MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
SHA3-384 hash: 3e755fe5370da85b57ab0fc0424c4445e15d502add3cd469f5bcebf054e17dff254b17a34562a24473d46c21befcebdf
SHA1 hash: d524a6905cc1c5714ef031d1fa1189c77580d1ca
MD5 hash: bd72a0c67baff28def74145713368086
humanhash: video-march-bulldog-freddie
File name:f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
Download: download sample
Signature LummaStealer
Create hunting rule
File size:4'671'336 bytes
First seen:2023-09-05 11:05:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ca2ada15fca9ba51b650e1414510d44 (2 x Amadey, 1 x LummaStealer, 1 x RemcosRAT)
ssdeep 98304:Lofd0pf+LYAx7iuXLm41kGK4SC+vPIrukyfo:kV0I8onCrs+vQruto
Threatray 5 similar samples on MalwareBazaar
TLSH T13C26BF22BA41C071F5D201B954BEEB7E493DAE204B35C1C397D43D6AD9311D32B3A7AA
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 30e0e0e0e0e0e0ec (1 x RaccoonStealer, 1 x LummaStealer)
Reporter adrian__luca
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://productkeyforfree.com
Verdict:
Malicious activity
Analysis date:
2023-08-23 10:43:39 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/c1891390-295c-44e3-befd-1c311b1605f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446297/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.60582.31791.4670.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug control expand greyware lolbin overlay packed remote shell32
Link:
https://www.filescan.io/uploads/64f70b9b31c991f8dc0856f3/reports/b0ae05d0-b414-4064-bfc1-510b437dedd8/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c03f10b6-090a-4f34-9d8e-82a22a853a4a
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1303454
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303454 Sample: 9xWYDF18tk.exe Startdate: 05/09/2023 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Found malware configuration 2->43 45 Antivirus detection for URL or domain 2->45 47 6 other signatures 2->47 7 9xWYDF18tk.exe 4 2->7         started        process3 dnsIp4 23 ipv4.imgur.map.fastly.net 199.232.32.193, 443, 49723 FASTLYUS United States 7->23 25 arthritis.org 172.67.28.160, 443, 49721, 49722 CLOUDFLARENETUS United States 7->25 27 2 other IPs or domains 7->27 49 Maps a DLL or memory area into another process 7->49 11 cmd.exe 2 7->11         started        signatures5 process6 file7 21 C:\Users\user\AppData\Local\Temp\wbeaoueq, PE32 11->21 dropped 51 Injects code into the Windows Explorer (explorer.exe) 11->51 53 Writes to foreign memory regions 11->53 55 Found hidden mapped module (file has been removed from disk) 11->55 15 explorer.exe 12 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 dnsIp10 29 104.21.82.77, 49749, 49753, 49757 CLOUDFLARENETUS United States 15->29 31 glitchmoon.xyz 172.67.198.92, 49747, 49750, 49755 CLOUDFLARENETUS United States 15->31 33 System process connects to network (likely due to code injection or exploit) 15->33 35 Query firmware table information (likely to detect VMs) 15->35 37 Performs DNS queries to domains with low reputation 15->37 39 2 other signatures 15->39 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-23 01:07:34 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6bj5px5ccztznfnxuskw347s7qnp645vynhfjyiyz4iattcmmrsq._file
Verdict:
malicious
Similar samples:
8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5
LummaStealer
95c06a49c439b9c6baf3e39786a25e09c065e407c6b9bb0ba0e31a0bd8f12ad8
LummaStealer
c1d67650c1478f217e31fc7d54d9196bf6384d6e6edcafcc85f600a858ea2252
LummaStealer
ce28b5bb36eae2c073a5856951a22de3968efd713df1c4e373b1e16cfe5ae255
LummaStealer
e6db950824ebaa85c4bd6b49915bee14d1bbdb7124e68e5494fce0b6d4ae7b38
LummaStealer
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230905-m7ebqaeh7t/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465
MD5 hash:
bd72a0c67baff28def74145713368086
SHA1 hash:
d524a6905cc1c5714ef031d1fa1189c77580d1ca
Link:
https://www.unpac.me/results/4c3681a8-f818-467b-a0a1-4909a135d61a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f053d7dfa216679695b7a4956df3f2fc1aff73b5c34e54e118cf1009cc4c6465

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang
Create hunting rule
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446297/

Comments