MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4d20704a829164ce29a889159964ce47eeeefa8b96d07e6ea4aca0f2a1be7e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4d20704a829164ce29a889159964ce47eeeefa8b96d07e6ea4aca0f2a1be7e9
SHA3-384 hash: d2876cb308aad2234fb1c2726c5b52485f43c69e4ac6f9d15eccf7afc8d85936a40ff2dbfb9f93fd8229eac72309056e
SHA1 hash: 5f62db5603b5f5b94c60df316e6e4b4f7496c3a0
MD5 hash: 8760f349093248f3bdccf42dd3ae0e7b
humanhash: solar-apart-twelve-harry
File name:3.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:514'616 bytes
First seen:2025-01-17 08:17:51 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6144:U2s1zAOok9Y3sOGnuerPkwo67g3Lk7pyFV50GuGdtqphBddqyIFr2JdyPrnxiNHM:Ul1fOXZQuAbw6465ajImdALqpvfsifPl
Threatray 91 similar samples on MalwareBazaar
TLSH T14DB48D3141077CAE3BAA2EDAA8006DC10C9D39977704D150BE89927672BE1375FAD9FC
Magika powershell
Reporter JAMESWT_WT
Tags:62-122-184-98 booking LummaStealer ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Obfus-9.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=678a123daa9c8e7858df1fdd
Tags:
virus spawn sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex evasive fingerprint ipconfig net obfuscated
Link:
https://www.filescan.io/uploads/678a1240b8fb56a392b98143/reports/dfb75ec7-e7da-4b3b-9597-9adee8a25c9a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c4d20704a829164ce29a889159964ce47eeeefa8b96d07e6ea4aca0f2a1be7e9
Result
Verdict:
MALICIOUS
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1593507
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c4d20704a829164ce29a889159964ce47eeeefa8b96d07e6ea4aca0f2a1be7e9
Detection:
lumma
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4d20704a829164ce29a889159964ce47eeeefa8b96d07e6ea4aca0f2a1be7e9/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2024-12-25 01:42:57 UTC
File Type:
Text (PowerShell)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytjaobfifelezyu2rcivtfsm4r7o535ixfwqpzxkjlfa6kq347uq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
09bae49e2d08d3316490b621a37fa44ec46eb894133664fffb2b6202e7364c94
LummaStealer
174076f434b961ea67df0480e823246754faed86eb69b37dd49d7774dde0113d
LummaStealer
2f01809f78d096e770544c434b5bb63b3a0461559f7dd98a25a04bf66c8784f4
LummaStealer
7d25ec756bbb5bec2e48dd71255de460789057b354de9dfcf6fce4ee2563d3da
LummaStealer
c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
LummaStealer
d9f50f7ece15d4decb568deb5afa024dee677bfb436408ea2fdf3297415d6978
LummaStealer
error
LummaStealer
+ 81 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution stealer
Link:
https://tria.ge/reports/250117-j6958aykbs/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments