MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf
SHA3-384 hash: b39cc92181ec1ed4b05d6a3726636fd4fe8197eca3df50051e51cdc73c8802d088d33414a9c87085e3b31568ce01774a
SHA1 hash: c4762734094f38f2032edad4df4817363f7df304
MD5 hash: c51233a3b0cc2f9cbbeff772ee068238
humanhash: lemon-magnesium-kentucky-stairway
File name:56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:32'573'744 bytes
First seen:2023-11-15 21:45:06 UTC
Last seen:2023-11-15 23:20:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 786432:cfd+0AfrbXCStGd0ZiL+ew/k7mAonhybq3j:ed+0WrbDlZi6e1EEW3j
Threatray 805 similar samples on MalwareBazaar
TLSH T1C467E021724AC12AD56A4DB0192C9BFBD12CAE657B7104CBB3DC3A2A5B747C31332E57
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1cf8c4c0c2d8f072 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer signed

Code Signing Certificate

Organisation:The FTL Team
Issuer:The FTL Team
Algorithm:sha256WithRSAEncryption
Valid from:2023-09-26T19:25:12Z
Valid to:2024-09-26T19:45:12Z
Serial number: 4d4e733ecb362c9043d87b7b250957e4
Thumbprint Algorithm:SHA256
Thumbprint: c0ad099b1ab3dc1f88d2cca9b67f1b3c7d173b32061e185c4a0ccde8a0e341b6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
LummaStealer C2:
http://noladuer.pw/api

