MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a1d9383c7b577d320bf352ff6424e571d2687d150619f5a506741d6da29317a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 7



SHA256 hash: 8a1d9383c7b577d320bf352ff6424e571d2687d150619f5a506741d6da29317a
SHA3-384 hash: 1ed93dd4a452506a83e5238752e231b74dc446e75e42a851dd51b41f931226ad50af0ed7547f4cd80391333fe2ea32b3
SHA1 hash: fbe992afb11e862f1a9566dcb7e33dd076b1df2e
MD5 hash: c234ae17876a05f66d44b38451c90332
humanhash: fruit-cola-network-blue
File name: pnk222.zip
Signature: LummaStealer
File size: 15'880'804 bytes
First seen: 2024-09-25 14:13:33 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 393216:0OwdaAZ4LDyTSla8E8GBLzhsWL/4Z7yFg1E5h1Z88kI:KVZwDX0VmWL/4HU8TI
TLSH: T1CDF633F6FD14AECBFE7364994A149547A6F604E63030ACA180A1DAE1F6DF7904CC852B
Magika: zip
Reporter: NDA0E
Tags: LummaStealer Stealc zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 181
Origin country: NL
File Archive Information

This file archive contains 17 file(s), sorted by their relevance:

File name: System.ServiceModel.Channels.ni.dll
File size: 537'088 bytes
SHA256 hash: 7fb6f9151f85a79faa2112d326a78bec73402a2cc4e7b0377f41e23529608e74
MD5 hash: bbda2c1333ffbe47273d9b6e6e5c818f
MIME type: application/x-dosexec
Signature: LummaStealer

File name: nethost.dll
File size: 105'120 bytes
SHA256 hash: 5720b3c57bb17e76abdf44a35e92e1cd41cb1895f826bd8a3310da63823e7636
MD5 hash: 531c002fa808cbb1de1f667ebb5d310e
MIME type: application/x-dosexec
Signature: LummaStealer

File name: VBoxSupLib.dll
File size: 22'928 bytes
SHA256 hash: 34e8bd19a7dd241a1275a3cf77a8a59a7df1fc529f864f92d8548cc7e0429b26
MD5 hash: 9636cd28f536dd3fb438c866f28610a9
MIME type: application/x-dosexec
Signature: LummaStealer

File name: VBoxRT.dll
File size: 7'252'288 bytes
SHA256 hash: ff6299343ba95ba302e15ae06c756f2b1aee26980e8d781f1c1766f2cb432d28
MD5 hash: 9c96fc3d4616816a7655fdba0d3d5722
MIME type: application/x-dosexec
Signature: LummaStealer

File name: AssemblyLoader.dll
File size: 8'704 bytes
SHA256 hash: 1d835eb832151c18c28dcbc03fe7fb7114d5b2f4ad5ce7ab6f4e3634e78ea69d
MD5 hash: 9dce9f18a13691491b2d991f3053b9ff
MIME type: application/x-dosexec
Signature: LummaStealer

File name: System.ServiceModel.Discovery.ni.dll
File size: 1'243'648 bytes
SHA256 hash: 3ce23dc8df3b6972cb5c3e9975e7c6bcc0a9ed5f8f3e9d2d580c3a1eeeabc61a
MD5 hash: ebc2171fd63acdc0ec222479084e34bb
MIME type: application/x-dosexec
Signature: LummaStealer

File name: System.ServiceModel.Activities.ni.dll
File size: 2'310'144 bytes
SHA256 hash: 9ce057afe57add88e0567824ce22c4c7a07e61aaaeaaf4a9cb9ac801f0b829f7
MD5 hash: d830e4d3c5cd997db7adbf25ad3a96a6
MIME type: application/x-dosexec
Signature: LummaStealer

File name: System.ServiceModel.Activities.dll
File size: 561'880 bytes
SHA256 hash: a55b30a8ac1f4b3c36a4a80fbf1386ce8bc46696e414cb72521e8441ff8914ca
MD5 hash: 57af89f049d2bf6149e430eb4aaa9bd4
MIME type: application/x-dosexec
Signature: LummaStealer

File name: System.Security.ni.dll
File size: 983'552 bytes
SHA256 hash: 97377304f73b1ffe687a08d4f535c67653297221072a6d0a8a73b00a54aa8929
MD5 hash: 2629cf47bd635d6b183ebf90caf477d6
MIME type: application/x-dosexec
Signature: LummaStealer

File name: vulkan-1.dll
File size: 718'496 bytes
SHA256 hash: 4d18b4ce03de6fe581f5f003365b39ac1e71d9b7497fc787edf23a7f45361052
MD5 hash: 324aff6c3eb09b8975a40c3bfbab2e64
MIME type: application/x-dosexec
Signature: LummaStealer

File name: System.ServiceModel.Internals.ni.dll
File size: 990'720 bytes
SHA256 hash: 51a595ffbe19e10515a50f01fce9e211783ff6bbfe607fa597bc435b523fb391
MD5 hash: c993aa228a960e5e592f528ae6622305
MIME type: application/x-dosexec
Signature: LummaStealer

File name: VirtualBoxVM.dll
File size: 1'358'560 bytes
SHA256 hash: 787718f9d3b401023535e96c6ab15b42362882579499fc972c8fa225c9741c24
MD5 hash: efb4c42931a04beaba821f7aa42d1db3
MIME type: application/x-dosexec
Signature: LummaStealer

File name: libwinpthread-1.dll
File size: 60'798 bytes
SHA256 hash: cc9ae61e899fdc2f7ff33b20564eeb179788dd921e44d673a80e0db162c706b3
MD5 hash: baecb005bf7e5c22eabe35327426f153
MIME type: application/x-dosexec
Signature: LummaStealer

File name: VBoxSharedClipboard.dll
File size: 69'688 bytes
SHA256 hash: 9fdc76da45016187d325b992b83980227112ba14ed1cb3a2dea8929046163a13
MD5 hash: a802413b13e45c7d526705cbd3974ae5
MIME type: application/x-dosexec
Signature: LummaStealer

File name: VBoxVMM.dll
File size: 5'158'168 bytes
SHA256 hash: ddebdb740915cdb367c3adf61d62f7b9cf1c7535cc8edbb7d80c9b8add055afa
MD5 hash: dbfcdd86bda68ab53d8b50329ef713f5
MIME type: application/x-dosexec
Signature: LummaStealer

File name: vk_swiftshader.dll
File size: 3'426'976 bytes
SHA256 hash: 3e5d7ef83fbd7fb5b8901d15232978bcd0478a60db7b927adbc1535a75bb4cb7
MD5 hash: 43edb274f096f152db2c50e66490dbe6
MIME type: application/x-dosexec
Signature: LummaStealer

File name: DupInOut.exe
File size: 17'898'496 bytes
SHA256 hash: f348d486f4ebab8938d9af964443e23e4129e17ef363c5ecb5796893e28d33bb
MD5 hash: c8f281820b7f0b95d216921def02e2e3
MIME type: application/x-dosexec
Signature: LummaStealer
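Working from the listing above, the following is an added example (not MalwareBazaar's code) of how to check a downloaded sample archive against the published member hashes before anyone extracts it. The DupInOut.exe and nethost.dll records are copied from the listing; the other member names, their contents and the zip itself are constructed for the example, and the fake members are hashed inside the script so that they match. The path check is there because nothing about a sample zip guarantees well-behaved member names.

```python
"""Triage a MalwareBazaar zip sample against its published member listing.

Added example, not MalwareBazaar's code: parse the flattened
"File name: / File size: / SHA256 hash:" records from the entry page, then
walk the zip's central directory with the stdlib zipfile module, hashing each
member as a stream (nothing is extracted to disk or executed) and reporting
matches, hash/size mismatches, unlisted members, absent members and names
that would escape the extraction directory.
"""
import hashlib
import io
import re
import zipfile

RECORD_RE = re.compile(
    r"File name:\s*(?P<name>\S.*?)\s*\n"
    r"File size:\s*(?P<size>[\d']+) bytes\s*\n"
    r"SHA256 hash:\s*(?P<sha256>[0-9a-fA-F]{64})"
)

def parse_listing(text):
    """Return {member name: (size in bytes, sha256)} from the page's listing."""
    return {m["name"]: (int(m["size"].replace("'", "")), m["sha256"].lower())
            for m in RECORD_RE.finditer(text)}

def sha256_member(zf, info, chunk=1 << 20):
    """Stream-hash one member without writing it to disk."""
    h = hashlib.sha256()
    with zf.open(info) as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage_zip(zip_bytes, expected):
    """Compare archive members with the published listing."""
    result = {"match": [], "mismatch": [], "unexpected": [], "missing": [], "unsafe_path": []}
    seen = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.split("/")
            if name.startswith("/") or ".." in parts or "\\" in name:
                result["unsafe_path"].append(name)   # zip-slip style name
                continue
            base = parts[-1]  # the page lists bare file names
            seen.add(base)
            if base not in expected:
                result["unexpected"].append(name)
                continue
            size, digest = expected[base]
            actual = sha256_member(zf, info)
            if actual == digest and info.file_size == size:
                result["match"].append(name)
            else:
                result["mismatch"].append((name, digest, actual))
    result["missing"] = sorted(set(expected) - seen)
    return result

# Constructed members whose hashes are computed here, so they will match.
FAKE_MEMBERS = {
    "AssemblyLoader.dll": b"MZ" + b"\x00" * 62,
    "vulkan-1.dll": b"MZ" + b"\x01" * 30,
}

# Two records copied from the listing on this page. DupInOut.exe goes into
# the constructed zip with placeholder bytes (so it must mismatch);
# nethost.dll is left out of the zip (so it must be reported missing).
PAGE_RECORDS = (
    "File name:DupInOut.exe\nFile size:17'898'496 bytes\n"
    "SHA256 hash: f348d486f4ebab8938d9af964443e23e4129e17ef363c5ecb5796893e28d33bb\n"
    "File name:nethost.dll\nFile size:105'120 bytes\n"
    "SHA256 hash: 5720b3c57bb17e76abdf44a35e92e1cd41cb1895f826bd8a3310da63823e7636\n"
)

def build_listing():
    rows = [f"File name:{n}\nFile size:{len(d)} bytes\n"
            f"SHA256 hash: {hashlib.sha256(d).hexdigest()}\n"
            for n, d in FAKE_MEMBERS.items()]
    return "".join(rows) + PAGE_RECORDS

def build_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, d in FAKE_MEMBERS.items():
            zf.writestr(n, d)
        zf.writestr("DupInOut.exe", b"MZ placeholder, not the real payload")
        zf.writestr("notes/readme.txt", b"not in the published listing")
        zf.writestr("../evil.dll", b"name that would escape the extraction directory")
    return buf.getvalue()

def demo():
    return triage_zip(build_zip(), parse_listing(build_listing()))

if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
```

The listing names one executable and sixteen DLLs, and the listing alone does not say which member carries the stealer; hash-matching first means that anything reported as mismatched, unexpected or unsafe is what gets looked at next, and the real zip never needs to touch a filesystem to get that far.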
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.9%
Tags: Encryption Static Vmdetect Alien

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win64.Spyware.Lummastealer
Status: Suspicious
First seen: 2024-09-23 20:36:38 UTC
File Type: Binary (Archive)
Extracted files: 50
AV detection: 17 of 24 (70.83%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:lumma family:stealc botnet:c1 discovery spyware stealer

Malware Config
C2 Extraction:
http://45.200.149.53
https://racedsuitreow.shop/api

Please note that we are no longer able to provide a coverage score for Virus Total.
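As an added example (not MalwareBazaar's or any vendor's code), the two C2 values extracted above can be turned into a matcher for web-proxy logs. The log format and every log line below are constructed for the example; the subdomain and host-only widening is an assumption about how an analyst would want to broaden the match, not something the page states.

```python
"""Match the C2 indicators extracted above against web-proxy log lines.

Added example, not MalwareBazaar's or any vendor's code. The two C2 values
are the ones listed on this page; the log format and log lines are
constructed for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 values as listed under "Malware Config" on this page.
C2_EXTRACTION = ["http://45.200.149.53", "https://racedsuitreow.shop/api"]

# Constructed log format: "<epoch> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed proxy lines for the demo (not real traffic).
LOG_LINES = [
    "1727273613.101 10.0.0.5 GET https://racedsuitreow.shop/api 200",
    "1727273614.250 10.0.0.5 POST http://45.200.149.53/ 200",
    "1727273615.004 10.0.0.9 GET https://www.example.com/ 200",
    "1727273616.330 10.0.0.7 GET https://cdn.racedsuitreow.shop/update 404",
    "1727273617.000 10.0.0.8 GET http://45.200.149.53:8080/gate 200",
]

def parse_c2(entries):
    """Split each C2 URL into an indicator dict: kind (ip/domain), host, path."""
    out = []
    for raw in entries:
        parts = urlsplit(raw)
        host = parts.hostname
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        out.append({"raw": raw, "kind": kind, "host": host, "path": parts.path or "/"})
    return out

def defang(raw):
    """Defang a URL for reports: http -> hxxp, '.' -> '[.]'."""
    return raw.replace("http", "hxxp").replace(".", "[.]")

def match_log(lines, indicators):
    """Return (line_no, client, indicator, reason) for every line touching a C2 host.

    reason is "exact" when host and path both equal the extracted value and
    "host-only" when just the host (or, for domains, a subdomain) matches.
    """
    by_host = {i["host"]: i for i in indicators}
    domains = [i for i in indicators if i["kind"] == "domain"]
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        host = url.hostname
        if host is None:
            continue
        ind = by_host.get(host)
        if ind is None:
            ind = next((d for d in domains if host.endswith("." + d["host"])), None)
        if ind is None:
            continue
        reason = "exact" if (url.path or "/") == ind["path"] else "host-only"
        hits.append((n, m["src"], ind["raw"], reason))
    return hits

def demo():
    return match_log(LOG_LINES, parse_c2(C2_EXTRACTION))

if __name__ == "__main__":
    for n, src, ind, reason in demo():
        print(f"line {n}: {src} -> {defang(ind)} ({reason})")
```

The bare IP is the weaker of the two indicators: an address can be shared or reassigned, so host-only hits on 45.200.149.53 are leads to pivot on, while an exact hit on racedsuitreow.shop/api is a much stronger signal that the client ran the sample.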

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed, so the list below is shorter than the total number of matching rules.

Rule name: BAZT_B5_NOCEXInvalidStream
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: Borland
Author: malware-lu
Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe
Rule name: Check_OutputDebugStringA_iat
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research
Rule name: GoBinTest
Rule name: GoInjector
Author: NDA0E
Description: Detects Go Injector
Rule name: golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_duffcopy_amd64
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: NETDLLMicrosoft
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: TeslaCryptPackedMalware
Rule name: test_Malaysia
Author: rectifyq
Description: Detects file containing malaysia string
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_shylock_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: Shylock Banker

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
Sample: zip 8a1d9383c7b577d320bf352ff6424e571d2687d150619f5a506741d6da29317a (this sample)

Delivery method
Distributed via web download