MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434
SHA3-384 hash: 478f7740c7241bfd1a980a50770435f051c8776b153f75c51aac68ccf731a1f5a90b31ea7d9bb9645e93418e8223e5b3
SHA1 hash: 7ecef70f5769fb870a1edbd2feb3bdd4b2ac1869
MD5 hash: 20f0bdb1c1b0fc48e7923a5e9fc65c50
humanhash: cat-mango-coffee-hot
File name:20f0bdb1c1b0fc48e7923a5e9fc65c50
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'204'096 bytes
First seen:2023-07-26 06:50:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:nSGqtecGLXDOM19JV9MN14QwqqYoB5pU5SF:SXtaXD119JVKj4QwqqYOm
Threatray 2'352 similar samples on MalwareBazaar
TLSH T1C5E5336D641BADD2D71625B30B127473A7B19BEDB0823909CE3AA655CF36CCB0C4CD29
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 2000707179680068 (1 x LummaStealer)
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
899756f47edd02727fca00b607b6f955.exe
Verdict:
Malicious activity
Analysis date:
2023-07-25 23:48:36 UTC
Tags:
rat redline amadey trojan loader lumma stealer
Link:
https://app.any.run/tasks/2e987ca8-ca62-44c2-981b-848d3d2d5fdd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/433361/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68354651.12817.22205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Launching a service
Restart of the analyzed sample
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f155fde-60d5-4554-aa14-6c5baf5a6028
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279857
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 23:21:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxcvrcwet6qyhaskwwc3ngsjd7kf2hj3fma7auvnyudcwnlooq2a._file
Verdict:
malicious
Similar samples:
379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba
LummaStealer
a572db3e3faa3e4ec6f6df3460267b074b0ed24ddaeb80a84f2b839e136e1066
LummaStealer
b6a1f7a46ead00ddc8691bc83782d299934ef81a8dd9517d09aadd4296120ef3
LummaStealer
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
LummaStealer
bcd079ed77301cc5f6a0443ccb3c5b4fe4a4b660ad61d5bcc40f0224c8c2da63
LummaStealer
bcf619de91d54b32858baabce229d3073a02f0f090c9190c5e80cd8f74d82561
LummaStealer
d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5
LummaStealer
e190e4156d84f4311c5a4b10471bc3465847d6f8aee11a3d7598ca70733a0b71
LummaStealer
edce8f80d69409249e3811bb8b8347bb8151147fd186f0c8847085d2840193be
LummaStealer
f8a98f6720565d1ac05e9c1342e5bd669f46afe61626172cf4a692dd40822294
LummaStealer
+ 2'342 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/230726-hmg5nahg74/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer
Unpacked files
SH256 hash:
4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434
MD5 hash:
20f0bdb1c1b0fc48e7923a5e9fc65c50
SHA1 hash:
7ecef70f5769fb870a1edbd2feb3bdd4b2ac1869
Link:
https://www.unpac.me/results/6defe3d2-e5c1-455a-8c13-8fb6e27696ab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4dc5588ac49f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2690146/
Cape
Cape
https://www.capesandbox.com/analysis/433361/

Comments


Avatar
zbet commented on 2023-07-26 06:50:11 UTC

url : hxxp://5.42.92.67/lend/c2build.exe