MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477
SHA3-384 hash: ef5efbb6554eeed83607c346daca56fbb5b40cde06ccf48761ad8d2d4580fe043f4d22d95f544d1cb31699a885dd29f7
SHA1 hash: 660efc4ff78c4935b05879c7af349f091f329729
MD5 hash: 5573bd69ffc990125dcab7097da6f00c
humanhash: blossom-muppet-item-green
File name:human-verify.b-cdn.net.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:131 bytes
First seen:2024-08-26 17:17:38 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:VSJJLNyAmarBO/tmt55akqizkVkoTMRk8nbPROkJ+NO2osk:snyuk854kqizkVkiQfOkUVxk
TLSH T11BC09218953D294D03DAE9710C781D4B2587CB3A9BB8237AFE8520C86D61289F316748
Magika txt
Reporter aachum
Tags:ps1


Avatar
iamaachum
https://human-verify.b-cdn.net/verify-captcha-v1.html

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ccb8d1b2a4681a7296a9ab
Tags:
Encryption Execution Generic Infostealer Stealth
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin lolbin masquerade mshta powershell shell32
Link:
https://www.filescan.io/uploads/66ccb8cdeb26ed7f73c4cdb7/reports/04bab00f-b948-49dc-abca-3ae1619e2892/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader/PS.Agent
Link:
https://www.hybrid-analysis.com/sample/a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499234
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499234 Sample: human-verify.b-cdn.net.ps1 Startdate: 26/08/2024 Architecture: WINDOWS Score: 100 48 onionoowzwqm.shop 2->48 50 locatedblsoqp.shop 2->50 52 bidvertiser.b-cdn.net 2->52 60 Suricata IDS alerts for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 5 other signatures 2->66 11 powershell.exe 11 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 72 Encrypted powershell cmdline option found 11->72 74 Powershell drops PE file 11->74 17 powershell.exe 7 11->17         started        19 conhost.exe 11->19         started        58 127.0.0.1 unknown unknown 14->58 signatures6 process7 process8 21 mshta.exe 16 17->21         started        dnsIp9 56 bidvertiser.b-cdn.net 185.59.220.198, 443, 49699, 49708 CDN77GB United Kingdom 21->56 38 C:\Users\user\AppData\Local\...\bidv[1], PE32 21->38 dropped 68 Suspicious powershell command line found 21->68 70 Very long command line found 21->70 26 powershell.exe 14 40 21->26         started        file10 signatures11 process12 file13 40 C:\Users\user\AppData\...\PrintConfig.dll, PE32+ 26->40 dropped 42 C:\Users\user\...\PresentationUI.ni.dll, MS-DOS 26->42 dropped 44 C:\Users\user\AppData\...\PresentationUI.dll, PE32 26->44 dropped 46 9 other files (8 malicious) 26->46 dropped 76 Loading BitLocker PowerShell Module 26->76 30 0OfficeSuite Premium.exe 26->30         started        33 conhost.exe 26->33         started        signatures14 process15 signatures16 78 Writes to foreign memory regions 30->78 80 Allocates memory in foreign processes 30->80 82 Injects a PE file into a foreign processes 30->82 84 LummaC encrypted strings found 30->84 35 BitLockerToGo.exe 30->35         started        process17 dnsIp18 54 onionoowzwqm.shop 188.114.96.3, 443, 49725, 49726 CLOUDFLARENETUS European Union 35->54
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugcg5d4ff2r5xsky7xondkhyutbirdr6d5lahwfzl2obrl7jar3q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/240826-vt9vgaxblm/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
https://bidvertiser.b-cdn.net/bidv
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 a1846e8f852ea3dbc958fddcd1a8f8a4c2888e3e1f5603d8b95e9c18afe90477

(this sample)

LummaStealer

Executable exe 537cf4c7a0688ea50090c6da3856aac3209b3e4ce3a446b46bec798930e4ab93

LummaStealer

Executable exe 174124a205687b4b9fc490fb15a8028ffdd7ecb1096d8251001f98eeaecdbedb

  
Link
https://tria.ge/240826-vjfhwavelf
  
Dropping
IDATDropper
  
Delivery method
Distributed via web download
  
Dropping
SHA256 174124a205687b4b9fc490fb15a8028ffdd7ecb1096d8251001f98eeaecdbedb
  
Dropping
MD5 ce1e2d9b81faa9bb57bc6813544c89db

Comments