MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
SHA3-384 hash: 9b4f4b533483078f59b0ebff08df9395e97b50047156a6a3e694eeff7afff63df265a5567f82a340fd75f2b71a0cef4c
SHA1 hash: cabae651d405d38bca12741194179ea9bb7afa80
MD5 hash: bf07127222e7e09de78d4fd32149882b
humanhash: johnny-wyoming-march-beer
File name:bf07127222e7e09de78d4fd32149882b.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'829'376 bytes
First seen:2023-12-11 09:15:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:ehL7mNgrcW3Uqz7E67bBbrdKqxpJ0qlojJbDgS:NQPE8bBbwqxpg2S
TLSH T1968523023BD15022E9B117B41DF30787173A7EE19975923F178598EA5C33AE97832B36
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://castlesideopwas.pw/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1.zip
Verdict:
Malicious activity
Analysis date:
2023-12-11 14:06:20 UTC
Tags:
risepro
Link:
https://app.any.run/tasks/e52ebf0a-08be-459e-8d8f-3c35fce6e4e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/464982/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a process
Launching a service
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Sending a UDP request
Forced system process termination
Searching for synchronization primitives
Changing a file
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Forced shutdown of a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin lolbin mokes packed rundll32 setupapi sfx shell32 xpack
Link:
https://www.filescan.io/uploads/6576d356855eb2633d6689cd/reports/2d2984ae-8b3d-4089-9844-c84af9d043bc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6627c47c-fe23-4490-8415-46127c6edaf1
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1358197
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1358197 Sample: RVUfb4bIt5.exe Startdate: 11/12/2023 Architecture: WINDOWS Score: 100 88 time.windows.com 2->88 90 ipinfo.io 2->90 118 Snort IDS alert for network traffic 2->118 120 Multi AV Scanner detection for domain / URL 2->120 122 Found malware configuration 2->122 124 16 other signatures 2->124 10 RVUfb4bIt5.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 10 501 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 20 other processes 2->18 signatures3 process4 file5 74 C:\Users\user\AppData\Local\...\BX7lI95.exe, PE32 10->74 dropped 76 C:\Users\user\AppData\Local\...\4dC065jy.exe, PE32 10->76 dropped 20 BX7lI95.exe 1 4 10->20         started        78 C:\...\gmWET8L_6Iwsh2gktJZ1ZgjYNKmoPLYL.zip, Zip 13->78 dropped 140 Antivirus detection for dropped file 13->140 142 Multi AV Scanner detection for dropped file 13->142 144 Tries to steal Mail credentials (via file / registry access) 13->144 158 4 other signatures 13->158 24 WerFault.exe 13->24         started        146 Disables Windows Defender (deletes autostart) 16->146 148 Tries to harvest and steal browser information (history, passwords, etc) 16->148 150 Exclude list of file types from scheduled, custom, and real-time scanning 16->150 152 Query firmware table information (likely to detect VMs) 18->152 154 Changes security center settings (notifications, updates, antivirus, firewall) 18->154 156 Machine Learning detection for dropped file 18->156 26 MpCmdRun.exe 18->26         started        28 WerFault.exe 18->28         started        30 WerFault.exe 18->30         started        signatures6 process7 file8 62 C:\Users\user\AppData\Local\...\3Fn30De.exe, PE32 20->62 dropped 64 C:\Users\user\AppData\Local\...\1Fz05dP5.exe, PE32 20->64 dropped 126 Antivirus detection for dropped file 20->126 128 Multi AV Scanner detection for dropped file 20->128 130 Machine Learning detection for dropped file 20->130 32 3Fn30De.exe 20->32         started        35 1Fz05dP5.exe 11 508 20->35         started        39 conhost.exe 26->39         started        signatures9 process10 dnsIp11 102 Antivirus detection for dropped file 32->102 104 Multi AV Scanner detection for dropped file 32->104 106 Machine Learning detection for dropped file 32->106 114 5 other signatures 32->114 41 explorer.exe 32->41 injected 92 193.233.132.51, 49701, 49702, 49703 FREE-NET-ASFREEnetEU Russian Federation 35->92 94 ipinfo.io 34.117.59.81, 443, 49704, 49705 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 35->94 66 C:\Users\user\AppData\...\FANBooster131.exe, PE32 35->66 dropped 68 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 35->68 dropped 70 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 35->70 dropped 72 2 other malicious files 35->72 dropped 108 Tries to steal Mail credentials (via file / registry access) 35->108 110 Found stalling execution ending in API Sleep call 35->110 112 Disables Windows Defender (deletes autostart) 35->112 116 6 other signatures 35->116 46 schtasks.exe 1 35->46         started        48 schtasks.exe 1 35->48         started        50 WerFault.exe 35->50         started        52 Conhost.exe 39->52         started        file12 signatures13 process14 dnsIp15 98 185.172.128.19, 49732, 80 NADYMSS-ASRU Russian Federation 41->98 100 81.19.131.34, 49731, 80 IVC-ASRU Russian Federation 41->100 80 C:\Users\user\AppData\Local\Temp\A81B.exe, PE32 41->80 dropped 82 C:\Users\user\AppData\Local\Temp\8A0D.exe, PE32 41->82 dropped 84 C:\Users\user\AppData\Local\Temp\81B4.exe, PE32 41->84 dropped 86 2 other malicious files 41->86 dropped 136 System process connects to network (likely due to code injection or exploit) 41->136 138 Benign windows process drops PE files 41->138 54 4620.exe 41->54         started        58 conhost.exe 46->58         started        60 conhost.exe 48->60         started        file16 signatures17 process18 dnsIp19 96 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 54->96 132 Multi AV Scanner detection for dropped file 54->132 134 Machine Learning detection for dropped file 54->134 signatures20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 11:11:45 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=avoe32t54zovhvbyny2gprknunso2572p6yrwuuol5okaduldkqq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:redline family:risepro family:smokeloader botnet:livetraffic backdoor collection discovery infostealer loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231211-k8fvtscae2/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
77.105.132.87:6731
Unpacked files
SH256 hash:
86ad3acb3a719a4510fb372cdf77210d1e54c9b9af6e9bf54809ef385e64565f
MD5 hash:
b5b00e333aaf957de81cc3a7f63f0e21
SHA1 hash:
9fbe51ef35cc05e7e3a7272f4855b7717fac7c0f
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/ac1644c4-00e8-441a-be6f-5f0d6a8b7a9e/
Parent samples :
0c7117e7bd2eb23d5205b3dac031ad2ed5a636488c2f54eb3d6003262f03e2a2
055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
SH256 hash:
3bca611dead53539a9d839033a1161b824105c39da9ce672eb4ad23e38f17bff
MD5 hash:
e8286bbb3d7880e492e28db2e5146e21
SHA1 hash:
4c35aaa1493570193522655365a796089c5ebb9f
Link:
https://www.unpac.me/results/ac1644c4-00e8-441a-be6f-5f0d6a8b7a9e/
SH256 hash:
055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
MD5 hash:
bf07127222e7e09de78d4fd32149882b
SHA1 hash:
cabae651d405d38bca12741194179ea9bb7afa80
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/ac1644c4-00e8-441a-be6f-5f0d6a8b7a9e/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/055c4dea7de6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/464982/

Comments