MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd34667b92f66ea3b0208ca3517a20b4da5742b7b6c18b45ce6ad0325cadfed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14



SHA256 hash: cd34667b92f66ea3b0208ca3517a20b4da5742b7b6c18b45ce6ad0325cadfed6
SHA3-384 hash: a1b839098ac49a075c4f9e780ac57c5db23321ff61903e8fa2e121eb43c87d593efef8ee5b245ed88dfd06f24850611c
SHA1 hash: 8e9e9b266bd5778f8585b4f30dff88b11f2f71e2
MD5 hash: 913bf0127da60c2512d681af2ea0529d
humanhash: fourteen-ack-september-november
File name: 913BF0127DA60C2512D681AF2EA0529D.exe
Signature: LummaStealer
File size: 3'740'672 bytes
First seen: 2023-10-16 20:35:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:PmLKV3ENxJ3PXd1mlkD4oGJD+U5+HA+YSXxwjwTFa4m/VCTonwFs7GiGq:P0Jfd1B4ou+U5+graSccXOoys7r
Threatray: 78 similar samples on MalwareBazaar
TLSH: T12F069E035654CF2BF3929A3856D3E8287390DA36B705F78F0BAC742C999217585F26CB
TrID: 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: e4e498989894e4e0 (1 x LummaStealer)
Reporter: abuse_ch
Tags: exe LummaStealer


abuse_ch
LummaStealer C2:
http://diamondcrystal.fun/api

Intelligence


File Origin
# of uploads: 1
# of downloads: 331
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cd34667b92f66ea3b0208ca3517a20b4da5742b7b6c18b45ce6ad0325cadfed6
Verdict: Malicious activity
Analysis date: 2023-10-13 05:28:12 UTC
Tags: lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file
Reading critical registry keys
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: lolbin net_reactor obfuscated packed packed regsvcs
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious
Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-10-13 09:11:42 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 17 of 36 (47.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unpacked files
SHA256 hash: 664dea519130135b65faeb503cd9576a1aaef5519708fc4ba0215fa4992fff80
MD5 hash: e6b96c819620f155317cc03c75983014
SHA1 hash: 94c38e24bf613e2740eb743bca3af73a2c233651

SHA256 hash: bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash: 7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash: 67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d

SHA256 hash: dcf3822bff968bfb425d0bf2696a45a42edfbf051b6101199905fc7cfeca3d8c
MD5 hash: 2fa653ae572c0375f9250a64b6ffdb48
SHA1 hash: 54bbe05ff569eaa60fadaf6eecf4bae959b1af3c

SHA256 hash: cd34667b92f66ea3b0208ca3517a20b4da5742b7b6c18b45ce6ad0325cadfed6
MD5 hash: 913bf0127da60c2512d681af2ea0529d
SHA1 hash: 8e9e9b266bd5778f8585b4f30dff88b11f2f71e2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BAZT_B5_NOCEXInvalidStream

Rule name: grakate_stealer_nov_2021

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.
