MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187
SHA3-384 hash: 2f021d135655e7a1f5e82e4f5acfacea0543e76674248bf532ddb751a302c6e3e2804a2fbde0dd1e2c4f93e6841dcb00
SHA1 hash: c77d73ea352e0f9f45ff10822c0400afa6ff75c6
MD5 hash: 256db7ccd988a48d7fd97cb1f0edb8be
humanhash: montana-nuts-floor-ten
File name:256db7ccd988a48d7fd97cb1f0edb8be.bin.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'967'904 bytes
First seen:2023-10-07 12:15:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:SBminKFeZiCUOsh1Jly2rzxQYrpdL3kq6JFhbDEgJ6u:TLFeXUOsh5rzxQYb
Threatray 77 similar samples on MalwareBazaar
TLSH T128958D14FBE8E866C3556E79CCECD756F166ACA0AD21C21B3880576D19B13BC4B883C7
TrID 44.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
25.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.0% (.SCR) Windows screen saver (13097/50/3)
6.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon b830b6ec6474d898 (1 x njrat, 1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://decorhighsa.pw/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
256db7ccd988a48d7fd97cb1f0edb8be.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-10-07 12:47:04 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/c9ff9fb8-3c13-4676-b625-6f89964f040d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.MSIL.Stealerc.gen.4737.12733.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file
Launching a process
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5de2b2da-59da-4b25-913c-c5072d1d89d6
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1321468
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-10-07 12:16:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3use2ihfmrw6vr3q7lvcaouxriuvl35c6o7debyfxjey7rnqkgdq._file
Verdict:
malicious
Similar samples:
2a10de68cf32f00733275b4d66276226c82e362b06e8bc1e3af88232f59ebb4e
LummaStealer
4a699a693c63228aebd3e0bc98d92fe2d8bb7ae487992e81cfee767f0b9ed1bf
LummaStealer
7590cb175c30e90638d9d0f168add1c0cb66d769917ebc3052a9235618a5582b
LummaStealer
89bc9fdb7d1d93a49c7cf3ccfff8ec5c174a44dd580e63e3cb47de448e9daefc
LummaStealer
b835220d18074195e2df569e8088470b7f400c334aef1dd54dfe30e2019dab7a
LummaStealer
bec28def672957143374413ca61cc8bc072551e0547d9597de026f2592b562fc
LummaStealer
c7825ac17db3d7a4fca371b94a6bc4aa7d22e40bfa10e24b0c3ef063c82de7d5
LummaStealer
d2cfd66a33c6f1af2eb403108a578962b599a77b5cea6b4a06726a3c60ae8bca
LummaStealer
f4ec042b3b9d605d34a32d37c19a100e50f1ab5242f02f826d683ee6f742810a
LummaStealer
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231007-pffrksec98/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Drops startup file
Unpacked files
SH256 hash:
3dc3e5b03d32f02e720cdeb34db51d32d8aad8a979d4f6ba5913f11e82e554e9
MD5 hash:
ac3091ea6f57c8b04eca89f8afe6c8d9
SHA1 hash:
b7805ddf259d827bbf2260185a03898b096a28ce
Link:
https://www.unpac.me/results/137968b6-110b-4164-9e77-9246d92d8038/
SH256 hash:
dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187
MD5 hash:
256db7ccd988a48d7fd97cb1f0edb8be
SHA1 hash:
c77d73ea352e0f9f45ff10822c0400afa6ff75c6
Link:
https://www.unpac.me/results/137968b6-110b-4164-9e77-9246d92d8038/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dd244d20e564/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dd244d20e5646deac770faea203a978a2955efa2f3be320705ba498fc5b05187

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments