MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5
SHA3-384 hash: 03836cc78d4ec0eb5e768d5b5071340513ce77d22292f11321e24721fa436ebf98d10690c3c039a7abba245d1e338407
SHA1 hash: c79df640b839d8fb01ede7d91c397212a3e1da0c
MD5 hash: f4f147d270e98a7598f02362ddd2f927
humanhash: magnesium-tango-leopard-beer
File name:f4f147d270e98a7598f02362ddd2f927.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'256'832 bytes
First seen:2023-07-20 14:45:28 UTC
Last seen:2023-07-20 15:28:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 98304:FRyJKKbIFlOLLN3z71neq1VKj7J2tB5pu:FkwKbqeJ171Yj7Ep
Threatray 2'320 similar samples on MalwareBazaar
TLSH T131E53307B4845E6BCA648C7388CD90CC56ACFBCDE04D6BD49380EA67E622BDD195D7E0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6cc4d0d494b4e4c8 (1 x RedLineStealer, 1 x RaccoonStealer, 1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4f147d270e98a7598f02362ddd2f927.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 14:46:06 UTC
Tags:
lumma
Link:
https://app.any.run/tasks/588b08dc-2edf-42df-8641-cc86d63c5902

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/426347/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.25572.24444.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64b948acf52c3e1a014ab403/reports/fedad6d3-e317-4be3-9dfc-745daf7ac430/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c8508c5c-228d-4db2-a442-57fcab00d249
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276905
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276905 Sample: a8VAU3JgIh.exe Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Antivirus detection for URL or domain 2->45 47 8 other signatures 2->47 6 Tddecerhb.exe 14 5 2->6         started        10 a8VAU3JgIh.exe 16 5 2->10         started        13 Tddecerhb.exe 4 2->13         started        process3 dnsIp4 49 Antivirus detection for dropped file 6->49 51 Multi AV Scanner detection for dropped file 6->51 53 Machine Learning detection for dropped file 6->53 15 Tddecerhb.exe 6->15         started        29 files.catbox.moe 108.181.20.35, 443, 49692, 49717 ASN852CA Canada 10->29 23 C:\Users\user\AppData\Roaming\Tddecerhb.exe, PE32 10->23 dropped 25 C:\Users\...\Tddecerhb.exe:Zone.Identifier, ASCII 10->25 dropped 27 C:\Users\user\AppData\...\a8VAU3JgIh.exe.log, ASCII 10->27 dropped 55 Injects a PE file into a foreign processes 10->55 19 a8VAU3JgIh.exe 12 10->19         started        21 Tddecerhb.exe 13->21         started        file5 signatures6 process7 dnsIp8 31 gstatic-node.io 188.114.96.7, 49693, 49696, 49697 CLOUDFLARENETUS European Union 19->31 33 188.114.97.7, 49694, 49695, 49702 CLOUDFLARENETUS European Union 19->33 35 192.168.2.1 unknown unknown 19->35 37 Query firmware table information (likely to detect VMs) 21->37 39 Tries to harvest and steal browser information (history, passwords, etc) 21->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Suspicious
First seen:
2023-07-20 13:14:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ajqhgp5ibbcnls3scex5dr277rjw7jubapodpyr5szxkdfdilcq._file
Verdict:
malicious
Similar samples:
0b0a8734313c4f347c472b5b9a8b2351759799e27a2c4e60263f2e522130ec5c
LummaStealer
0cfa378be0ba59aeb6d4f75ec7f8e97d26794d5a4cc3258ded80117020226c96
LummaStealer
10c3ade35a4335bd3c404789a75cc98b4b28a12468db7f8fd6e94d468e0bad7e
LummaStealer
379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba
LummaStealer
7e9ed4d997f5a2c2d35cb8c49f66625eb37d3711906dc39dfc6e34319ad3a2cc
LummaStealer
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
LummaStealer
bcd079ed77301cc5f6a0443ccb3c5b4fe4a4b660ad61d5bcc40f0224c8c2da63
LummaStealer
bcf619de91d54b32858baabce229d3073a02f0f090c9190c5e80cd8f74d82561
LummaStealer
e190e4156d84f4311c5a4b10471bc3465847d6f8aee11a3d7598ca70733a0b71
LummaStealer
+ 2'310 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence spyware stealer
Link:
https://tria.ge/reports/230720-r5ab7shb36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer
Unpacked files
SH256 hash:
d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5
MD5 hash:
f4f147d270e98a7598f02362ddd2f927
SHA1 hash:
c79df640b839d8fb01ede7d91c397212a3e1da0c
Link:
https://www.unpac.me/results/04459ba0-4cd4-4b4c-abcf-dfc47914b353/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0130399fd40/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2686424/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/426347/

Comments