MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e
SHA3-384 hash: a5e50d631d1b4bfbc8c41aa7caeedfe5de58fa4c3015f20e1f667daf9099b9527a9d0eed8554fcd659a4366a816d8bab
SHA1 hash: c43b79e1e8cc9713c6b6ba06ce4b6c66a4a34ed1
MD5 hash: d72b40d88f5c7add1775d4170ef20ba3
humanhash: cup-november-spring-low
File name:123.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:107 bytes
First seen:2024-12-25 12:28:28 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:rN6enUOvK+6N6F96Ct+RbqRF4I1yMQRWL7n:Z6es6P6C0IMPy7n
Threatray 2'039 similar samples on MalwareBazaar
TLSH T1ABB012D79614809136D34216166C16D897FD01E897E45317A08346745007822DF23201
Magika txt
Reporter zhuzhu0009
Tags:Loader LummaStealer ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
SG SG
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=676bfa908a4d48ee35ff4543
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin mshta
Link:
https://www.filescan.io/uploads/676bfa92509459c7f804e967/reports/8d87ad33-f176-40a7-b216-6a4c1617d856/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e
Result
Verdict:
UNKNOWN
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1580630
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1580630 Sample: 123.ps1 Startdate: 25/12/2024 Architecture: WINDOWS Score: 100 38 triptrip.melody-wave.shop 2->38 40 senc1.melody-wave.shop 2->40 42 notebookgi.click 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 12 other signatures 2->56 10 powershell.exe 11 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 66 Suspicious powershell command line found 10->66 68 Bypasses PowerShell execution policy 10->68 16 mshta.exe 16 10->16         started        20 conhost.exe 10->20         started        44 127.0.0.1 unknown unknown 13->44 signatures6 process7 dnsIp8 36 triptrip.melody-wave.shop 104.21.90.105, 443, 49704, 49708 CLOUDFLARENETUS United States 16->36 48 Suspicious powershell command line found 16->48 22 powershell.exe 18 16->22         started        signatures9 process10 signatures11 58 Suspicious powershell command line found 22->58 25 powershell.exe 15 16 22->25         started        28 conhost.exe 22->28         started        process12 signatures13 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->60 62 Found suspicious powershell code related to unpacking or dynamic code loading 25->62 64 Injects a PE file into a foreign processes 25->64 30 powershell.exe 25->30         started        34 conhost.exe 25->34         started        process14 dnsIp15 46 notebookgi.click 172.67.150.185, 443, 49861, 49867 CLOUDFLARENETUS United States 30->46 70 Query firmware table information (likely to detect VMs) 30->70 72 Tries to harvest and steal ftp login credentials 30->72 74 Tries to harvest and steal browser information (history, passwords, etc) 30->74 76 Tries to steal Crypto Currency Wallets 30->76 signatures16
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uchh2xzdxuelijeiylrxcefb2lgjgooed56xkz5osw65i2oadopa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
076f67998eb166f04df31870cefaa7eaf95fb595c4c278c4a787b99d633a0860
LummaStealer
11d025152433189799f82de6b428f5ceb8ddb47573a38d51c267d48b891d498e
LummaStealer
3b25248589efb10b13aa8a65adcbfe667f6cdddf96c3522dd7565d4899b0b1f5
LummaStealer
3fa4ae4ae197fa29bb3b99af1b7b786fc125d4d6248e2198570332c67c120a53
LummaStealer
4845ac2d2543364cd82f45093c27f5bf4275829ecfa0ad111f317facda7bd45f
LummaStealer
80b80e15f605f0b8740e1989e505280394d746e8a8ee37cdb9b009d745e42da0
LummaStealer
aa43b00f0dd6b8af4c0873667834c27379aeae99cd97cae41b5535422730f67a
LummaStealer
ccacaf0bd975ea2b7cb9e03986419ef04947ed39bfe3b18bae3577a3890ddada
LummaStealer
error
LummaStealer
f4062ce594210669e953bbb5d0371e320c834ac63b8e308a709206fe25e9aea6
LummaStealer
+ 2'029 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/241225-pnw4jaspht/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://triptrip.melody-wave.shop/re2.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a08e7d5f23bd08b42488c2e37110a1d2cc9339c41f7d7567ae95bdd469c01b9e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/ad570ad2-ccdd-401f-9e83-5b23b551d3f2

Comments