MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41
SHA3-384 hash:	cb60812c2365ca07f5f5a3237583e3a9e0b8f9eff53c9d311fbb896e1aa6fa6edef336f6ae42967462e12d582989ec30
SHA1 hash:	1f1425d675a930a5c91f8f75ff693d15adc26a7c
MD5 hash:	27f53fb278c4084b190b93c4d5a1167f
humanhash:	winner-queen-purple-lamp
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	256'512 bytes
First seen:	2022-12-20 13:45:19 UTC
Last seen:	2022-12-20 18:47:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c50bea46cfddfdc15672a96efbafed97 (22 x Smoke Loader, 15 x Tofsee, 1 x CoinMiner)
ssdeep	6144:VxnLLI+SAP7NxRUscRXemaHxPGm+Lelg0WjcbXF:VxnfjS8NxK9eUm+Sy0WYbXF
Threatray	269 similar samples on MalwareBazaar
TLSH	T1E944D01176E0C0B3C531057AAFE6C694AA6EBD53BA20DE4737943F2F1E712819D3624B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9a9acefecee6e6e6 (4 x Smoke Loader, 2 x Amadey, 2 x Tofsee)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from https://vk.com/doc16081047_653399623?hash=azirXUX4Yirtrp1cm9E8pelNpBR1rszltT6via3PRco&dl=GE3DAOBRGA2DO:1671543620:DQfgKIwJ8cdviPYCNhKPOFCfmGvn3N15QoLZTVwqCrc&api=1&no_preview=1#lum1

Intelligence

File Origin

# of uploads :

125

# of downloads :

177

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-20 13:48:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/84f75f88-9c1e-4d24-805a-2dab823abc9b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/348381/

Detection(s):

Win.Packed.Pwsx-9980703-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Reading critical registry keys

Sending an HTTP POST request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d501a3e6-38aa-4549-89e8-3219066296c8

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1137961

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-12-19 01:21:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jlrcivpwy3m4nh2yfa5wtzjjy46ei77aba4qeyeezjdd6wuwzraq._file

Verdict:

malicious

LummaStealer

46ee09b05b493a451c0f786a1adc615771aafb299ad8e4dcd5c0a08bf5a8d838

LummaStealer

4b1ca20e32b7766d19f9bd45b05aa5a26afdd1b0660a6b60a56a51872f792878

LummaStealer

5139de19309ffe544e92c535f651440a1d43bb9bc1c45f5dbb4a3a763f6b6017

LummaStealer

660d9b301036507db4e0422d486d8ed5a19d6626308f98f7697492df4a161194

LummaStealer

6783cfad82b43f038bea849c511d1ed511bfd6e1c39d9ffe76c808cd1003b1d4

LummaStealer

707794eed28f8c7efd154aa947fb77fa182cff9c9c8289aaaac5dac40f6571f6

LummaStealer

765885f76048fa88b34d8f7aa400fc797c2439aeed8c3e034b7b1f3f7625c1fa

LummaStealer

e46ac6db4f2f8ef759b25e350a1889d70147a2d150c24456b35201106d6dccfe

LummaStealer

fb8592116149c09a733fb220937d1b482f2f656112a7f90176b066fe3c75fa13

LummaStealer

+ 259 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/221220-q2yd7ach21/

Behaviour

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

f64a6a2a53b72643be3ec8905114a3b07c6095e8b32212af020fb469a9f13b9e

MD5 hash:

2a1338fc4ec7a1a0426b43ad4bcba79c

SHA1 hash:

4f1efd93fb1d5043f59df03916074b4b4459b150

Link:

https://www.unpac.me/results/0db3aa38-bb57-4e7a-845d-30d9139ad2fe/

SH256 hash:

4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41

MD5 hash:

27f53fb278c4084b190b93c4d5a1167f

SHA1 hash:

1f1425d675a930a5c91f8f75ff693d15adc26a7c

Link:

https://www.unpac.me/results/0db3aa38-bb57-4e7a-845d-30d9139ad2fe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ae22455f6c6d9c69f58283b69e529c73c447fe00839026084ca463f5a96cc41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/348381/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample