MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c
SHA3-384 hash: 98114a1e0a556dd4b535396c74153f6cf2e30a669594d9b64b27ada1a34a2b2eb7bcba3c73f969b1e94d983a27b07976
SHA1 hash: 6029ea950091d269d9626343a8defefd1b6c5c1c
MD5 hash: ffc87cf5de85e0a6a3941bc91780d928
humanhash: mexico-video-golf-cardinal
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'009'088 bytes
First seen:2023-03-23 13:02:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:XKcEqlms7r6WKt3iS/rmEPM/u0iEV9IHuxJxruCD:66lms3a3iS/rmOMVVqHuvYCD
Threatray 1'224 similar samples on MalwareBazaar
TLSH T12A95EF37695AC997C11BD371B3839124222DBEC51B279D076AF63387FA2039E3E4C265
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon a1e8e8e68a8eccfc (1 x LummaStealer)
Reporter jstrosch
Tags:.NET exe LummaStealer MSIL X64

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-23 13:04:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/86f997bd-3736-44de-a0b6-8ea54db4ba1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376842/
Detection(s):
Win.Trojan.NanoCore-9993885-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP POST request
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641c4e066ed02dd52de51ab0/reports/db812b67-85f7-4498-ba06-b11b75a09b08/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9230e3e0-6737-455e-8fcf-3b6eafde1f09
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200706
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c/
Threat name:
Win64.Trojan.BadNetLdr
Create hunting rule
Status:
Malicious
First seen:
2023-03-23 13:03:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
26
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vx5zvffbmijacwpswslp6rz64facj4sbslgbht47qkn3vzweai6a._file
Verdict:
malicious
Similar samples:
357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
LummaStealer
36ce3b9ec0b50fcc219b1f1272363b8d3542b4afc3229e0251f58d9b27fb74e1
LummaStealer
3bafde54ba687060ac7b17a4d377f368d27cf7c21fb369915065ee4995d2c01e
LummaStealer
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
LummaStealer
66f670897647771d09ce1aa90e62b72aaa02ef22461d1fae042a52520abad20d
LummaStealer
836907bfb58ca905abe606873a4a8e761d6b2573fbe61d1289d8ddb4188fc238
LummaStealer
914e09b5e1bee2e3bbb2d77f8fae1a8069f67b887f6abf9c5785e9fc5e39dd1c
LummaStealer
a0bf8575052b720932ab96605b4622a07453b1ace7cd73a8f262ca3e7fa7317a
LummaStealer
ac02c4ea63c245d101b1aab06ff98f44aafab1e43c0194d1deab13fcf2a69279
LummaStealer
c0e2de257b40366c2e97a6c4a074d18a49a8ade3037632cd754489d26198dbd3
LummaStealer
+ 1'214 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma spyware stealer
Link:
https://tria.ge/reports/230323-qaccmshf9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Lumma Stealer
Unpacked files
SH256 hash:
adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c
MD5 hash:
ffc87cf5de85e0a6a3941bc91780d928
SHA1 hash:
6029ea950091d269d9626343a8defefd1b6c5c1c
Link:
https://www.unpac.me/results/b9b9b818-99ab-4a23-8a42-8379db1a37d4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/adfb9a94a162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/376842/

Comments