MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca
SHA3-384 hash:	8c84e8d043e1321cdea27ad222974e5ab14ae6e733ceb58e8333e1648fc784afae67440a220b4e660e3259aa3a23dcb1
SHA1 hash:	003962d544813800328c394b2b87a00b288d376f
MD5 hash:	0edfa39bb38fdb60095f1cb3026af6ae
humanhash:	artist-salami-island-pasta
File name:	DLoad.bin
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	7'492'482 bytes
First seen:	2023-10-05 12:22:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep	98304:OZcZBwjotiAqIZZn9mUtdradTBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA64TY:6jOpqIZv7STVHJack+YlGlSRRw
Threatray	33 similar samples on MalwareBazaar
TLSH	T172760163B0DA2471F8732A367892D432393E5C9CE04629A929F4AED7F472D0C5F4B791
TrID	36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.4% (.EXE) Win64 Executable (generic) (10523/12/4) 7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	g0njxa
Tags:	exe lumma LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://dload.site

Verdict:

Malicious activity

Analysis date:

2023-10-05 11:29:47 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/050a7f3d-da15-4da4-98f0-ecbf5cb715f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.6019.6990.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a process with a hidden window

Running batch commands

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

89%

Tags:

lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/651eaaa74d45a517a3420059/reports/c430c4b7-7cd3-4115-8c20-1e86a130008b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

OWASP

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/278d87b7-2341-4255-8b7a-31613eb7c365

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

4 / 100

Link:

https://www.joesandbox.com/analysis/1320241

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2lh5m2rty3y26lvuamiiuv4jmk2ztj33ltvgwsqgojvdyyforpfa._file

Verdict:

malicious

LummaStealer

26373be33aa3dc54e22a2d1c67c1bc0a42dcfc0ebe9ad6c715829e4fe76a30ae

LummaStealer

4d998b6577854de846db8247d7c1fa2ce080ba115368cfce0308d88bd5e6aaf3

LummaStealer

5c7e18764c02e02117f91213a2f66e63265d3ed30c0ea8ae1c9be8ff5ee4ba43

LummaStealer

89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc

LummaStealer

8ca0436b72f946ce0c6c5613e991444c69c2e3cc79a43da4e54d49c95ac362d2

LummaStealer

b835220d18074195e2df569e8088470b7f400c334aef1dd54dfe30e2019dab7a

LummaStealer

c7825ac17db3d7a4fca371b94a6bc4aa7d22e40bfa10e24b0c3ef063c82de7d5

LummaStealer

e69f9ad1a39625c68a758abd264ed9809ad54e77f197aaf6ae4b8b4f79029ced

LummaStealer

f4ec042b3b9d605d34a32d37c19a100e50f1ab5242f02f826d683ee6f742810a

LummaStealer

+ 23 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/231005-pkfx5scg97/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Unpacked files

SH256 hash:

d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca

MD5 hash:

0edfa39bb38fdb60095f1cb3026af6ae

SHA1 hash:

003962d544813800328c394b2b87a00b288d376f

Link:

https://www.unpac.me/results/5f7fe529-3832-4e13-a8b7-d0f0b5ac8375/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MinGWGCC3x Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample