandbox.com/analysis/456516/

Comments


Avatar
zbet commented on 2023-10-26 10:42:09 UTC

url : hxxp://h171145.srv22.test-hf.su/202.exe