MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc
SHA3-384 hash: 6cad89122315536a68df90e3f9206369f89947ee456a72cb072b29d4503016b2fceaa01909714da5359067ce381c7374
SHA1 hash: 03554252ed7f31b9ddc473ec780fc0ef1674cdd9
MD5 hash: ed013a65f9f2184b59cfa41e7e4b3dba
humanhash: triple-bulldog-wyoming-connecticut
File name:filex.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:285'696 bytes
First seen:2023-09-10 09:52:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8a8dbe6ecfacdaceac22d14c24917858 (3 x RedLineStealer, 1 x LummaStealer, 1 x Formbook)
ssdeep 6144:cV+4tt25MIRakGNhYPu2p3QuvakzErQ9cQfCj:S25MIkkGNwPWSahrQ9cQfCj
Threatray 13 similar samples on MalwareBazaar
TLSH T15D549E45B3A910F8E1B38278CC510645E673B8191B65A69F13E0477A9F336D0AE3FF62
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 808880ac8c88a888 (1 x AsyncRAT, 1 x LummaStealer)
Reporter 0xToxin
Tags:exe lumma LummaStealer titanaquaplus-xyz

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
filex.exe
Verdict:
Malicious activity
Analysis date:
2023-09-10 09:55:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a150070f-8f10-4b29-a9a5-dd8e36581a5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447724/
Detection(s):
SecuriteInfo.com.Heuristic.HEUR.AGEN.1363347.211.21999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Launching a process
Creating a file
Query of malicious DNS domain
Sending a TCP request to an infection source
Forced shutdown of a system process
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f378d823-637c-4122-9560-5b4cc63ea7d0
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306830
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-10 09:53:07 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfus35242m23d6sqeyyhzebwpwzkr4v3szidqv3yie2vs6q3ytoa._file
Verdict:
malicious
Similar samples:
1cc7feaee823df0807c49341b9f4f0e58a4c021e8bc974af7bf5eb02fe09731e
LummaStealer
52e03a1176120dd02e9081fc41e9b3edad7ba002e251d6bf1349857f4ef193a2
LummaStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
LummaStealer
70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8
LummaStealer
8770a893bc2ac58f0cdc6fc5c9b1499819215a26fbaf7b0915d3d75fefdae0dc
LummaStealer
8caa206b184827dd7558de412bae56e0cf7bf575bb192a1cdd6781e8e20fb816
LummaStealer
bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
LummaStealer
be532f3c9322f0b96eac8a3f6871e5542f7b3c4760219fb0e94a1b8201ba709e
LummaStealer
c42b0d200c2022fba3332dd1078cf1412ba37eb52bd74acf7edb4672b1d0f330
LummaStealer
ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
LummaStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230910-lwmchsgc26/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Downloads MZ/PE file
Unpacked files
SH256 hash:
c60d4fc0320693354028e5d5409d53457b0a51fa5eb57c27abace621ed2af4a0
MD5 hash:
67e117b7074d60b55998bca419509ea4
SHA1 hash:
4d9ef89eb5c3f57cf8bb8ef8d7759035933c2448
Link:
https://www.unpac.me/results/b45d6b00-8058-4dd3-9439-840eafe48dfc/
SH256 hash:
59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc
MD5 hash:
ed013a65f9f2184b59cfa41e7e4b3dba
SHA1 hash:
03554252ed7f31b9ddc473ec780fc0ef1674cdd9
Link:
https://www.unpac.me/results/b45d6b00-8058-4dd3-9439-840eafe48dfc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59692df75cd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59692df75cd335b1fa5026307c90367db2a8f2bb96503857784135597a1bc4dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447724/

Comments