MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f
SHA3-384 hash: 6397c8e6811b02e96cd1f86f60de8eadbf723ad1f8c3c25663eed2943ef94439841a484e162415fa66a4eb244fcfa26c
SHA1 hash: e78e5ab21c9eeb9077526a20013bef1e106b2bb5
MD5 hash: 1ad28dad1597eb28ebe2b44dea6f5140
humanhash: xray-football-aspen-lemon
File name:b222.txt
Download: download sample
Signature LummaStealer
Create hunting rule
File size:565 bytes
First seen:2024-10-01 14:19:35 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:4pmo84UxQocoMcM4tXLW7Kmp5Tq2giFPgq+VjMBy9F9:4pmB4oylMt62mp5TRJAVQBeF9
Threatray 2 similar samples on MalwareBazaar
TLSH T118F0C0E2FAA4A226C3F367609BE7250C4365FA1F6865471347DED8F00534B3827A9237
Magika powershell
Reporter aachum
Tags:LummaStealer ps1 txt


Avatar
iamaachum
https://finalstepgetshere.com/uploads/b222.txt

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.BZC.PZQ.Boxter.1073.79AA2F9B.20980.28031.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fce1dc0fdf8887097988e6
Tags:
Shellcode Dropper Stealer
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/66fc0517168559661d514b24/reports/9a867668-cb90-47c8-8d53-031fabd2da41/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.1073
Link:
https://www.hybrid-analysis.com/sample/bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f
Result
Verdict:
MALICIOUS
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1523895
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops large PE files
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523895 Sample: b222.txt.ps1 Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 37 vozmeatillu.shop 2->37 39 stogeneratmns.shop 2->39 41 10 other IPs or domains 2->41 47 Multi AV Scanner detection for domain / URL 2->47 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 8 other signatures 2->53 8 powershell.exe 1 38 2->8         started        12 WinFIG.exe 2->12         started        14 WinFIG.exe 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 31 C:\Users\user\AppData\Roaming\...\WinFIG.exe, PE32 8->31 dropped 63 Powershell uses Background Intelligent Transfer Service (BITS) 8->63 65 Drops large PE files 8->65 67 Loading BitLocker PowerShell Module 8->67 69 Powershell drops PE file 8->69 19 WinFIG.exe 8->19         started        22 conhost.exe 8->22         started        71 Writes to foreign memory regions 12->71 73 Allocates memory in foreign processes 12->73 75 Injects a PE file into a foreign processes 12->75 24 BitLockerToGo.exe 12->24         started        26 BitLockerToGo.exe 14->26         started        33 finalstepgetshere.com 185.255.122.133, 443, 49708, 49709 ICMESE Netherlands 16->33 35 127.0.0.1 unknown unknown 16->35 file6 signatures7 process8 signatures9 55 Writes to foreign memory regions 19->55 57 Allocates memory in foreign processes 19->57 59 Injects a PE file into a foreign processes 19->59 61 LummaC encrypted strings found 19->61 28 BitLockerToGo.exe 19->28         started        process10 dnsIp11 43 gravvitywio.store 104.21.16.12, 443, 49717, 49719 CLOUDFLARENETUS United States 28->43 45 steamcommunity.com 104.102.49.254, 443, 49716, 49718 AKAMAI-ASUS United States 28->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkz5u5jwwql4rfp5wa6n2m35hs5ld2k7reaa6nzcuzqofj2ave7q._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
07eb1f46be05e9fd912dcc5e4e5a9c278a5856e6137fa00b2d0921840dd942fa
LummaStealer
4304cf12a607df22c6bb588e79c597ca0e96e24dc020e84063224eb1c8fa61dd
LummaStealer
error
LummaStealer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 78f6ec9bdda9c44122ae81fd6b0ac6f04e8c68166243dd3c77a7315d158b1c83

LummaStealer

PowerShell (PS) ps1 bab3da7536b417c895fdb03cdd337d3cbab1e95f89000f3722a660e2a740a93f

(this sample)

zip 98096930546353bf9c8fdb90c189285a560bdbf3a1d0d6ee4eebc42c8b35ff43

  
Dropped by
SHA256 78f6ec9bdda9c44122ae81fd6b0ac6f04e8c68166243dd3c77a7315d158b1c83
  
Delivery method
Distributed via web download
  
Dropping
SHA256 98096930546353bf9c8fdb90c189285a560bdbf3a1d0d6ee4eebc42c8b35ff43
  
Dropping
MD5 4bdd611a7ad3d92fd9f92ff7cb82cb26
  
Dropped by
MD5 1168e44d288d2ce3f552e44dfb9ac65f

Comments