MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfa2c76389bca9c252f55cc734bee1563f890911b6153320f6e3312328755b08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 15 File information Comments

SHA256 hash:	dfa2c76389bca9c252f55cc734bee1563f890911b6153320f6e3312328755b08
SHA3-384 hash:	c694d01ec355ed78f36017d4533db22b6bafc046c817d82989224d80af07bb71711b3f662dff9d63c748046b95d646ea
SHA1 hash:	fa01a3c8a535917621aa180b1e96b7d797d27dcd
MD5 hash:	1ca619ac8ef2f23baa9ff8fa0df07021
humanhash:	may-alabama-california-arkansas
File name:	Docs.iso
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'619'968 bytes
First seen:	2023-10-04 03:39:45 UTC
Last seen:	Never
File type:	iso
MIME type:	application/x-iso9660-image
ssdeep	49152:BFvAWKPBJp1AUWqY2TjXm6Y9YVO8a0q0l:BFhKPBJcUWqY2TTmZ
TLSH	T1A875DF68A58EA8EFC72143F06B4F3DEC751D3432E5E406D9A34CD7870664A7A850BE4B
TrID	99.5% (.NULL) null bytes (2048000/1) 0.2% (.ATN) Photoshop Action (5007/6/1) 0.1% (.ISO) ISO 9660 CD image (2545/36/1) 0.0% (.BIN/MACBIN) MacBinary 1 (1033/5) 0.0% (.ABR) Adobe PhotoShop Brush (1002/3)
Reporter	1ZRR4H
Tags:	iso LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:	10700_SR_EN.pdf.vbs
File size:	3'067 bytes
SHA256 hash:	51574e9dc00eca75a025fe34e729a487624e1f2f77100618ff67cffb80a36686
MD5 hash:	17e11f6f7d064992deeb632e62b64e8e
MIME type:	text/plain
Signature	LummaStealer

File name:	PR10559_SR_EN.pdf
File size:	864'316 bytes
SHA256 hash:	126f0dc2ff08b82a42b20cf3640d4419bd5597ad52e32a5a311fa9894227c8dc
MD5 hash:	bdf588e5f7d5e15a95bff47718245b3c
MIME type:	application/pdf
Signature	LummaStealer

File name:	update.exe
File size:	687'616 bytes
SHA256 hash:	ec0898d88ee59ee97415deedbc28c6754a4bf83c1443d10e9cd0deeb219f0deb
MD5 hash:	221bb71916e1e9d532ae7022869d55ae
MIME type:	application/x-dosexec
Signature	LummaStealer

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Iso_pdf.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

context-iso control greyware lolbin

Link:

https://www.filescan.io/uploads/651cde94426c8727d6eaabb6/reports/997812f8-c278-40d7-8b7e-98b808c4f64c/overview

Verdict:

Suspicious

Labled as:

Trojan/Generic

Link:

https://www.hybrid-analysis.com/sample/dfa2c76389bca9c252f55cc734bee1563f890911b6153320f6e3312328755b08

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dfa2c76389bca9c252f55cc734bee1563f890911b6153320f6e3312328755b08/

Threat name:

Win32.Trojan.ZmutzyPong

Status:

Malicious

First seen:

2023-09-30 05:04:33 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

13 of 23 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=36rmoy4jxsu4euxvltdtjpxbky7yscirwyktgihw4mysgkdvlmea._file

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware

Link:

https://tria.ge/reports/231004-gs66ashe2x/

Behaviour

Creates scheduled task(s)

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/dfa2c76389bca9c252f55cc734bee1563f890911b6153320f6e3312328755b08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Certutil_Decode_OR_Download Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Certutil Decode
Reference:	Internal Research

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SUSP_OneNote Create hunting rule
Author:	spatronn
Description:	Hard-Detect One

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample