MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137
SHA3-384 hash: 87391b99de58e6867c780b07d108087cbe51502beab415c592544856f28c4257a13510f1d82cbb08060e80bdd58fa5be
SHA1 hash: ad323601b5ada9b142273189cb63519265427ff1
MD5 hash: 957537119d1d808725d08308b0189a99
humanhash: blue-skylark-juliet-crazy
File name:957537119d1d808725d08308b0189a99
Download: download sample
Signature LummaStealer
Create hunting rule
File size:4'819'456 bytes
First seen:2024-02-02 21:20:48 UTC
Last seen:2024-02-02 23:32:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:N7CfKCu9sD+yw1LviJw5ReL+2QyLG48aSYHtDRPGUHFv/3+iUD0pdSdvDtrm:sfK6RKvieCL+HyqeVbPGoN+iUDgkd
Threatray 1 similar samples on MalwareBazaar
TLSH T19A26C046FF498E56C3AE6F77C2D2401443B1D48B5363F70B2B9923B5190372A7D8E68A
TrID 44.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
34.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0e4e0c08ce6c8cc (1 x LummaStealer)
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474249/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.KLE.gen.Eldorado.27503.11012.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
90%
Tags:
finger lolbin packed remote
Link:
https://www.filescan.io/uploads/65bd5cc00b80a407288e35c2/reports/ae8fb5ad-9745-401c-ac55-ce1fc90c1e83/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4755f4cb-ad2f-487a-a3de-3afa2a133fd7
Result
Threat name:
LummaC, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1385867
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137/
Threat name:
ByteCode-MSIL.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-02-02 21:21:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
499
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppn7edvxiluftxeztwftd4kzadempjk5ct7jhyudzldn3i6kee3q._file
Verdict:
malicious
Similar samples:
7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137
LummaStealer
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:zgrat rat stealer
Link:
https://tria.ge/reports/240202-z7bbaaaabn/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Detect ZGRat V1
Lumma Stealer
ZGRat
Malware Config
C2 Extraction:
https://pavementpreferencewjiao.site/api
Unpacked files
SH256 hash:
0b9898bf338c16fa7444054230a2f1b38016cd4f3823a94768b2fc64ddd2d44a
MD5 hash:
21d91996b245d5338c7c7b8c5ad74246
SHA1 hash:
4b02c12fbf68ce6d232205f2b432c65310b0a44c
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee
MD5 hash:
a6810a5899b5a89ee483c9e94dacb015
SHA1 hash:
c787d081f7534936636b17d94ecee651fd64fdac
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
55d7a8b9bcb013c98a636e1acf721ff76b5e1d8d69905a1c4c5f090627f6b987
MD5 hash:
f48c58e13d507414ecb2ee3b823ab5f1
SHA1 hash:
b464ab35bd9250f23e42df7f08b543e6745a6ddf
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash:
f45c1512d5a47375e6e396b4d1111e58
SHA1 hash:
8af036b8c60d10e85cf82212930bb04bc0553f36
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash:
544cd51a596619b78e9b54b70088307d
SHA1 hash:
4769ddd2dbc1dc44b758964ed0bd231b85880b65
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
ee5d8d19b12e43459490c9c27024416c670a133fc3f1972fc8f24c6f2b80544c
MD5 hash:
2a3d628b8e04f48a8aea26a687cdc545
SHA1 hash:
e44b4764e00b4e3607f226ab0388403ee785e0bd
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
SH256 hash:
7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137
MD5 hash:
957537119d1d808725d08308b0189a99
SHA1 hash:
ad323601b5ada9b142273189cb63519265427ff1
Link:
https://www.unpac.me/results/c1ee8d0d-38b6-4d23-a42e-160177e9a7d7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7bdbf20eb742/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 7bdbf20eb742e859dc999d8b31f15900c8c7a55d14fe93e283cac6dda3ca2137

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2755646/
Cape
Cape
https://www.capesandbox.com/analysis/474249/

Comments


Avatar
zbet commented on 2024-02-02 21:20:50 UTC

url : hxxp://a0915052.xsph.ru/logo2.jpg