MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 5



SHA256 hash: 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94
SHA3-384 hash: a2e489998131a2966e3b5cb84e1b9651d2143b4422d6701557d7edcc9c37927b29cda66bf643cfbd2b80a2a4bdeb1ceb
SHA1 hash: bf085f00fd0a9cf51e0a580d9819367e345cace4
MD5 hash: 43dd09be1f034e3f7f6232bc7e1d3b80
humanhash: neptune-coffee-red-hawaii
File name: new-riii-1-b.pub.hta
Signature: LummaStealer
File size: 643'313 bytes
First seen: 2025-01-15 14:52:16 UTC
Last seen: 2025-01-16 15:20:55 UTC
File type: HTML Application (hta)
MIME type: text/plain
ssdeep: 6144:3L+/jwnm2CVkpjY2mAIzg53cb3JQQkzxGLOaJQQszxGkJxQkzxGQ7sJGQkzMGFBQ:3L+/jCm2CVkpzmAIze3cbnK8yyKkKEKy
TLSH: T149D4925A9B7BD514C4B63D7CF8C503A134A46CCD9489C6C90AFEAC2524870ECBE989FC
Magika: unknown
Reporter: aachum
Tags: FakeCaptcha FakePub hta LummaStealer


iamaachum:
https://sos-de-muc-1.exo.io/after/clear/then/continue-ri-1.html => https://fixazo.online/new-riii-1-b.pub

Intelligence


File Origin
# of uploads: 4
# of downloads: 135
Origin country: ES

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: obfuscate xtreme virus

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph (ID 1592081; sample new-riii-1-b.pub.hta; start date 15/01/2025; architecture WINDOWS; score 100): mshta.exe starts powershell.exe, which spawns further powershell.exe instances (each with conhost.exe). Network contacts in the graph: idealizetreez.shop (104.21.64.1, port 443), e1.foiloverturnarrival.shop, f1.foiloverturnarrival.shop (172.67.194.161, port 443), klipgibob.shop (172.67.212.45, port 443), all CLOUDFLARENETUS, United States, plus 2 other IPs or domains. The per-process signature labels in the graph are the ones listed under Signature above.
Result
Malware family: n/a
Score: 3/10
Tags: discovery

Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File type: HTML Application (hta)
SHA256: 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94 (this sample)

Comments