MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 8 File information Comments

SHA256 hash:	6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952
SHA3-384 hash:	00a8aad55f4271551cf7f8815d6f6f323868c0f79a70ef98b0d07710fee456c7bd1799ee50ade170513f131d6027a1c7
SHA1 hash:	051048f5f47c4c7084489568030392a19cf3096e
MD5 hash:	cf89f381974036bc6449e8a23cd672f8
humanhash:	avocado-victor-apart-yellow
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	715'072 bytes
First seen:	2023-09-15 03:49:11 UTC
Last seen:	2023-09-18 07:58:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	efed4091e3b9498715ec3123c7762889 (1 x LummaStealer, 1 x RedLineStealer)
ssdeep	12288:DeKsv2niKr0g/J0N5m/5VAnSQOSumLjc+583Oq1glT7gJq1M3dD5Fr1FmaA47Hg2:De9vTE015iVCucjc+uN1glT7gJq1M3dD
Threatray	94 similar samples on MalwareBazaar
TLSH	T1F3E4CF077F9F50F0D432253325E786E156AAE371AE54D8B753C80B198DBC4836E2BDA2
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from https://vk.com/doc17799268_667404777?hash=gCdUUMZKmv0VfNHMAzQmhacNPd9ZT94o2GleJVQt3jz&dl=ycUvAQlhSMrz3kskQDiIqpHcvQyai8hpt3Y2lk0y0r4&api=1&no_preview=1#delux

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-15 03:50:50 UTC

Tags:

lumma

Link:

https://app.any.run/tasks/e0f597b4-ca78-41b5-9255-120eb69b4346

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/448738/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.894.7506.UNOFFICIAL

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6503d46b25e2ece4df6ecfbd/reports/e552f1cc-5fcf-4a14-a684-fd9dfbf72fa2/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a74cca7b-5327-47d5-abd2-938df2ed9966

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1308692

Signature

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-09-15 03:50:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 22 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mmumi72sklcdwanj2luqc5f5w2aj6cmqgxyijqn463ytepyadfja._file

Verdict:

malicious

LummaStealer

28df5a3859116ee3aaad8c0a17425549d52d69d10cc06dac0dfaee8d874c9267

LummaStealer

4dc5588ac49fa183824ab585b69a491fd45d1d3b2b01f052adc5062b356e7434

LummaStealer

8a77b510d0699fa9c6f656f1129e4dd9a1b3c28f0a90d54a28cdaf8a9a39924f

LummaStealer

a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5

LummaStealer

d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

LummaStealer

f561a2851020a8f0473104f4c4123c9730710c0fb6faf6cfcdd926694960374d

LummaStealer

+ 84 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/230915-edxxzagf2s/

Unpacked files

SH256 hash:

55853d9cf7458ff3a3ceaab7ba07f348213a1db2893e2d8c1ae2c3a64b256d9b

MD5 hash:

50cccfef1de7149b31077443a275fb55

SHA1 hash:

04506b0b6eaf5d7965c0407c2d782b2fc6f5e06d

Link:

https://www.unpac.me/results/ddb3da75-19e5-4aec-8ca4-f15ffb3de33c/

SH256 hash:

6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952

MD5 hash:

cf89f381974036bc6449e8a23cd672f8

SHA1 hash:

051048f5f47c4c7084489568030392a19cf3096e

Link:

https://www.unpac.me/results/ddb3da75-19e5-4aec-8ca4-f15ffb3de33c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6328c47f5252/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6328c47f5252c43b01a9d2e90174bdb6809f099035f084c1bcf6f1323f001952

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/448738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample