MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8658df5807fec28cf11beaee8a95813a463d50311d5635cd4dfc2b229ea5b5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	b8658df5807fec28cf11beaee8a95813a463d50311d5635cd4dfc2b229ea5b5f
SHA3-384 hash:	dc596f0d38ca1003d281fd53fe9a0362a7ea8107e4b58f91872147cb963739b27e27ea04a0dbebb7c367437295b97609
SHA1 hash:	6a22b9b21fdcadb3925c779fb572ef4d6dfc4a67
MD5 hash:	a96660cb571533b9f7170c6a53f1c777
humanhash:	north-shade-vegan-romeo
File name:	a96660cb571533b9f7170c6a53f1c777.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	346'624 bytes
First seen:	2023-01-12 15:12:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	dc61e0c6faeada0c00413a0a116aa87d (14 x Smoke Loader, 6 x RedLineStealer, 2 x ArkeiStealer)
ssdeep	3072:OXO1mu8BfZdv7550fAcG+bLYGXbU4d9MOYBiSx5xztxNHF8M/WhJshZumGBKmZQs:W4wD7aAcTbXrU4osSxPztPHO6WKpTg
Threatray	141 similar samples on MalwareBazaar
TLSH	T1DA74BEE07291D873D91706318C2ACAF03A7EBC339A646617330466BFAF71395A5E631D
TrID	39.5% (.EXE) InstallShield setup (43053/19/16) 28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 9.6% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	6c7c141484948cc0 (1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a96660cb571533b9f7170c6a53f1c777.exe

Verdict:

Malicious activity

Analysis date:

2023-01-12 15:15:38 UTC

Tags:

installer

Link:

https://app.any.run/tasks/a9a0c3ec-40ab-4f63-a56a-4767b00f7365

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352323/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63c02348d53d23fd7ca4756f/reports/6989b183-e5d1-470c-a775-f1499f74a8fe/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b824409a-c043-46bf-9fc3-5ce900946550

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1150427

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b8658df5807fec28cf11beaee8a95813a463d50311d5635cd4dfc2b229ea5b5f/

Threat name:

Win32.Trojan.IcedID

Status:

Malicious

First seen:

2023-01-12 02:32:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xbsy35map7wcrtyrx2xorkkycosghvidchkwgxgu37blekpklnpq._file

Verdict:

malicious

LummaStealer

3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b

LummaStealer

6513d3ca0604ec33242e2dd8bcabe29fe62cb2acabada15ad959fc6d7cef576f

LummaStealer

7a9f4a82a6d02681b4262765e66177ed7198fed403e768bed1d28987974f8be0

LummaStealer

7bd7346f3ef17dd2c0cc405b6754ddcd7effd90619b94a1715fa90f9a5fea9ac

LummaStealer

b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f

LummaStealer

c516fc3286df7ec543273f5cce533a9d356c56ab014c2d92337ba420712da32c

LummaStealer

c837a63ce5b9c5828fbf262e570947fbdc78ef081411f1cd0f22bd534ef55788

LummaStealer

f00bd21c84342a281c5fbef3687aae86d5062b3f9a5f6480c496a98444001672

LummaStealer

fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e

LummaStealer

+ 131 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230112-sk6eksgd74/

Behaviour

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/57fa7dd6-a1dc-4391-9b37-f7f7f36c14dd

Unpacked files

SH256 hash:

2269b102555426d3a4cb0a3e359bbf03f2a25ccf0aeb30c4d549a769ef5a03a3

MD5 hash:

58b97c22ce79ed06da5b569e92987ace

SHA1 hash:

34f970992b862c6b7db110facecdfcf54b954a05

Link:

https://www.unpac.me/results/b8a5c57a-aff9-4374-8ec5-52cff6d579aa/

SH256 hash:

b8658df5807fec28cf11beaee8a95813a463d50311d5635cd4dfc2b229ea5b5f

MD5 hash:

a96660cb571533b9f7170c6a53f1c777

SHA1 hash:

6a22b9b21fdcadb3925c779fb572ef4d6dfc4a67

Link:

https://www.unpac.me/results/b8a5c57a-aff9-4374-8ec5-52cff6d579aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b8658df5807fec28cf11beaee8a95813a463d50311d5635cd4dfc2b229ea5b5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352323/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample