MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077
SHA3-384 hash:	e02528e80820c7c12f247d91baa05df099f963f12159599c987b3cf3c4462317f787ab1244d44ebf8f52bd193b266bbf
SHA1 hash:	ade62b2a58d4aa6972283cd000a51fe3ff0885e8
MD5 hash:	16f2d0aa122b49bd7f7ca17eb28e5df5
humanhash:	nevada-magnesium-king-cup
File name:	16f2d0aa122b49bd7f7ca17eb28e5df5.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	400'896 bytes
First seen:	2023-07-24 15:56:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	67ce5c1f8081cdf08e5f30c58a340ff6 (1 x LummaStealer)
ssdeep	12288:alJxRPSvnEVL9MtT6Mgzwni786xNPB8bKbb:altSS9M56Mgz3BxNZt
Threatray	35 similar samples on MalwareBazaar
TLSH	T13884AE04B9C2C0F2D46355320DA4F7BA5F397A31DA21CECFEBC41D6A8A327C1961665E
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

2c30831eb76b914da639870474874647.exe

Verdict:

Malicious activity

Analysis date:

2023-07-24 15:08:00 UTC

Tags:

loader smoke trojan amadey rat redline lumma

Link:

https://app.any.run/tasks/da6138cb-f63d-46dc-9135-cc456a082904

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/431355/

Detection(s):

SecuriteInfo.com.Variant.Zusy.478182.8750.19673.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd crypto greyware lolbin

Link:

https://www.filescan.io/uploads/64be9f502c2ccb709444963d/reports/ab1aa79c-a8b5-4bb1-83ec-63c8fef3339c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d0de63a6-da2c-443f-b6de-299e529a66d8

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1278501

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-07-24 15:57:06 UTC

File Type:

PE (Exe)

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wmy3zz2fzvmf6x6qetq4m5wvh6yz33als2wma2fmau3rnmyyb3q._file

Verdict:

malicious

LummaStealer

443aaac9259917f8116829fc36dbf0569034aad632777d9cc67200b32338cd84

LummaStealer

515006e6eecad0418c6c3980a258dfc6e9f8ff8dacc801298b445c25017beb29

LummaStealer

5c180cd34694c91bc7f4ecaf67d4f462f10254d190d181e02a2a2a7e03d44204

LummaStealer

8059343dd1bd2043009e81a54115ea921ebe7467c35ac05c43e6acd013eec085

LummaStealer

a58b87f315fd77116edce2744e443d0ce6bab9e087a2ead50626e986314f949e

LummaStealer

b78c9c6edd3756702be3d87df39dec7776e412bf4eb93a65c881f2e4a403afe6

LummaStealer

d0130399fd404226ae5b90897e8e3affe29b7d34081ee1bf11ecb3750ca342c5

LummaStealer

d9f6408b67628d5618a4fbaba97404ac55988633ccb2a02a09c95b0b134bafc9

LummaStealer

+ 25 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/230724-tdx1asfg21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

MD5 hash:

16f2d0aa122b49bd7f7ca17eb28e5df5

SHA1 hash:

ade62b2a58d4aa6972283cd000a51fe3ff0885e8

Link:

https://www.unpac.me/results/d3a704dc-3b01-4a49-826a-53c1ca547ae4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d5998de73a2e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5998de73a2e6ac2fafe81270e33b6a9fd8cef605cb56603456029b8b598c077

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_USNDeleteJournal Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing anti-forensic artifcats of deletiing USN change journal. Observed in ransomware