Intelligence

File Origin
# of uploads :
2
# of downloads :
360
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Searching for synchronization primitives
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/65553c1c3f56544041f75a2a/reports/3f955c0b-ecd8-41a6-9d2c-7c8c4357fcb0/overview
Verdict:
Malicious
Labled as:
PUP.Generic
Link:
https://www.hybrid-analysis.com/sample/56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
78 / 100
Link:
https://www.joesandbox.com/analysis/1343284
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1343284 Sample: 56F2F2548297D7B72AF40B7898D... Startdate: 15/11/2023 Architecture: WINDOWS Score: 78 150 noladuer.pw 2->150 152 r1-download.torrent-magnet.zone 2->152 154 2 other IPs or domains 2->154 162 Snort IDS alert for network traffic 2->162 164 Malicious sample detected (through community Yara rule) 2->164 166 Antivirus detection for URL or domain 2->166 168 7 other signatures 2->168 13 msiexec.exe 18 74 2->13         started        17 56F2F2548297D7B72AF40B7898D1DABE2DCB809038898.exe 42 2->17         started        19 ruplp.exe 2->19         started        signatures3 process4 file5 122 C:\Windows\Installer\MSIC4E7.tmp, PE32 13->122 dropped 124 C:\Windows\Installer\MSIC4B7.tmp, PE32 13->124 dropped 126 C:\Windows\Installer\MSIC497.tmp, PE32 13->126 dropped 134 13 other malicious files 13->134 dropped 194 Drops executables to the windows directory (C:\Windows) and starts them 13->194 21 MSIC1D5.tmp 13->21         started        23 CSVed.exe 13->23         started        26 msiexec.exe 16 13->26         started        31 2 other processes 13->31 128 C:\Users\user\AppData\Roaming\...\gstall.exe, PE32 17->128 dropped 130 C:\Users\user\AppData\Local\...\MSI9707.tmp, PE32 17->130 dropped 132 C:\Users\user\AppData\Local\...\MSI96E7.tmp, PE32 17->132 dropped 136 3 other files (2 malicious) 17->136 dropped 29 msiexec.exe 2 17->29         started        signatures6 process7 file8 33 gstall.exe 21->33         started        180 Writes to foreign memory regions 23->180 182 Allocates memory in foreign processes 23->182 184 Injects a PE file into a foreign processes 23->184 38 aspnet_compiler.exe 23->38         started        116 C:\Users\user\AppData\Local\...\scr2D10.txt, Unicode 26->116 dropped 118 C:\Users\user\AppData\Local\...\scr2D0F.ps1, Unicode 26->118 dropped 120 C:\Users\user\AppData\Local\...\pss2D21.ps1, Unicode 26->120 dropped 40 powershell.exe 6 29 26->40         started        42 powershell.exe 27 26->42         started        186 Bypasses PowerShell execution policy 31->186 signatures9 process10 dnsIp11 144 pastebin.com 104.20.67.143, 443, 49737 CLOUDFLARENETUS United States 33->144 146 h.dl.spb.su 104.21.90.183, 443, 49741 CLOUDFLARENETUS United States 33->146 102 C:\Users\user\AppData\Local\...\INetC.dll, PE32 33->102 dropped 104 C:\Users\user\AppData\Local\Temp\PACK.EXE, PE32 33->104 dropped 106 C:\Users\user\AppData\...\tsjtmfdm[1].pkg, PE32 33->106 dropped 108 15 other files (11 malicious) 33->108 dropped 170 Multi AV Scanner detection for dropped file 33->170 172 Creates an undocumented autostart registry key 33->172 174 Sample is not signed and drops a device driver 33->174 44 cmd.exe 33->44         started        47 rundll32.exe 33->47         started        50 regsvr32.exe 33->50         started        61 3 other processes 33->61 148 noladuer.pw 104.21.41.190, 49722, 49723, 49724 CLOUDFLARENETUS United States 38->148 176 Tries to harvest and steal browser information (history, passwords, etc) 38->176 178 Contains functionality to behave differently if execute on a Russian/Kazak computer 38->178 52 powershell.exe 15 15 40->52         started        55 conhost.exe 40->55         started        57 msiexec.exe 40->57         started        59 conhost.exe 42->59         started        file12 signatures13 process14 dnsIp15 190 Uses schtasks.exe or at.exe to add and modify task schedules 44->190 63 PACK.EXE 44->63         started        67 conhost.exe 44->67         started        138 C:\Windows\System32\drivers\SET2113.tmp, PE32+ 47->138 dropped 192 Creates an autostart registry key pointing to binary in C:\Windows 47->192 69 runonce.exe 47->69         started        156 r1-download.torrent-magnet.zone 172.67.137.146, 443, 49718 CLOUDFLARENETUS United States 52->156 71 conhost.exe 52->71         started        file16 signatures17 process18 file19 140 C:\Users\user\AppData\Local\Temp\...\ya.exe, PE32 63->140 dropped 142 C:\Users\user\AppData\Local\Temp\...\me.exe, PE32 63->142 dropped 158 Multi AV Scanner detection for dropped file 63->158 160 Suspicious powershell command line found 63->160 73 ya.exe 63->73         started        77 powershell.exe 63->77         started        79 powershell.exe 63->79         started        81 powershell.exe 63->81         started        83 grpconv.exe 69->83         started        signatures20 process21 file22 112 C:\Users\user\AppData\Local\...\inst100.bat, DOS 73->112 dropped 114 C:\Users\user\AppData\Local\...\System.dll, PE32 73->114 dropped 188 Multi AV Scanner detection for dropped file 73->188 85 cmd.exe 73->85         started        88 conhost.exe 77->88         started        90 conhost.exe 79->90         started        92 conhost.exe 81->92         started        signatures23 process24 file25 110 C:\Users\user\AppData\Local\Temp\g100.bat, DOS 85->110 dropped 94 conhost.exe 85->94         started        96 schtasks.exe 85->96         started        98 schtasks.exe 85->98         started        100 powershell.exe 85->100         started        process26
Score:
83%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf
Gathering data
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-10-15 03:13:21 UTC
File Type:
PE (Exe)
Extracted files:
145
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k3zpevecs7l3okxubn4jruo2xyw4xaeqhceylmqy6rcs2gu4n27q._file
Verdict:
malicious
Similar samples:
2cf7764d7c90c8bd63c0f5f4d1a5554fbca5276210c5b5d7e013b7dbaa42d6fb
LummaStealer
4875a5a5dd058961caad327b2b718e01fbf2821e4873f13b85e790a09c371209
LummaStealer
7e744136336ec22c55586bcd75d19897ecc78a58eebe836ad0147a7861bc32f3
LummaStealer
c3b54b1b12f48682ca31c77c5783db4c235268c52fcf11f2f7a3ee0364c9f8df
LummaStealer
ccfcf5938187220213ac646ba77513343a2fd83e044c755ffa874009d16105d0
LummaStealer
ee8da3a8a77be8552b6d84498f01511752d61486e17a30bc5da880bf828188d8
LummaStealer
f155342f5bb62210ca274f42d22e4345fd8ca58a1c4c05d06e1ff86b8888a8cb
LummaStealer
+ 795 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/231115-1ml3qaec54/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Blocklisted process makes network request
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/56f2f2548297/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56f2f2548297d7b72af40b7898d1dabe2dcb8090388985b218f4452d1a9c6ebf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments