MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1
SHA3-384 hash:	9a2933220bdcd8dd5a8d12ab07e38bf0a1fc60d6d26d4454e2ad30ecdff99990977e06ae3c3bf8eb04c3a7d36a0b687d
SHA1 hash:	b82a50c3e2d8be5a164b643ce0fc12578611d3be
MD5 hash:	3d8936f5a6d5848dbf9cf05788c804ac
humanhash:	sad-whiskey-hamper-jig
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	575'192 bytes
First seen:	2023-12-01 17:49:48 UTC
Last seen:	2023-12-07 23:27:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	dd57e6241193db02ac9b4aeea2df893d (6 x RedLineStealer, 1 x LummaStealer)
ssdeep	12288:OBAHNam+fgfr/b/Diq9nMoHi6l17sIeK1:RHNajOqq9nfH9sIeK1
Threatray	12 similar samples on MalwareBazaar
TLSH	T146C48D0DD20A91B6DE4544F2DEB12C8854B889A7AF81ED7CFD4C121B2D1B5FCA3DA274
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from https://vk.com/doc418490229_669068302?hash=aL1MlTOZyhzNArUs2dEqtquDe4NM0O3UDb0zPYKzZuX&dl=mX0PZqooeksN0XTEObpek8Azk2uKJjwsXybDoroEswH&api=1&no_preview=1#gaas

Intelligence

File Origin

# of uploads :

144

# of downloads :

319

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461748/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader46.36632.15481.30994.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Gathering data

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

WeeLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08db3a69-4cc2-48c3-8498-8c7fafebf0a8

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1351604

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-12-01 17:50:05 UTC

File Type:

PE (Exe)

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k53bee644zv47n5qiu6zv25cl6zynf2ftcwjegj7gtwst25hlcyq._file

Verdict:

malicious

LummaStealer

35c95938f2142be31f8ec491afe72c1d31e4d792c6672e49ac8400e9c7b4a555

LummaStealer

57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1

LummaStealer

bc84d385e7442377d67777b6327d58cafcad02199be315ed33b05610bec4602a

LummaStealer

d09693af02eaf96239b0cfb3b0aeefbfc6ec97a09cba87a89b6b06e292cc5209

LummaStealer

e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b

LummaStealer

+ 2 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/231201-wekgpsed53/

Unpacked files

SH256 hash:

298ab240fd3de7116367a3bdebb117e7f7dae27fedf21631974a39e83f08056e

MD5 hash:

774da96a8b1d1fbd60b58e6fa22d7ed5

SHA1 hash:

71f73d013b8b8a884324a2f45f71986f25cae584

Detections:

win_lumma_a0

Link:

https://www.unpac.me/results/0340779b-520e-42af-9803-fabed8ab9900/

SH256 hash:

57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1

MD5 hash:

3d8936f5a6d5848dbf9cf05788c804ac

SHA1 hash:

b82a50c3e2d8be5a164b643ce0fc12578611d3be

Link:

https://www.unpac.me/results/0340779b-520e-42af-9803-fabed8ab9900/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/57761213dce66bcfb7b0453d9aeba25fb386974598ac92193f34ed29eba758b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/461748/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample