MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69
SHA3-384 hash: 53088daf210ab3de156a246afe49f226f452a40597b5970579bca41a76dd93efd88d1d5e608ac19d78992f2ab64a520f
SHA1 hash: 5a4554aea615f6bce4a33f6341ef7c432202512c
MD5 hash: db5bb990c04bc29e0e5ad85f82fc2f9b
humanhash: violet-autumn-oven-william
File name:human-check.b-cdn.net.ps1
Download: download sample
Signature LummaStealer
Create hunting rule
File size:115 bytes
First seen:2024-08-26 17:11:47 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 3:VSJJLNyAmarBO/tmt55akuVvp0Pr4/TnOqkkvp:snyuk854kuVvp0Pk/rOsvp
TLSH T133B092909A6CEA0C42BFBA30191C598FB2038272E1A0366AE89010805A0CA1FD31B248
Magika powershell
Reporter aachum
Tags:LummaStealer ps1


Avatar
iamaachum
https://human-check.b-cdn.net/verify-captcha-v7.html

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ccb763e7ff3f5a063c0413
Tags:
Encryption Execution Generic Infostealer Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin lolbin masquerade mshta powershell shell32
Link:
https://www.filescan.io/uploads/66ccb7621c7fd2cfb7052113/reports/b2cddf85-4151-4326-9029-fe714a46bbbd/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1499226
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499226 Sample: human-check.b-cdn.net.ps1 Startdate: 26/08/2024 Architecture: WINDOWS Score: 100 48 poko.b-cdn.net 2->48 50 onionoowzwqm.shop 2->50 52 locatedblsoqp.shop 2->52 60 Suricata IDS alerts for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 5 other signatures 2->66 11 powershell.exe 11 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 72 Encrypted powershell cmdline option found 11->72 74 Powershell drops PE file 11->74 17 powershell.exe 7 11->17         started        19 conhost.exe 11->19         started        58 127.0.0.1 unknown unknown 14->58 signatures6 process7 process8 21 mshta.exe 17 17->21         started        dnsIp9 56 poko.b-cdn.net 169.150.247.33, 443, 49730, 49734 SPIRITTEL-ASUS United States 21->56 38 C:\Users\user\AppData\Local\...\poko[1], PE32 21->38 dropped 68 Suspicious powershell command line found 21->68 70 Very long command line found 21->70 26 powershell.exe 14 36 21->26         started        file10 signatures11 process12 file13 40 C:\Users\user\...\wxmsw32u_xrc_gcc_custom.dll, PE32+ 26->40 dropped 42 C:\Users\user\AppData\Local\Temp\WwaApi.dll, PE32+ 26->42 dropped 44 C:\Users\user\...\SharedVoiceAgents.dll, PE32+ 26->44 dropped 46 6 other malicious files 26->46 dropped 76 Loading BitLocker PowerShell Module 26->76 30 0Setup.exe 26->30         started        33 conhost.exe 26->33         started        signatures14 process15 signatures16 78 Multi AV Scanner detection for dropped file 30->78 80 Writes to foreign memory regions 30->80 82 Allocates memory in foreign processes 30->82 84 2 other signatures 30->84 35 BitLockerToGo.exe 30->35         started        process17 dnsIp18 54 onionoowzwqm.shop 188.114.97.3, 443, 49743, 49744 CLOUDFLARENETUS European Union 35->54
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jhkadwxhkyiazyb2mshdjblmfnenqiofwzr36oxrjkq2k4zfnuq._file
Verdict:
unknown
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution stealer
Link:
https://tria.ge/reports/240826-vqtn3svhka/
Behaviour
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://onionoowzwqm.shop/api
https://locatedblsoqp.shop/api
Dropper Extraction:
https://poko.b-cdn.net/poko
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

PowerShell (PS) ps1 d24ea00ed73ab0806701d32471a42b615a46c10e2db31df9d78a550d2b992b69

(this sample)

LummaStealer

Executable exe 210a9e063211abc76ee5d4b082a207ae20627021d0ec3131963a4a1822aaf9db

LummaStealer

Executable exe b231615f9bbd687fea1ab41e35a58fd1bb5ebe478dcea4785cb11c8702e3bc7e

  
Link
https://tria.ge/240826-vjcrzsvela
  
Dropping
IDATDropper
  
Delivery method
Distributed via web download
  
Dropping
SHA256 b231615f9bbd687fea1ab41e35a58fd1bb5ebe478dcea4785cb11c8702e3bc7e
  
Dropping
MD5 9cc77f386053aafba2d0918a99942d6f

Comments