MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184
SHA3-384 hash: a4aabb5200359105b152d6a5675ec3e525be083be3c8c8de9222e720dc334113780c5013a2b12cc49d042f5c5c8aea32
SHA1 hash: d3fee70345495a32d6b88acb67532651d57d8119
MD5 hash: 2b95776482de7a9fb20247533dd93e66
humanhash: red-november-ceiling-eighteen
File name:2b95776482de7a9fb20247533dd93e66.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:488'960 bytes
First seen:2023-10-10 15:55:36 UTC
Last seen:2023-10-10 16:34:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d13adfb2207c0a29448d597efdca439d (2 x LummaStealer)
ssdeep 12288:nh30hEYRHB30pGmVWLpni0bUvW+tVfFwNuHUN:n+nF0omVWBaW+tV+Gu
Threatray 140 similar samples on MalwareBazaar
TLSH T115A4AE10B9E280F2D873253105B4E7BA9A387A31CA748DCFFBC44D7C9A36690A71575E
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://oxygendwelli.fun/api

Intelligence

File Origin
# of uploads :
2
# of downloads :
329
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b95776482de7a9fb20247533dd93e66.exe
Verdict:
No threats detected
Analysis date:
2023-10-10 16:07:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1149e4bb-6350-420c-ab43-89b0750651ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452930/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.22686.6762.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
TrojanS.B0C35B51
Link:
https://www.hybrid-analysis.com/sample/5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc2c1bc0-1484-4365-8214-2e039ff96947
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1323071
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-07 06:48:21 UTC
File Type:
PE (Exe)
AV detection:
20 of 23 (86.96%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=llzgzswejgrzrkjqcxa5povbdzhvxmuzd4vvw5bncsaosaw3ggca._file
Verdict:
malicious
Similar samples:
65a68201d9709f5f3d07fe60b0b693983e2480197b6d9f570b6e78e49deade24
LummaStealer
730f92cf3c550adcb289a67300715508b58a8b8747a9c6997e7b5233bcdebb5a
LummaStealer
75d7d46ed7d193c249f6f1d7e309b6986f1303e772599d90d65467b4a7d5f80a
LummaStealer
92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea
LummaStealer
9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d
LummaStealer
bec28def672957143374413ca61cc8bc072551e0547d9597de026f2592b562fc
LummaStealer
c6f86c6f03bb9a5d62a0989fb6d3bc1f69b8bd023e2346fe4425ddddaa77e418
LummaStealer
dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187
LummaStealer
+ 130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231010-tdbr3agd33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
5af26ccac449a398a93015c1d7baa11e4f5bb2991f2b5b742d1480e902db3184
MD5 hash:
2b95776482de7a9fb20247533dd93e66
SHA1 hash:
d3fee70345495a32d6b88acb67532651d57d8119
Detections:
win_lumma_auto
Create hunting rule
Link:
https://www.unpac.me/results/cbb9edfe-95ed-4101-b477-6782d1e98809/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/452930/

Comments