MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9
SHA3-384 hash: 3a60836341daeb3fb0fd21851c23a192d570f71c29471bc98e44172c38f9cc3121b91a0eadca4a7596ce8dccb2a1ed35
SHA1 hash: 1904a8f85514871157edf7111cba2e92682af03c
MD5 hash: b4c67afbce5715b8bc9c3b652564ee22
humanhash: zebra-whiskey-wolfram-venus
File name:b4c67afbce5715b8bc9c3b652564ee22
Download: download sample
Signature LummaStealer
Create hunting rule
File size:699'672 bytes
First seen:2023-10-30 07:25:17 UTC
Last seen:2023-10-30 09:56:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24474625b01796b3171973a0cb41f62c (1 x LummaStealer)
ssdeep 12288:4D6oYmy0vvcL0xzonhWwnW56viEUrvPiKaTicl80cwenIS93p3qVy4FML:ay0HcLIzMWFjvDPiKaTiclDcwi93MVyH
Threatray 195 similar samples on MalwareBazaar
TLSH T139E4BE64F00786B2FDE650F6F06178974C90AEB21742B9E793D49E1066FF3D01B21A2B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
2fb4f825fe7e8c33bf88366773d31496.exe
Verdict:
Malicious activity
Analysis date:
2023-10-30 10:00:36 UTC
Tags:
sinkhole loader smoke lumma stealer
Link:
https://app.any.run/tasks/b1e7856c-87d1-4448-97be-428c0c112342

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457052/
Detection(s):
PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP POST request
Reading critical registry keys
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/653f5a8a390b22a61e543719/reports/ded1be43-a9e5-4db7-bb45-b33f156aff97/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7e12d70-add9-44df-8f45-89f6d9f6e427
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1334089
Signature
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-30 07:26:05 UTC
File Type:
PE (Exe)
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyyxn5fqfow6krwx46lfvz5hbeuxppspqivnsj7gfztahxud4l4q._file
Verdict:
malicious
Similar samples:
575d4d61e043f68fbc070d178284a2cacfb2ecaa0e352df98382e0fde7495f5f
LummaStealer
84f515bfed1a8fa9f055a9f3bddb3851618ce0b0b940a5d548aadc24c19362bb
LummaStealer
9908463593e6a22247db288d2966051a140a36fc712d5b546a3112ebba6b0483
LummaStealer
a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
LummaStealer
c89400e70500cd0faad8ea9d0c8d3cc2fc58408c1123dd3fbcd02e80d4bbed65
LummaStealer
f8412c9a8d210409888fb0aed2120d12b4be1cb480cf24ed66b13ccbfef6d928
LummaStealer
+ 185 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231030-h9hdyabf8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4d148e7c4eeb0bcceab8791322d54d8520aa8f7ca87c9a3b8b5fe6fbbdc75f84
MD5 hash:
aa10ef62cbdfd93a01e31f2860123b36
SHA1 hash:
5e6c55db3e48ca193ae8250c3e286619ededd46d
Link:
https://www.unpac.me/results/053de3f9-1efd-4565-8b3b-c7c4d1606c28/
SH256 hash:
9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9
MD5 hash:
b4c67afbce5715b8bc9c3b652564ee22
SHA1 hash:
1904a8f85514871157edf7111cba2e92682af03c
Link:
https://www.unpac.me/results/053de3f9-1efd-4565-8b3b-c7c4d1606c28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 9e3176f4b02bade546d7e7965ae7a7092977be4f822ad927e62e6603de83e2f9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726605/
Cape
Cape
https://www.capesandbox.com/analysis/457052/

Comments