MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8
SHA3-384 hash: 1b90b6345f6b98918a4cef89a028fd88977f7b94b79df5b00f1b77433d5113fa0143cb91ecdf48b6fb83f82b965facd8
SHA1 hash: ba2bfa2372bac5be90e5d0f9c921911987a94a8e
MD5 hash: 0fde2003e0481984e8a475d3a7e18f98
humanhash: enemy-saturn-summer-jig
File name:0fde2003e0481984e8a475d3a7e18f98.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'799'705 bytes
First seen:2023-09-06 21:36:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:tLOARaX/tvWDucM5CwuZ7tO2mof0sSI8Tujr6FsbQ:tLOqaPkDucoufsrlPaOabQ
Threatray 356 similar samples on MalwareBazaar
TLSH T157D53A103F158694E8485573C1DA41644BEAECD71BA2E35B6BE936EC29313D63C8E8CF
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 68e0b8b0e888c4b0 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
None C2:
http://grossvp.xyz/c2conf

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0fde2003e0481984e8a475d3a7e18f98.exe
Verdict:
No threats detected
Analysis date:
2023-09-06 21:39:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/386a9ace-ef33-4494-b040-1b75483ebc59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446754/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.28316.32426.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Reading critical registry keys
Creating a file
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay
Link:
https://www.filescan.io/uploads/64f8f0ff6048ca9283161d0d/reports/8f0b02e5-f343-4ca6-baae-23aabce07404/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/abe42f6f-fd14-46e8-9d12-2a8a5fc9a7cc
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1304756
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8/
Threat name:
ByteCode-MSIL.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 11:28:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
85
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=odan76xpf3si6drjne44xqofpaxxkprj3aqnnnnkzcyk67jw6sua._file
Verdict:
malicious
Similar samples:
1c0eb090ad769cdd943476e9300d57e553ad24f099408334b8c0370ee9bb7648
LummaStealer
4a78da86088eed90bd838d99d1afd5ceaca6c9c521be450639670f6d06a7fe77
LummaStealer
585c6f4a346365aeaf83f0f72be43074b98a360e4458c8b1e81f55ce55d1067c
LummaStealer
6936a56efd4d51f236841a94f58686ad099773e0adbef02561cda498347181f4
LummaStealer
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
LummaStealer
8bc03680f98a99ea21d78a4a132be678f848a7209efa0656123745fba54fae03
LummaStealer
9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc
LummaStealer
9fbdcf044aba61ae6c0678b5f83fc4bd8b589ba3a4fd12a5bef53e2ead494eed
LummaStealer
ed190afc14d4389527347867538df5949d132ce9d5da7c323e8812b08c0242be
LummaStealer
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
LummaStealer
+ 346 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware
Link:
https://tria.ge/reports/230906-1gfzhscb36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unpacked files
SH256 hash:
9d7b26554a8056dcfc1e42a1643c526cbc9dc1a4e9e5c5f7d67d0e5ae5ecad16
MD5 hash:
221ae11fe403214bb622239e167da338
SHA1 hash:
e4aa8feaad11d000d4aa78c1e8f73b66a846db6b
Link:
https://www.unpac.me/results/b164df1f-3888-42d9-900e-caea6fe9bfa2/
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/b164df1f-3888-42d9-900e-caea6fe9bfa2/
SH256 hash:
9d7b26554a8056dcfc1e42a1643c526cbc9dc1a4e9e5c5f7d67d0e5ae5ecad16
MD5 hash:
221ae11fe403214bb622239e167da338
SHA1 hash:
e4aa8feaad11d000d4aa78c1e8f73b66a846db6b
Link:
https://www.unpac.me/results/b164df1f-3888-42d9-900e-caea6fe9bfa2/
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/b164df1f-3888-42d9-900e-caea6fe9bfa2/
SH256 hash:
70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8
MD5 hash:
0fde2003e0481984e8a475d3a7e18f98
SHA1 hash:
ba2bfa2372bac5be90e5d0f9c921911987a94a8e
Link:
https://www.unpac.me/results/b164df1f-3888-42d9-900e-caea6fe9bfa2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/70c0dffaef2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/70c0dffaef2ee48f0e296939cbc1c5782f753e29d820d6b5aac8b0af7d36f4a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446754/

Comments