MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb
SHA3-384 hash:	c08913b32935e0ba081203f7e5b2b43b26448e82bade8292db3726b7a328d108e9049e877e5d28c491dcbc735cf4c580
SHA1 hash:	a9b3e5707f1288c13385d22c9d6be64025d7ab0c
MD5 hash:	c994796c6c4a3da7e179175be3397c3b
humanhash:	equal-hydrogen-king-oranges
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	616'960 bytes
First seen:	2023-10-13 23:05:58 UTC
Last seen:	2023-10-14 06:40:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	df15d63a937d35e74c72e9f9506c0e04 (2 x LummaStealer, 1 x N-W0rm)
ssdeep	12288:XS+FEwNPpPaOl98cmE82hmNOacl3KAbK:LFIOl98cZXkFYb
Threatray	115 similar samples on MalwareBazaar
TLSH	T1BED4BF60372983B9E444AC36888686771AD4A8AC7F176543F744FF49F7FA0A8871538F
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from https://vk.com/doc52355237_666927601?hash=qO89YZEIWsD35hWjcZ1qzb8IZDWyX1I9i8clfJH9qjo&dl=nt7JouVSFMnzuwvhC6DXx5GyIst3lxKKXPz707d6RP0&api=1&no_preview=1

Intelligence

File Origin

# of uploads :

# of downloads :

320

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-10-13 23:08:49 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/b5cd8bad-2202-446a-8263-b0d2260d0851

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/454226/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.9247.3704.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP POST request

Reading critical registry keys

Sending a custom TCP request

Stealing user critical data

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware xpack

Link:

https://www.filescan.io/uploads/6529cd5b24a90472670a3b31/reports/537009f5-4ed7-43bc-8aeb-db330065f1cd/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LummaC2 Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/562f9040-601b-4ec5-b2d7-a2e748612024

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1325520

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to behave differently if execute on a Russian/Kazak computer

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb

Detection:

lumma

Link:

https://mwdb.cert.pl/sample/78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-13 23:06:05 UTC

File Type:

PE (Exe)

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pdm3xxo5d4nf7jilkss5inetjqljafzwuarirx7yvbjqtlimy3fq._file

Verdict:

malicious

LummaStealer

28533fbb167059524fb63906320201575b19fa3674f03b558a42e18fd7523f3a

LummaStealer

40a32ca3bc74fe4f80e03482b3b1d7bcee014dee822a8299bcfbf48ee8c03f73

LummaStealer

43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f

LummaStealer

55e9b1c3ec5c6d634dcfd03b8456c14b39743f3c2330605c650d22065a0a381b

LummaStealer

5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc

LummaStealer

6bc6b15b89387d9de01d506ca19989f12e22ccdb8013ed94cfe2be54cf60c4f7

LummaStealer

f8412c9a8d210409888fb0aed2120d12b4be1cb480cf24ed66b13ccbfef6d928

LummaStealer

+ 105 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/231013-23dlysgc52/

Behaviour

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

66f5a9d98573892326c28d4a18905de8f3f44d609c8e3ba3e964de5c2d714d19

MD5 hash:

7ac4471bd82380a4fdb414d30beb88c2

SHA1 hash:

bb81a504dd03b8c23c274926e77f901bba15076d

Link:

https://www.unpac.me/results/7ea329b5-0ef0-4243-8753-d2a56775ccea/

SH256 hash:

78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb

MD5 hash:

c994796c6c4a3da7e179175be3397c3b

SHA1 hash:

a9b3e5707f1288c13385d22c9d6be64025d7ab0c

Link:

https://www.unpac.me/results/7ea329b5-0ef0-4243-8753-d2a56775ccea/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/78d9bbdddd1f1a5fa50b54a5d434934c16901736a02288dff8a85309ad0cc6cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/454226/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample