MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
SHA3-384 hash: 2cc9fe48275b9d56924f052cb701c6e96ccd09919a1ed59189c99055bf14e744be307cc1a8bdc446355483dd59357178
SHA1 hash: 62ed9e02eb9b387211153e8cd7554d82ba70541c
MD5 hash: c9bd78329466c6f92ebd4989e5cb0d35
humanhash: failed-leopard-lithium-west
File name:1111.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:483'328 bytes
First seen:2023-09-04 06:17:53 UTC
Last seen:2023-09-04 06:38:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e2df31d3619106ad25b94113e9b63d3 (3 x LummaStealer)
ssdeep 6144:lKGWDvcUw8avAb7WsNjag3TSsRyaph69qNw5RDAOufxdFpeOY6W1QznIyCd:l5OvPsYN72s6INwPkOu5dFpe1
Threatray 4 similar samples on MalwareBazaar
TLSH T14AA49D14B9C1C0F2C827143101E4E77689787631CB768DCBF7D4DA78EA392C1967AA9E
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter 0xToxin
Tags:89-23-96-203 exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1111.exe
Verdict:
No threats detected
Analysis date:
2023-09-04 06:23:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4f35a2b-03a2-41f1-9a42-06be4d9fcd19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445946/
Detection(s):
SecuriteInfo.com.Variant.Zusy.483829.3540.6704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto greyware
Link:
https://www.filescan.io/uploads/64f5769c67511af1a1b42e21/reports/11d7a9e7-939f-4fc5-8e9d-9f69e9b6bd4d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9092df34-1331-4c10-bc36-8501814dc869
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1302631
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-09-04 06:18:07 UTC
File Type:
PE (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jxmtpr25jtqk3sfmsu3htunn2jo3jknwmxhcacd32mnpvs77vka._file
Verdict:
malicious
Similar samples:
1cc7feaee823df0807c49341b9f4f0e58a4c021e8bc974af7bf5eb02fe09731e
LummaStealer
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
LummaStealer
be532f3c9322f0b96eac8a3f6871e5542f7b3c4760219fb0e94a1b8201ba709e
LummaStealer
c42b0d200c2022fba3332dd1078cf1412ba37eb52bd74acf7edb4672b1d0f330
LummaStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230904-g2lwqaef45/
Behaviour
Suspicious behavior: EnumeratesProcesses
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54
MD5 hash:
c9bd78329466c6f92ebd4989e5cb0d35
SHA1 hash:
62ed9e02eb9b387211153e8cd7554d82ba70541c
Link:
https://www.unpac.me/results/e1668f8b-e70e-456f-b46e-91905097bbf0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea6ec9be3aea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/445946/

Comments