MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e
SHA3-384 hash:	43c1eac78946d459de8a0922c515f410010f1cf817d621607b1a0bfd07147c3ee9e6c52bcd157ecceec717d0f44ed448
SHA1 hash:	971e8340ea42da31af7fdf752a4990fb8558b643
MD5 hash:	387217a16ac73d84d7d85e7c954db040
humanhash:	oklahoma-west-juliet-connecticut
File name:	387217a16ac73d84d7d85e7c954db040.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	354'304 bytes
First seen:	2023-01-11 15:57:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	23dff981b91df1879141d9140cd71ef9 (10 x Smoke Loader, 5 x RedLineStealer, 4 x Tofsee)
ssdeep	6144:iLqXjR6E+xUMc1TIOojk9EnTfseSa/myDqCFTaG9:iej81qdIOkkif+sOCEG
Threatray	63 similar samples on MalwareBazaar
TLSH	T12974BE117AB19871C517FE314F19CBE06AFFB8204B24A7676324679F1FB0392E6A3215
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	bc7c949494948cc0 (1 x Smoke Loader, 1 x Tofsee, 1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

387217a16ac73d84d7d85e7c954db040.exe

Verdict:

Malicious activity

Analysis date:

2023-01-11 16:03:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9af153fe-8645-4d3f-8b66-afc4d64adb65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352002/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63bedc8ba70bef46551ecb39/reports/5976a1a0-1f6b-45a3-a6c1-d928ec5e67bb/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f314c54f-5f54-4b0e-840c-531a40ce5203

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1149713

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-01-11 07:27:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7wgnppuel4jxg5jp33x4z3pujrv4qvo6v2wc42bpnmgzcaybncpa._file

Verdict:

malicious

LummaStealer

1e2900a2e5335d8e39efbe152f5b885c9a4a2e44361b85038e96c9eee3da8cbd

LummaStealer

3419f8887e6f4a2e3520510e30a24c383364e26930329d911c2c40207dab096b

LummaStealer

6513d3ca0604ec33242e2dd8bcabe29fe62cb2acabada15ad959fc6d7cef576f

LummaStealer

72d6cd338baba81b7cef1bcd1ea4eed199adcce0ac57fe1e674527ad7258ea8d

LummaStealer

781b268a96c09be7b60c94eb48f0343e56b79bbf2a86e05b0547bd095784f4dc

LummaStealer

7a9f4a82a6d02681b4262765e66177ed7198fed403e768bed1d28987974f8be0

LummaStealer

7bd7346f3ef17dd2c0cc405b6754ddcd7effd90619b94a1715fa90f9a5fea9ac

LummaStealer

c516fc3286df7ec543273f5cce533a9d356c56ab014c2d92337ba420712da32c

LummaStealer

c837a63ce5b9c5828fbf262e570947fbdc78ef081411f1cd0f22bd534ef55788

LummaStealer

+ 53 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230111-teg1gahc7t/

Behaviour

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cb2fd7fd-cc41-4d01-a36f-7a095e828e0f

Unpacked files

SH256 hash:

2269b102555426d3a4cb0a3e359bbf03f2a25ccf0aeb30c4d549a769ef5a03a3

MD5 hash:

58b97c22ce79ed06da5b569e92987ace

SHA1 hash:

34f970992b862c6b7db110facecdfcf54b954a05

Link:

https://www.unpac.me/results/80774155-270d-4d9b-a0c6-895d9ac2795f/

SH256 hash:

fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e

MD5 hash:

387217a16ac73d84d7d85e7c954db040

SHA1 hash:

971e8340ea42da31af7fdf752a4990fb8558b643

Link:

https://www.unpac.me/results/80774155-270d-4d9b-a0c6-895d9ac2795f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd8cd7be845f1373752fdeefccedf44c6bc855deaeac2e682f6b0d910301689e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352002/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample