MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73
SHA3-384 hash:	56156e1405860ead7bba6aca3a19e7ac533741e020f51369a6a8e5eb8e696024d0803e1e16bd28abd51104b8cfccc986
SHA1 hash:	b6c542e4cdbc736c0ecfdd2d87d371662fbb5c02
MD5 hash:	198d592d71cd794beb4411b244b5c28d
humanhash:	beryllium-salami-zulu-happy
File name:	198d592d71cd794beb4411b244b5c28d.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	487'936 bytes
First seen:	2023-10-11 01:06:09 UTC
Last seen:	2023-10-11 01:33:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d13adfb2207c0a29448d597efdca439d (2 x LummaStealer)
ssdeep	12288:fh30hEYRHB30pGmVWLpni0bUvW+tVfFMNuHUs:f+nF0omVWBaW+tVCGH
Threatray	148 similar samples on MalwareBazaar
TLSH	T195A4AE10B9E280F2D873253101F8E77A9A38BA31C9758DCFEBC44C7C9A36690A75575E
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe LummaStealer

abuse_ch

LummaStealer C2:
http://peersneaps.fun/api

Intelligence

File Origin

# of uploads :

# of downloads :

306

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

198d592d71cd794beb4411b244b5c28d.exe

Verdict:

No threats detected

Analysis date:

2023-10-11 01:09:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4ebe6898-1657-41d8-8775-eefc9e9ef6b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453061/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.16963.14107.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

TrojanS.B0C35B51

Link:

https://www.hybrid-analysis.com/sample/40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/208f5630-c843-4d77-9544-029a2d32779b

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1323376

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2023-10-08 13:33:14 UTC

File Type:

PE (Exe)

AV detection:

28 of 38 (73.68%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=icrszi54ot7e7ahagsblhmoxxtxactpoqivifgn47p2i52gah5zq._file

Verdict:

malicious

LummaStealer

730f92cf3c550adcb289a67300715508b58a8b8747a9c6997e7b5233bcdebb5a

LummaStealer

83ffeee1f0d4690e83edc9c4ad75b0d158cfbe4d8208a30a6fb75fa576b8f529

LummaStealer

92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea

LummaStealer

bec28def672957143374413ca61cc8bc072551e0547d9597de026f2592b562fc

LummaStealer

c548a9b2a65b4be7904c7c072afac1de6c63a472a54af511eaba6a0a8f36c932

LummaStealer

c6f86c6f03bb9a5d62a0989fb6d3bc1f69b8bd023e2346fe4425ddddaa77e418

LummaStealer

d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca

LummaStealer

dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187

LummaStealer

+ 138 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/231011-bgmpmabe73/

Behaviour

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73

MD5 hash:

198d592d71cd794beb4411b244b5c28d

SHA1 hash:

b6c542e4cdbc736c0ecfdd2d87d371662fbb5c02

Detections:

win_lumma_auto

Link:

https://www.unpac.me/results/b5c257fa-924e-47a1-8182-83ce4d5ca080/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453061/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample