MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11
SHA3-384 hash: c82277468fdf020f854896b1b5ad63ef6f4b790f0fc15c107a10d4f689c496bdc64ebc3edb2aaef226c45662b8ee720e
SHA1 hash: f3ee9c2fb5ea8967729aab03c301cf57bf11651f
MD5 hash: a9113967b0fd1ab8469affe5e22e5dda
humanhash: eight-carpet-steak-princess
File name:3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'334'464 bytes
First seen:2023-09-05 11:04:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:w7IN9IEbGc1e40SkNd2GRfcyXUs7nNCkbpk:wkJGc1iSkd+V1ktk
Threatray 197 similar samples on MalwareBazaar
TLSH T186559E6132F79704E0BD67345CBE40ED367ABF922721C75EA6452B4F69222C2CE02776
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon babab2b2b2a6e4e4 (2 x LummaStealer)
Reporter adrian__luca
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://randsoms.click
Verdict:
Malicious activity
Analysis date:
2023-08-21 11:18:14 UTC
Tags:
lumma stealer amadey trojan
Link:
https://app.any.run/tasks/28a78e0f-4e82-46e7-b6b9-c8ccf04d1192

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446296/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.7149.14667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint lolbin obfuscated overlay packed remote stealer
Link:
https://www.filescan.io/uploads/64f70b602a262962b793b14f/reports/3c51a63c-eeb7-4b55-854f-e0c084640991/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8cf5b6a-1204-480c-b52c-4fb732f3b476
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303453
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-21 11:38:22 UTC
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hnpi433knn44pp7ald3kwfjli3gqj54ncovjct477ro6l6knzuiq._file
Verdict:
malicious
Similar samples:
1695eccf307c90c8999bb6899768b316f344db4f88e5e90ac92b5e55fd903042
LummaStealer
265aa01e804dd1bda8e2f711aa9e80bfa08d0e7e481911e2cf9d2dbc66f2dc7b
LummaStealer
5c180cd34694c91bc7f4ecaf67d4f462f10254d190d181e02a2a2a7e03d44204
LummaStealer
b287c0bc239b434b90eef01bcbd00ff48192b7cbeb540e568b8cdcdc26f90959
LummaStealer
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
LummaStealer
d42fdb11f10e2455d0197dc973cf384fc2f480e596055dcb1994086c8db4a6da
LummaStealer
f13eb672c5400eefce395ca9f5f668e2273748e3c398558e17f4c43ec314ff71
LummaStealer
fe0d21117697c040a60ed2e1fdfd838ec09330e85a9d8505a820afad480318be
LummaStealer
+ 187 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma spyware stealer
Link:
https://tria.ge/reports/230905-m6t1safb53/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Lumma Stealer
Unpacked files
SH256 hash:
e8698d602b5ed94f3ad99848e0be68f8a59f66bb79f9b958dcca7d715c82df5a
MD5 hash:
ef6df56dd3d70b8edbd3efa85dbee24b
SHA1 hash:
0660f49848845cf2a94ea4b99c47c1db5bd7779a
Link:
https://www.unpac.me/results/50fffd5d-9d37-42f2-a9fb-089aa59b86f8/
SH256 hash:
efaeadd3502760df46687b24a2143dcea97124d3ff1705c23b66859b902d2e8a
MD5 hash:
5b177495ce2136bea496bc92332204f5
SHA1 hash:
ad81d9c8e4292209233ef64036a39faa623ed926
Link:
https://www.unpac.me/results/50fffd5d-9d37-42f2-a9fb-089aa59b86f8/
SH256 hash:
607785648095f698c29bcef95644906adaa9bd87483da9b798511f38f03adcf0
MD5 hash:
4fee02bc1922ca101ebe09f73ad9bc5f
SHA1 hash:
9bcea34a7ca94b8baf3dbcdf4718a3357d018b0d
Link:
https://www.unpac.me/results/50fffd5d-9d37-42f2-a9fb-089aa59b86f8/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/50fffd5d-9d37-42f2-a9fb-089aa59b86f8/
SH256 hash:
3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11
MD5 hash:
a9113967b0fd1ab8469affe5e22e5dda
SHA1 hash:
f3ee9c2fb5ea8967729aab03c301cf57bf11651f
Link:
https://www.unpac.me/results/50fffd5d-9d37-42f2-a9fb-089aa59b86f8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b5e8e6f6a6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_USNDeleteJournal
Create hunting rule
Author:ditekSHen
Description:Detects executables containing anti-forensic artifcats of deletiing USN change journal. Observed in ransomware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_LummaStealer
Create hunting rule
Author:ditekSHen
Description:Detects Lumma Stealer
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446296/

Comments