MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf
SHA3-384 hash: 7624daed949cbbcd61bb7c3a1e78524257e84329174249e97ab2a417cb048379e2f9761b700cc39e8edb425865457818
SHA1 hash: 2b1cbe5883d614cde60207cc374438ed7af1b7b1
MD5 hash: a4d4c81fead95eda399ec3739839d6b9
humanhash: bulldog-mississippi-august-fix
File name:Installer.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'192'448 bytes
First seen:2023-07-06 09:30:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:8CMVAl0Y3xq10UBpt/l0Y3xq10UB1gZ/zMjhPzysSEO:87cj3xAxj3xAA2dydEO
Threatray 8 similar samples on MalwareBazaar
TLSH T17F45BD257581C9B1C4551932C0D3D5F90BF2BF62E272C68BFA873D9B3E323818A566C9
TrID 44.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
25.9% (.EXE) InstallShield setup (43053/19/16)
7.8% (.SCR) Windows screen saver (13097/50/3)
6.3% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon c9d1d8cd96a0aec6 (2 x njrat, 2 x Gh0stRAT, 1 x NanoCore)
Reporter obfusor
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2023-07-06 09:33:40 UTC
Tags:
installer lumma stealer
Link:
https://app.any.run/tasks/3de9d83b-684c-44b2-b292-64c7c59040f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/408953/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3942.1503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Adding an access-denied ACE
Creating a file
DNS request
Sending an HTTP POST request
Reading critical registry keys
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto greyware packed
Link:
https://www.filescan.io/uploads/64a68b7a8583eaadb34f0f83/reports/5ff432ee-31a5-4020-b483-13e44f246c33/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cbae8a31-9d5e-46ed-99ce-98486db9de9c
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1267969
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-07-05 21:41:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h4suhxcriaw5x6asg7je6tveawikhrkvly2k3vd663nb3ubxkxq._file
Verdict:
malicious
Similar samples:
68af9af3506c7a35ef60026b6662cbc1fda0b36007a6eb48a974e4d7574db21f
LummaStealer
7e7f09ae12feb0fe6e06fa095f5842fc5c11270bc08bec3ed05d87564890fcbc
LummaStealer
8e35c485f5a7bc19bdf66ad951c2d05de5cc72cc70ecc0a60e86b31028de8db9
LummaStealer
b9c2fa6207cd6e32d74e20820e6a62bbb618cf84e7fb74e95a5e7400ec88ffc1
LummaStealer
bcf619de91d54b32858baabce229d3073a02f0f090c9190c5e80cd8f74d82561
LummaStealer
d9e54f6fa96be453706495c9282a926667f750d348bdb9ea47c4a9fa93f80ab2
LummaStealer
df0de6f581fff0ddc9972190887715c30433bc08f4fdd3fbbe7cbfc0a0f9af9a
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma spyware stealer
Link:
https://tria.ge/reports/230706-lg2hwshg53/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Lumma Stealer
Unpacked files
SH256 hash:
e0b457f6f6d6365cbe68167fe776cf57ee587ab792d68d96dd3b5fc7b4817e80
MD5 hash:
7a3ed67700f513b0dd7c6e1833675257
SHA1 hash:
a545058d8d997c65fcc52f367aa3dd72068eb034
Link:
https://www.unpac.me/results/6bff3fd0-3eda-476f-ab4e-b4ff5640b54b/
SH256 hash:
9ee1188bfa814e0ae8dccba22ead8ed250915807d8750a48120b514f24e762b2
MD5 hash:
f397e831c90a57becf0231110467d3f6
SHA1 hash:
b0b7806f43d46d8161cdc80063b482b40ddac9bb
Link:
https://www.unpac.me/results/6bff3fd0-3eda-476f-ab4e-b4ff5640b54b/
SH256 hash:
e0b457f6f6d6365cbe68167fe776cf57ee587ab792d68d96dd3b5fc7b4817e80
MD5 hash:
7a3ed67700f513b0dd7c6e1833675257
SHA1 hash:
a545058d8d997c65fcc52f367aa3dd72068eb034
Link:
https://www.unpac.me/results/6bff3fd0-3eda-476f-ab4e-b4ff5640b54b/
SH256 hash:
9ee1188bfa814e0ae8dccba22ead8ed250915807d8750a48120b514f24e762b2
MD5 hash:
f397e831c90a57becf0231110467d3f6
SHA1 hash:
b0b7806f43d46d8161cdc80063b482b40ddac9bb
Link:
https://www.unpac.me/results/6bff3fd0-3eda-476f-ab4e-b4ff5640b54b/
SH256 hash:
d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf
MD5 hash:
a4d4c81fead95eda399ec3739839d6b9
SHA1 hash:
2b1cbe5883d614cde60207cc374438ed7af1b7b1
Link:
https://www.unpac.me/results/6bff3fd0-3eda-476f-ab4e-b4ff5640b54b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1f92a1ee28a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1f92a1ee28a016edfc091be927a75202c851e2aaaf1a56ea3f7b6d0ee81baaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/408953/

Comments