MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
SHA3-384 hash: 280278857e4dc4c1449356e168d9c301904b55d89affb01f09af2ba47154fb1f3ed4e7edeb91a2301bcad4ea45e23b14
SHA1 hash: aa9d6c94d548765ce8c64c0acd986ac119426b2f
MD5 hash: 98c02979db19eb538ac83e8cd8e83cf9
humanhash: blossom-jersey-may-white
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'598'976 bytes
First seen:2023-10-21 17:01:14 UTC
Last seen:2023-10-21 22:35:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e24778f24214c85de8cd98738af1bd0f (1 x LummaStealer)
ssdeep 49152:2n1EAyUj/jJU+xYMGmLwpflalwYqZwj/:2Hj/dwFdai1Zwj/
Threatray 632 similar samples on MalwareBazaar
TLSH T18D75AE4AA1677D73C4E68EF004598209BCEBF41063089F03BDCC995C769E9DE9C6B61B
TrID 68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 60de9f9b9794a2b0 (1 x LummaStealer)
Reporter andretavare5
Tags:exe LummaStealer


Avatar
andretavare5
Sample downloaded from https://vk.com/doc52355237_667243744?hash=iCeRiYkiIxo74UR6vMM7ozUn1JpsrBw7IbfGz2VZcPH&dl=5beks65AYix10Lidzy5xNVXH2CAHazcymJyQ3uEZ6r0&api=1&no_preview=1#by

Intelligence

File Origin
# of uploads :
13
# of downloads :
334
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-21 17:03:57 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/ad1300f8-d877-4a87-b3b4-5534840a132c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.17309.10868.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8745d99d-3f5f-4ec4-b12e-102263672568
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1329729
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329729 Sample: file.exe Startdate: 21/10/2023 Architecture: WINDOWS Score: 100 35 mambergame.fun 2->35 37 QCKtOdpBqNTFlhqybnxTg.QCKtOdpBqNTFlhqybnxTg 2->37 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Found malware configuration 2->45 47 3 other signatures 2->47 9 file.exe 9 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\44361\Punk, PE32 9->33 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 57 Uses ping.exe to sleep 12->57 59 Drops PE files with a suspicious file extension 12->59 61 Uses ping.exe to check the status of other devices and networks 12->61 15 cmd.exe 1 12->15         started        18 conhost.exe 12->18         started        process8 signatures9 63 Uses ping.exe to sleep 15->63 20 Estimated.pif 12 15->20         started        24 cmd.exe 2 15->24         started        27 cmd.exe 2 15->27         started        29 4 other processes 15->29 process10 dnsIp11 39 mambergame.fun 172.67.222.121, 49738, 49739, 49740 CLOUDFLARENETUS United States 20->39 49 Query firmware table information (likely to detect VMs) 20->49 51 Found many strings related to Crypto-Wallets (likely being stolen) 20->51 53 Found API chain indicative of sandbox detection 20->53 55 2 other signatures 20->55 31 C:\Users\user\AppData\Local\...stimated.pif, PE32 24->31 dropped file12 signatures13
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-21 17:02:06 UTC
File Type:
PE (Exe)
Extracted files:
63
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=teeemnmt42rcer63fcgsszqfdikaunx4oewvwvdkgejoxotlasbq._file
Verdict:
malicious
Similar samples:
315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
LummaStealer
508cea1c4f565ddda81b217dfbc844f69bb00550348bee2cff7caf734811ad82
LummaStealer
5323dc8bea28e435e02e60851888f0bec221a2e89128443f985a3adc1ff12353
LummaStealer
63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
LummaStealer
6f08315a969035d9cca94d594b69eb041e5f302613326c537bd5cd0d471f8b1c
LummaStealer
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
LummaStealer
b4b8d49ce8ac2c756f6d65399e71a15fc46814f4aee055bcc99cbb7d1d50cd88
LummaStealer
c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
LummaStealer
c8c29747de0e8294d559a19e183e9ad6fd4c738a6e99bbf2f46f8dc1a3b7d05b
LummaStealer
fa71d463f30d9188e2d14b957c948dc59d61e2a54f929ebb6d5b607f9219b1f0
LummaStealer
+ 622 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231021-vj4wgaff61/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
9e345b4dffd76ed57d2d7cb6dee4a41720754c4f618e5d277887bf9d94643c13
MD5 hash:
81de325f4586e3f269e079fad4611f07
SHA1 hash:
d749925d25b509ae5b6b2f1c07db796dbabfc46d
Link:
https://www.unpac.me/results/85a5cd9c-2552-4d3a-962f-5f6950426ee0/
SH256 hash:
9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
MD5 hash:
98c02979db19eb538ac83e8cd8e83cf9
SHA1 hash:
aa9d6c94d548765ce8c64c0acd986ac119426b2f
Link:
https://www.unpac.me/results/85a5cd9c-2552-4d3a-962f-5f6950426ee0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments