MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2
SHA3-384 hash: 76cdddf69061fd05ba432730c87f8e55dee27a0a3d33595e3c01b636c7f4e8d52cc1bfb26ee371ec27ebcc30c0f16f3c
SHA1 hash: be9123c8c14485561d490c4c5fc2531945d4730a
MD5 hash: 7190bd0b28da71fa41815f7e65880098
humanhash: california-november-wolfram-nine
File name:5198917225087b627bff21df5d0f3780f77d6b6a6bc41.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:14'560'752 bytes
First seen:2023-12-22 04:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 671f2a1f8aee14d336bab98fea93d734 (182 x GuLoader, 4 x Formbook, 4 x RemcosRAT)
ssdeep 393216:b51CujIzsfE2OTJIRB38mcIsre21fWGUl:90ujffH8yRB38TC2Q3
TLSH T1F4E6339015F0BD77EA8182B5250D46F618B36BE5AEACC2C347FAF37C44959D3AC12B18
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://jewelassertivebop.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65850c5703487a0d25d485e9/reports/633af78b-3893-49c9-998d-c94665b1a6ce/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/21b778e9-17d5-4000-8c28-fd88f3da83a6
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365944
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365944 Sample: 5198917225087b627bff21df5d0... Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 47 neighborhoodfeelsa.fun 2->47 49 jewelassertivebop.fun 2->49 51 2 other IPs or domains 2->51 63 Snort IDS alert for network traffic 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Antivirus detection for URL or domain 2->67 69 5 other signatures 2->69 11 5198917225087b627bff21df5d0f3780f77d6b6a6bc41.exe 19 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32+ 11->37 dropped 39 C:\Users\user\AppData\Local\...xecDos.dll, PE32 11->39 dropped 41 C:\Users\user\AppData\Local\...\networx.exe, PE32+ 11->41 dropped 14 networx.exe 4 11->14         started        process6 file7 43 C:\Users\user\AppData\Roaming\...\sqlite.dll, PE32+ 14->43 dropped 45 C:\Users\user\AppData\Roaming\...\networx.exe, PE32+ 14->45 dropped 17 networx.exe 1 14->17         started        process8 signatures9 59 Uses netsh to modify the Windows network and firewall settings 17->59 61 Maps a DLL or memory area into another process 17->61 20 netsh.exe 4 17->20         started        process10 file11 33 C:\Users\user\AppData\Local\Temp\bvytcrawm, PE32 20->33 dropped 35 C:\Users\user\AppData\Local\Temp\ZLib.exe, PE32 20->35 dropped 71 Writes to foreign memory regions 20->71 73 Found hidden mapped module (file has been removed from disk) 20->73 24 ZLib.exe 1 20->24         started        27 conhost.exe 20->27         started        signatures12 process13 dnsIp14 53 neighborhoodfeelsa.fun 172.67.143.130, 49741, 80 CLOUDFLARENETUS United States 24->53 55 diagramfiremonkeyowwa.fun 172.67.183.217, 49742, 80 CLOUDFLARENETUS United States 24->55 57 jewelassertivebop.fun 172.67.188.236, 49740, 80 CLOUDFLARENETUS United States 24->57 29 WerFault.exe 2 16 24->29         started        31 WerFault.exe 19 2 24->31         started        process15
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 03:17:16 UTC
File Type:
PE (Exe)
Extracted files:
98
AV detection:
3 of 22 (13.64%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgmjc4rfbb5we677ehpv2dzxqd3x223knpcbrrnrbnster2tqdra._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231222-eryfnaeeg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
MD5 hash:
d7b975049ec3aba50e4b7cc654a28214
SHA1 hash:
25f2578945ebc9ac037fef7b7f94c5d48e42388b
Link:
https://www.unpac.me/results/2b6737e8-2d9a-41b1-b21b-a74374d80752/
SH256 hash:
5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2
MD5 hash:
7190bd0b28da71fa41815f7e65880098
SHA1 hash:
be9123c8c14485561d490c4c5fc2531945d4730a
Link:
https://www.unpac.me/results/2b6737e8-2d9a-41b1-b21b-a74374d80752/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5198917225087b627bff21df5d0f3780f77d6b6a6bc418c5b10b6532475380e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments