MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d66349fd06be15422c5e95e15be4e486cba94fd1339a370f0c8b3b90cef148d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 11



SHA256 hash: d66349fd06be15422c5e95e15be4e486cba94fd1339a370f0c8b3b90cef148d5
SHA3-384 hash: 276c03c7e98df2166762130d3e47e47a70b184e598b196e3480f8dc8c39d1c445c58b063a2da5292f81216377bffce7d
SHA1 hash: 932e2efaa79e98e7717f83c22ffd40a18d9f5202
MD5 hash: 14be53af83fa482be458bb963ab0375a
humanhash: video-tennessee-july-missouri
File name: file
Signature: LummaStealer
File size: 257'536 bytes
First seen: 2023-09-13 14:06:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b402c7220872217841e38133c9655d5b (1 x LummaStealer, 1 x Smoke Loader)
ssdeep: 3072:ZIm9JsLZlsFEF7SG1t0uQSMScAzaZfO+IWRMqT922y6BzukSkwhzjP7ah5WkV:gLTcEF7WRS4iqT92/6BzuAwhz/xk
Threatray: 3 similar samples on MalwareBazaar
TLSH: T14844F111B6F0C872E5AB853D1C35B390AB7F7D236AA1C50F3344166F0E336C29A69396
TrID: 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 020405030a183000 (1 x Smoke Loader, 1 x LummaStealer)
Reporter: jstrosch
Tags: exe LummaStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 299
Origin country: US

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-13 14:07:46 UTC
Tags: gcleaner loader lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Gathering data

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware mikey packed redline

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious

Result
Threat name: LummaC Stealer, onlyLogger
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected LummaC Stealer
Yara detected onlyLogger
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID: 1308144, Sample: file.exe, Startdate: 14/09/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.Lgoogloader
Status: Malicious
First seen: 2023-09-12 20:01:48 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 21 of 23 (91.30%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SHA256 hash: 80978d46225030bf7e3aa308d9339d2df6da61c58f6099064c6f2d5eb9d79712
MD5 hash: 98e96e494b760a7578bb2865ffa3bd1e
SHA1 hash: cccd4bcdfbd509edb77078000e624568b353a0e3

SHA256 hash: d66349fd06be15422c5e95e15be4e486cba94fd1339a370f0c8b3b90cef148d5
MD5 hash: 14be53af83fa482be458bb963ab0375a
SHA1 hash: 932e2efaa79e98e7717f83c22ffd40a18d9f5202
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe d66349fd06be15422c5e95e15be4e486cba94fd1339a370f0c8b3b90cef148d5 (this sample)

Delivery method: Distributed via web download

Comments