MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea
SHA3-384 hash:	d3387a8ab10a34ca424651f8be47ebca236790d667bb74d1dd74f446619cb03a169f4b4fa06792bbeec7f3788e9d1816
SHA1 hash:	9a2e95eb0092434de34ed4045b6ff8cfc1dac0a5
MD5 hash:	7c7bbda1ca87f1fea18e94319a1e9c5e
humanhash:	lamp-sixteen-one-mockingbird
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	419'328 bytes
First seen:	2023-09-20 14:34:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d91386b9c0657f46a0e0fccbb7bb540a (4 x Smoke Loader, 2 x LummaStealer, 1 x RedLineStealer)
ssdeep	6144:gQv7Slxc/UWE+hm6KmaqzPjXqN93TjcaaWwNaDNErbskQA8b3eEaYlHgeTu:g6ExcJm6K+TLGNQa928T6SlA2
Threatray	8 similar samples on MalwareBazaar
TLSH	T1B7940211B993E072C1EB44315930DB612E7FB87369B5864B3F94276F6D313C12BA5706
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	100100092a201000 (1 x LummaStealer)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from http://94.142.138.221/file/name.exe

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-20 14:36:00 UTC

Tags:

lumma

Link:

https://app.any.run/tasks/116beb8b-8e69-454a-a8b1-2d38756e530c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450056/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/650b031732ffdb7a7a0d3267/reports/6b8b58c9-69f3-44c9-b1c9-a93d0ae8df57/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6d593138-1851-4aaf-a93c-2caa02daa071

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1311625

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of sandbox detection

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-09-20 14:35:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ipamakidx7hg4g4p3fpfgiuiends7bpbuh44cmjl7gaoauvahlva._file

Verdict:

malicious

LummaStealer

a65b98c3ab3e2131237638386efc92c6c3fa247f52fad896252cf3f6556ab651

LummaStealer

dd5b52a63e8a774c058e558aa7e983d6aa51f560ba3f01829287c4b85081b884

LummaStealer

e8f15cce81d73dd30199ac900f7c6b04b213121a8a8b00440399422d65a7b083

LummaStealer

efa3344e794905e7c09951a2ce69b18ced2ef56006fe9215d2af9e1364730dd2

LummaStealer

f283459ce2526161b855268f695ba6e00e253b76c82c382f3d9f29fc741f224d

LummaStealer

f561a2851020a8f0473104f4c4123c9730710c0fb6faf6cfcdd926694960374d

LummaStealer

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230920-rxz8naah43/

Unpacked files

SH256 hash:

62a33ed44fd2cf4a5da1d2690ea97554adedb5052b25b8af3e07df75cab4ae01

MD5 hash:

ea4362cb3ac8f7383d42be4e9bbba4a5

SHA1 hash:

d271651fd35172352e370b240d3d6d018acfa783

Link:

https://www.unpac.me/results/f8404d18-0d94-4ad8-8e46-21bc6c45b5fc/

SH256 hash:

43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea

MD5 hash:

7c7bbda1ca87f1fea18e94319a1e9c5e

SHA1 hash:

9a2e95eb0092434de34ed4045b6ff8cfc1dac0a5

Link:

https://www.unpac.me/results/f8404d18-0d94-4ad8-8e46-21bc6c45b5fc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/43c0c02903bf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43c0c02903bfce6e1b8fd95e53228823472f85e1a1f9c1312bf980e052a03aea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/450056/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample