MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f
SHA3-384 hash: f9c24d39a10e8f80232ef3216cdccbd098d61c6be13d298e60a7cf7439833747e15d28fa38380dec13454c39aa24ef3c
SHA1 hash: dbf8d55e14cd5552fc1ac5a9ad70820092af2582
MD5 hash: cbfc359ca5845daf6c6a07fb3d393586
humanhash: april-winter-lake-xray
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:616'960 bytes
First seen:2023-10-12 15:53:00 UTC
Last seen:2023-10-12 19:58:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash df15d63a937d35e74c72e9f9506c0e04 (2 x LummaStealer, 1 x N-W0rm)
ssdeep 6144:4My51owNp9pPdEtEzu9M9UJo2ouZgDJuT2+ARZEeiPOmN+6sHXl8UCBV6l3KAAOF:4t5qwNPpPaOl98cmE82hmNOacl3KAb9
Threatray 101 similar samples on MalwareBazaar
TLSH T1DDD4BF60372983B9E444AC36888686771AD498AC7F176943F744FF49F7F60A8871538F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe LummaStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_666877167?hash=gAWBwkPF0HTseIsisYGxik0SUZyeA2whOt8sJ3zV3vs&dl=osynrkUA2ivDnSHjI9Stoe2QLCZXMiCtGN36q0axT20&api=1&no_preview=1#carlo

Intelligence

File Origin
# of uploads :
14
# of downloads :
341
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-12 15:55:36 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/325d5d1c-f059-420d-9bd8-01bcf08003ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/453913/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.19685.24607.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
DNS request
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/116302/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/65281660422e14c65a8e6fae/reports/518a1f67-2bd2-41eb-b0dc-0f923ed181e0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b98ae8aa-f6f4-4c0c-a536-c0a56dbdff45
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324832
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-12 15:53:06 UTC
File Type:
PE (Exe)
AV detection:
13 of 22 (59.09%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ip73gqeco62at7mzctgzs5jjr4vjdbuto7bhehb4h5fofz4hv6pq._file
Verdict:
malicious
Similar samples:
28533fbb167059524fb63906320201575b19fa3674f03b558a42e18fd7523f3a
LummaStealer
40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73
LummaStealer
55e9b1c3ec5c6d634dcfd03b8456c14b39743f3c2330605c650d22065a0a381b
LummaStealer
5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184
LummaStealer
5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc
LummaStealer
6bc6b15b89387d9de01d506ca19989f12e22ccdb8013ed94cfe2be54cf60c4f7
LummaStealer
730f92cf3c550adcb289a67300715508b58a8b8747a9c6997e7b5233bcdebb5a
LummaStealer
c6f86c6f03bb9a5d62a0989fb6d3bc1f69b8bd023e2346fe4425ddddaa77e418
LummaStealer
f8412c9a8d210409888fb0aed2120d12b4be1cb480cf24ed66b13ccbfef6d928
LummaStealer
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231012-tbmrjsaa2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f
MD5 hash:
cbfc359ca5845daf6c6a07fb3d393586
SHA1 hash:
dbf8d55e14cd5552fc1ac5a9ad70820092af2582
Link:
https://www.unpac.me/results/8b3c66de-a9de-4360-bfb8-f50e270675fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/453913/

Comments