MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed4754164c55dd618ebd2de2946b0e6a04086e138eb5547279df582a197616e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed4754164c55dd618ebd2de2946b0e6a04086e138eb5547279df582a197616e3
SHA3-384 hash: 82a97a9c5ac431834aef98c42af22c2246fe889e8435a0bb03bd7168168a946e55b6623e6b223cedf76aa809dc271a6b
SHA1 hash: 75965deb9b1ac7e5bdc0fb83ff5a00660c4d72ca
MD5 hash: 3915b48bf7e66faca2fc70395d5c797d
humanhash: fourteen-island-juliet-foxtrot
File name:3915b48bf7e66faca2fc70395d5c797d.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:20'132'328 bytes
First seen:2023-12-03 15:05:15 UTC
Last seen:2023-12-03 16:32:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6011984d7c1f1b97a34d7517a498bff8 (8 x RedLineStealer, 5 x STRRAT, 3 x LummaStealer)
ssdeep 393216:tQNmw/uB4e1LTacJCF6ZElIlTFGw0CKM8FZPG6IOyS/Uv/PhHi:+NmwGJBoE8ITFGCkFOe0C
TLSH T127171223E0D92071F9771A33A8A264633D3E49DCE08B286524F46BE3F972D494F57762
TrID 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0ccb2e8b2d4f071 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://pinkipinevazzey.pw/api

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.5652.8.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Query of malicious DNS domain
Sending a TCP request to an infection source
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/656c99762efa450749b69dc0/reports/a3e4411b-7b6e-40e4-aaf9-dcd687835248/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ed4754164c55dd618ebd2de2946b0e6a04086e138eb5547279df582a197616e3
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1352615
Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1352615 Sample: DLfNC1EGyi.exe Startdate: 03/12/2023 Architecture: WINDOWS Score: 56 18 imagefilestorage.top 2->18 22 Multi AV Scanner detection for domain / URL 2->22 24 Multi AV Scanner detection for submitted file 2->24 9 DLfNC1EGyi.exe 2->9         started        signatures3 process4 process5 11 javaw.exe 23 9->11         started        dnsIp6 20 imagefilestorage.top 172.67.141.114, 443, 49732 CLOUDFLARENETUS United States 11->20 14 icacls.exe 1 11->14         started        process7 process8 16 conhost.exe 14->16         started       
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-29 19:34:30 UTC
File Type:
PE (Exe)
Extracted files:
6494
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5vdvifsmkxowddv5fxrji2yonicaq3qtr22vi4tz35mcuglwc3rq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231203-sgqvqacd34/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/ed4754164c55dd618ebd2de2946b0e6a04086e138eb5547279df582a197616e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MinGWGCC3x
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments