MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
SHA3-384 hash: 1ee96726791079acbafc61b7d4719fb880b2ff73eef074b1e2adff89b78cc1d6abad84b5c6b2952216ff79e6cc371c9b
SHA1 hash: b4bedd3e71ef041c399413e6bcdd03db37d80d2f
MD5 hash: a6f75b1e5f8b4265869f7e5bdcaa3314
humanhash: friend-colorado-green-april
File name:a2b67a646410e2cc28d317dcc062ad158f03be2639db5.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'478'144 bytes
First seen:2023-10-16 22:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8012fe0c67d93ad97108363904afaf97 (1 x LummaStealer)
ssdeep 24576:m1W8VSHsqxNkHROM62DbJByw9mgIkBKMAyisV5+n2n3dcCwSl/JRFIvx:W3SMAAlVD+w9RIk0MA1sEOcCbl/Jsx
Threatray 15 similar samples on MalwareBazaar
TLSH T14F65CF1933E840B6C86AC07CC997861BEBF27811176157CF02A4A6BE5F37BE15B39325
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://numpersb.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
0bbaa41eb11fba7a01cd966793dfefaf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 11:22:13 UTC
Tags:
stealer redline amadey botnet trojan opendir loader lumma
Link:
https://app.any.run/tasks/29ef7758-c34e-42af-b50a-53aed81de0d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455046/
Detection(s):
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen5.9465.29630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP POST request
Gathering data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug control greyware keylogger lolbin shell32
Link:
https://www.filescan.io/uploads/652db87b8d16e62970c88914/reports/7a305507-4545-46b1-950a-b40e550d04ce/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfc39802-a729-42b5-80a9-44a4c7d42fed
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326885
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-16 22:26:06 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
17 of 22 (77.27%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uk3huzdecdrmykgtc7omayvncwhqhprghhnv57wjsp6nwoeg3yna._file
Verdict:
malicious
Similar samples:
28533fbb167059524fb63906320201575b19fa3674f03b558a42e18fd7523f3a
LummaStealer
43ffb3408277b409fd9914cd9975298f2a91869377c2721c3c3f4ae2e787af9f
LummaStealer
55377c01fe10fc33588f070e73b274f925351bcdf6e916579b856dc970db34e0
LummaStealer
55e9b1c3ec5c6d634dcfd03b8456c14b39743f3c2330605c650d22065a0a381b
LummaStealer
5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc
LummaStealer
6bc6b15b89387d9de01d506ca19989f12e22ccdb8013ed94cfe2be54cf60c4f7
LummaStealer
cd34667b92f66ea3b0208ca3517a20b4da5742b7b6c18b45ce6ad0325cadfed6
LummaStealer
f8412c9a8d210409888fb0aed2120d12b4be1cb480cf24ed66b13ccbfef6d928
LummaStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/231016-2cg7fshf32/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
4aa8d583491061ab27019ac1958378462bf952affb747fe90ecefd8ebec21d2f
MD5 hash:
1784500a959adcea288b845eccfd7532
SHA1 hash:
54e378552ab0a2626b2435bc1be831913516a851
Link:
https://www.unpac.me/results/6fc75817-4254-4cec-8a00-5f8eb12dbad9/
SH256 hash:
a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a
MD5 hash:
a6f75b1e5f8b4265869f7e5bdcaa3314
SHA1 hash:
b4bedd3e71ef041c399413e6bcdd03db37d80d2f
Link:
https://www.unpac.me/results/6fc75817-4254-4cec-8a00-5f8eb12dbad9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a2b67a646410e2cc28d317dcc062ad158f03be2639db5efec993fcdb3886de1a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/455046/
  
URLhaus
https://urlhaus.abuse.ch/url/2721461/
  
Delivery method
Distributed via web download

Comments