MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84
SHA3-384 hash: df2191d443894ade487052f52ff63603856a27afdbcf60881bdffe78fdd09cc40621e3920dc6ff18e4daec189f95c42a
SHA1 hash: 48357a59c84c8976b87c35ff76d916c4a6c64596
MD5 hash: 2f17f726e2068521a858d0caa2f0a1a0
humanhash: mississippi-oranges-happy-magnesium
File name:SecuriteInfo.com.Win32.PWSX-gen.12957.3029
Download: download sample
Signature LummaStealer
Create hunting rule
File size:7'305'216 bytes
First seen:2025-02-25 17:05:44 UTC
Last seen:2025-02-25 17:33:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76e0abc5c135fccfefff5d32b453ca5 (3 x LummaStealer)
ssdeep 98304:u3q5LCgVvaeHUjftxbAXOANfXmBq/cx9ICsJ59j8sImds54b330FcaUC5hHSgbC+:Hj+KwQW
Threatray 1 similar samples on MalwareBazaar
TLSH T16E7661919927E081D9F3B87F52A173A584751CFA4B113C33B74E2628EC311E9D6CBB29
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 000e160e162f2b00 (1 x LummaStealer)
Reporter SecuriteInfoCom
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
528
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
meterpreter
Create hunting rule
ID:
1
File name:
4363463463464363463463463.zip
Verdict:
Malicious activity
Analysis date:
2025-02-25 15:15:55 UTC
Tags:
arch-exec loader opendir delphi xred backdoor auto generic stealer lumma meterpreter amadey botnet github redline vidar telegram stealc evasion payload asyncrat python rat dcrat remote darkcrystal xworm quasarrat miner exfiltration credentialflusher phorpiex gcleaner hausbomber rhadamanthys njrat bladabindi quasar pastebin discord danabot omani umbralstealer susp-powershell rustystealer cryptbot rdp netreactor
Link:
https://app.any.run/tasks/ca9aff22-8d6e-4a03-85a8-21cf103bb882

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.12957.3029.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdf90628ab76d43a5d14d9
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/67bdf8843afc3763bec62b3e/reports/65381da8-e55a-460e-a24e-3fb1c42fe3ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AtlasAgent
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f89f4e18-1610-440d-8180-eb71092a2a05
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1623951
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-02-25 17:06:18 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdp27api3foyqpiskvokvi4kanghesy73z3kao3eca6mm45elwca._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84
LummaStealer
error
LummaStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250225-vmjdyaxr17/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Checks installed software on the system
Reads user/profile data of local email clients
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/738d16ce-3bee-4d19-b7cd-07ca29f3e57c
Unpacked files
SH256 hash:
98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84
MD5 hash:
2f17f726e2068521a858d0caa2f0a1a0
SHA1 hash:
48357a59c84c8976b87c35ff76d916c4a6c64596
Link:
https://www.unpac.me/results/0c584165-08de-4783-97de-1d094300162f/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98dfaf81e8d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 98dfaf81e8d95d883d12555caaa38a034c724b1fde76a03b64103cc673a45d84

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452042/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetCommandLineA

Comments