MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5
SHA3-384 hash: 1784e8b492346653df85ae30064b7bd72a34267af08ebd21c11207f2b7fbdd2f849cc8bb81302075adf2337ee85bf978
SHA1 hash: 7f5e8af401b1a3adeddacf7c94acba89130b3407
MD5 hash: f7181e485d0bc7cd60c3bd41ec47a038
humanhash: emma-magnesium-batman-minnesota
File name:f7181e485d0bc7cd60c3bd41ec47a038.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:741 bytes
First seen:2025-01-06 06:57:20 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:G1xHeqyUVPB1eVM1t2IfVPtwOZIsUYYJy7GAWz/Iy4MhTOA6leRGFVmgEWTJ0zm7:GuEBIVMJBtIp0iJz/HZolkGFVmgEeJj7
Threatray 21 similar samples on MalwareBazaar
TLSH T190011504C7165313C271978D6713DA2BE80EC04C0111AC7D768F3C0D77A15918DF57EA
Magika powershell
Reporter abuse_ch
Tags:LummaStealer ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677b7fcfc029bd73f283d8db
Tags:
autorun virus shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
persistence
Link:
https://www.filescan.io/uploads/677b7f06a34620f112e34de3/reports/056fc1c7-ec70-4640-8edb-ac79347cd8a6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5
Result
Verdict:
UNKNOWN
Result
Threat name:
DcRat, KeyLogger, StormKitty, Strela Ste
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1584679
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Found malicious URL file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Powerup Write Hijack DLL
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected Strela Stealer
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1584679 Sample: CKi4EZWZsC.ps1 Startdate: 06/01/2025 Architecture: WINDOWS Score: 100 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 20 other signatures 2->60 9 powershell.exe 14 21 2->9         started        process3 dnsIp4 50 147.45.44.131, 49704, 49705, 49706 FREE-NET-ASFREEnetEU Russian Federation 9->50 44 C:\Windows\Temp\Package.bat, Unicode 9->44 dropped 46 C:\Users\user\AppData\...\DeleteApp.url, MS 9->46 dropped 72 Found many strings related to Crypto-Wallets (likely being stolen) 9->72 74 Suspicious execution chain found 9->74 76 Compiles code for process injection (via .Net compiler) 9->76 14 cmd.exe 1 9->14         started        17 conhost.exe 9->17         started        file5 signatures6 process7 signatures8 78 Suspicious powershell command line found 14->78 80 Bypasses PowerShell execution policy 14->80 19 powershell.exe 35 14->19         started        23 cmd.exe 1 14->23         started        process9 file10 40 C:\Users\user\AppData\...\ivm1acbc.cmdline, Unicode 19->40 dropped 42 C:\Users\user\AppData\Local\...\ivm1acbc.0.cs, Unicode 19->42 dropped 62 Found many strings related to Crypto-Wallets (likely being stolen) 19->62 64 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->64 66 Writes to foreign memory regions 19->66 68 Injects a PE file into a foreign processes 19->68 25 RegAsm.exe 19->25         started        28 RegAsm.exe 1 3 19->28         started        31 csc.exe 3 19->31         started        36 3 other processes 19->36 34 curl.exe 1 23->34         started        signatures11 process12 dnsIp13 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->70 52 157.20.182.177, 4449, 49707 FCNUniversityPublicCorporationOsakaJP unknown 28->52 48 C:\Users\user\AppData\Local\...\ivm1acbc.dll, PE32 31->48 dropped 38 cvtres.exe 1 31->38         started        file14 signatures15 process16
Score:
81%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mftgnwnwbuoccg3w7lesozi6qln6t7cnmljjnn7flfikwvwn6ksq._file
Verdict:
malicious
Label(s):
stormkitty
Create hunting rule
asyncrat
Create hunting rule
Similar samples:
2b07a75b74b701d95f6957416959df359f441e7455e933913208891f05c6c9e5
LummaStealer
5605af6e3cba4057057a8cc765f94d1112d1a147171e056b1bdfcc3b38a056f0
LummaStealer
5d8b55532cda3855a8211e70366648a22ef5193dd36931fa61e3393290c2ada9
LummaStealer
5e8a676a5b37f85a09339873a139a73268662b1c0bfe94d764bbfffec60ea196
LummaStealer
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68
LummaStealer
ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
LummaStealer
e0cc614e2c756bfe9eb3773daa8d6c0ac66a2902826f5ccbd94113e3ff69e3db
LummaStealer
error
LummaStealer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250106-hrg1fssjbk/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Methodology_Suspicious_Shortcut_Local_URL
Create hunting rule
Author:@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Description:Detects local script usage for .URL persistence
Reference:https://twitter.com/cglyer/status/1176184798248919044

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 616666d9b60d1c211b76fac927651e82dbe9fc4d62d296b7e55950ab56cdf2a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3390146/
  
Delivery method
Distributed via web download

Comments