MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
SHA3-384 hash: 0add65d1f138a8eb8c3c402eca9b07a46a3c4c37ed5e3069dc62a0a8a0232f51b9bcb54210c83111ef3a7122091c2739
SHA1 hash: da12b470e707792d8435fc79e1fb599f057e4560
MD5 hash: c6af87f5117afd0a700eba976d74d2ce
humanhash: cardinal-double-pennsylvania-cup
File name:52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'153'536 bytes
First seen:2023-09-06 12:24:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:sZoukh9zYLf+Qq/W4TNIgtJY8hnRXYvvPpwcvHVyqTH3OCzEw9qY8uQJStm5xzei:sKukbJ71CTE+pZVD3YwajXzTpOua
Threatray 164 similar samples on MalwareBazaar
TLSH T1B235E03033FA0E08E5BE1B3159FB909107B6BE673A36CB6E9644164D1922753CF12B67
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon e4bce8ace0b4e4a4 (1 x LummaStealer)
Reporter adrian__luca
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
Verdict:
Malicious activity
Analysis date:
2023-09-06 12:27:25 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/7fb41c4c-7055-492e-84f6-e6b4103b0da1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LummaStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/446564/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.27476.26991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
DNS request
Reading critical registry keys
Sending a custom TCP request
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin obfuscated packed remote stealer
Link:
https://www.filescan.io/uploads/64f86f9f4578d9c35e0432e4/reports/b0777e5d-cd8a-4252-a729-c27ed4242f93/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc90e5dc-7adc-4bcb-beb7-31fb0c499ad8
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304283
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-09-06 12:25:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=klqduelwcig5aluqqh6ed2nt5wwxxiac4ji5npytjgcx6txrsora._file
Verdict:
malicious
Similar samples:
0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
LummaStealer
1c9708a7c1cca2ffb1fb6711828553521a81c313bd3dcefba441e546d2457e5d
LummaStealer
3b5e8e6f6a6b79c7bfe058f6ab152b46cd04f78d13aa914f9ffc5de5f94dcd11
LummaStealer
4cf04223c56e29b7ecb5abb763ed840fecb68c1e9f718daaf823bf94f7ae9efb
LummaStealer
50ee88e94c3b5ee3652c4768305f6924679cfd6a48792ed322f0ef858ed06c7e
LummaStealer
bb51422c11080e388fbb7dc7a7bfdb6cc01235d8ccb65fbbf726c230db357be6
LummaStealer
e02f9dc140a5c96f52f5920069e851e6eb606c8b957ae43cb58081d0e8a87d73
LummaStealer
ee5c19be53080ac42369f307dd5a82956a8e927860473cee8352f94b01046c6d
LummaStealer
f064653fb4b2d463961af7fe3234c034a068d382f0df1eada6e7090dc7c288c8
LummaStealer
f13eb672c5400eefce395ca9f5f668e2273748e3c398558e17f4c43ec314ff71
LummaStealer
+ 154 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma spyware stealer
Link:
https://tria.ge/reports/230906-pllj1sfc89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Lumma Stealer
Unpacked files
SH256 hash:
55f94b2a4b51aed5b8cbd11fcf00431511dc2b94992419aa9c43e480f4308ea1
MD5 hash:
025e90cbefe67ed0d1919867a74d807c
SHA1 hash:
9877c53ff353ecfcd41992762f59902f7f634010
Link:
https://www.unpac.me/results/d5b28ec1-6442-4727-ae87-9fe7ce7c6325/
SH256 hash:
5e7f575569b2b6896dc373d7edce043902e5590770e100612153f941c5978354
MD5 hash:
932af8d83db9fc2232a8c20b8d74a792
SHA1 hash:
d8404442c7d37919dfec4e53920ba574828a2676
Link:
https://www.unpac.me/results/d5b28ec1-6442-4727-ae87-9fe7ce7c6325/
SH256 hash:
198a65f6a3f780f1a022f030629e8561c31cc555a113f570a566d40d1ee56a05
MD5 hash:
9b3a1b5d3ffe9fb9db6c5aaefa1ae076
SHA1 hash:
0da05e4c72430da0d061a02cd6cf50c41e6bd83a
Link:
https://www.unpac.me/results/d5b28ec1-6442-4727-ae87-9fe7ce7c6325/
SH256 hash:
52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
MD5 hash:
c6af87f5117afd0a700eba976d74d2ce
SHA1 hash:
da12b470e707792d8435fc79e1fb599f057e4560
Link:
https://www.unpac.me/results/d5b28ec1-6442-4727-ae87-9fe7ce7c6325/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52e03a117612/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446564/

Comments