MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a778f6cc3e8d33e55e0f2379ea5923a3314db424118bb9a7e0ba872a645e5bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 12

SHA256 hash: a778f6cc3e8d33e55e0f2379ea5923a3314db424118bb9a7e0ba872a645e5bf9
SHA3-384 hash: a226b40379238d1d15e3bbd1b70238ea1f2fb5585e9f3cadc13b166dad98c5d84cfa40800b264954fcc481c59cd0d895
SHA1 hash: 70f73ed9cc8fe68e35af30c6285b48d076482618
MD5 hash: 3fdf01034335b7ce87b54883a3908621
humanhash: magnesium-east-item-kansas
File name: 3fdf01034335b7ce87b54883a3908621
Signature: LummaStealer
File size: 1'265'152 bytes
First seen: 2023-02-19 12:38:12 UTC
Last seen: 2023-02-19 14:27:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4054baf204a5a03db5bb3059a75fe4c0 (1 x LummaStealer)
ssdeep: 12288:ddcwwEKs4x8FLdLM/deTt5taNuPX66OZU:ddc7Etg8F3Tt5taMOZU
Threatray: 304 similar samples on MalwareBazaar
TLSH: T19B45D001B4C1C433C0B2153109F4E7BA5A7EB9600B6599FF67E41FAE4F703D196726AA
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: zbetcheckin
Tags: 32 exe LummaStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 234
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3fdf01034335b7ce87b54883a3908621
Verdict: Malicious activity
Analysis date: 2023-02-19 12:40:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
  Searching for the window
  Launching a process
  Searching for synchronization primitives
  Launching the default Windows debugger (dwwin.exe)
  Sending a custom TCP request
  Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
  Allocates memory in foreign processes
  Found many strings related to Crypto-Wallets (likely being stolen)
  Injects a PE file into a foreign processes
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses known network protocols on non-standard ports
  Writes to foreign memory regions
Behaviour

Result
Threat name: Win32.Trojan.Cryware
Status: Malicious
First seen: 2023-02-18 01:25:14 UTC
File Type: PE (Exe)
AV detection: 24 of 39 (61.54%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Unpacked files
  SHA256 hash: a778f6cc3e8d33e55e0f2379ea5923a3314db424118bb9a7e0ba872a645e5bf9
  MD5 hash: 3fdf01034335b7ce87b54883a3908621
  SHA1 hash: 70f73ed9cc8fe68e35af30c6285b48d076482618

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: LummaStealer, Executable exe a778f6cc3e8d33e55e0f2379ea5923a3314db424118bb9a7e0ba872a645e5bf9 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-02-19 12:38:16 UTC

url: hxxp://h167471.srv11.test-hf.su/65.exe