MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e
SHA3-384 hash: 69b2e7793f8fa6eec041c5b6b187221030a0ac38d96f4445f3f6fb476a332f2db223c084b4a9010ae02b38af403ce544
SHA1 hash: 4201196ce31d1e0ca784631cf250ab829a5990ca
MD5 hash: b5c75ef13d89dc4880ce5b213f625227
humanhash: uniform-timing-river-two
File name:b5c75ef13d89dc4880ce5b213f625227.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'701'312 bytes
First seen:2023-12-08 23:10:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:PonBnj4ydoQMNqvDY/VcQZW7ZC8+LNYzUr5KFM8v7pcnsTqCowAklQLaoSJlsWjE:GJjrdo7X/CQZwUNLSzUr5KFD76sGrOO7
Threatray 584 similar samples on MalwareBazaar
TLSH T10CC533A5B8F990B3E5620B30DEFF03D7353779A511ECD36A1641EF871C92A92892131B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
77.105.132.87:14418

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/463808/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Changing a file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Creating a window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6573a287da3178d99cdd914d/reports/059c24d9-971d-49f2-86f0-7b355f5e26b0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c379e6d4-a8a9-4cb0-9a50-2256ff151064
Result
Threat name:
PrivateLoader, PureLog Stealer, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356658
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356658 Sample: xAyskQ8spR.exe Startdate: 09/12/2023 Architecture: WINDOWS Score: 100 114 time.windows.com 2->114 116 ipinfo.io 2->116 144 Snort IDS alert for network traffic 2->144 146 Found malware configuration 2->146 148 Malicious sample detected (through community Yara rule) 2->148 150 14 other signatures 2->150 13 xAyskQ8spR.exe 1 4 2->13         started        17 svchost.exe 2->17         started        19 svchost.exe 1 2->19         started        21 14 other processes 2->21 signatures3 process4 file5 104 C:\Users\user\AppData\Local\...\AS0Ce75.exe, PE32 13->104 dropped 106 C:\Users\user\AppData\Local\...\6tX8aH0.exe, PE32 13->106 dropped 212 Binary is likely a compiled AutoIt script file 13->212 23 AS0Ce75.exe 1 4 13->23         started        214 Changes security center settings (notifications, updates, antivirus, firewall) 17->214 216 Query firmware table information (likely to detect VMs) 19->216 signatures6 process7 file8 80 C:\Users\user\AppData\Local\...\aR3mj83.exe, PE32 23->80 dropped 82 C:\Users\user\AppData\Local\...\5tM5yS4.exe, PE32 23->82 dropped 186 Antivirus detection for dropped file 23->186 188 Machine Learning detection for dropped file 23->188 27 aR3mj83.exe 1 4 23->27         started        signatures9 process10 file11 84 C:\Users\user\AppData\Local\...\SN2jt52.exe, PE32 27->84 dropped 86 C:\Users\user\AppData\Local\...\4Is100Yv.exe, PE32 27->86 dropped 190 Antivirus detection for dropped file 27->190 192 Machine Learning detection for dropped file 27->192 31 SN2jt52.exe 1 4 27->31         started        35 4Is100Yv.exe 27->35         started        signatures12 process13 file14 108 C:\Users\user\AppData\Local\...\3iB53lY.exe, PE32 31->108 dropped 110 C:\Users\user\AppData\Local\...\1py49yx4.exe, PE32 31->110 dropped 132 Antivirus detection for dropped file 31->132 134 Machine Learning detection for dropped file 31->134 37 3iB53lY.exe 31->37         started        40 1py49yx4.exe 31->40         started        112 C:\...\05nfUjzhdMYZqdAA26r7XO0T1Rzuhzhw.zip, Zip 35->112 dropped 136 Tries to steal Mail credentials (via file / registry access) 35->136 138 Disables Windows Defender (deletes autostart) 35->138 140 Tries to harvest and steal browser information (history, passwords, etc) 35->140 142 3 other signatures 35->142 signatures15 process16 signatures17 170 Antivirus detection for dropped file 37->170 172 Machine Learning detection for dropped file 37->172 174 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->174 184 4 other signatures 37->184 42 explorer.exe 37->42 injected 176 Contains functionality to inject code into remote processes 40->176 178 Writes to foreign memory regions 40->178 180 Allocates memory in foreign processes 40->180 182 Injects a PE file into a foreign processes 40->182 47 AppLaunch.exe 11 508 40->47         started        49 AppLaunch.exe 40->49         started        process18 dnsIp19 122 185.196.8.238, 49725, 49731, 80 SIMPLECARRER2IT Switzerland 42->122 124 185.172.128.19, 80 NADYMSS-ASRU Russian Federation 42->124 126 81.19.131.34, 49709, 80 IVC-ASRU Russian Federation 42->126 88 C:\Users\user\AppData\Local\TempE.exe, PE32 42->88 dropped 90 C:\Users\user\AppData\Local\Temp789.exe, PE32 42->90 dropped 92 C:\Users\user\AppData\Local\Temp\799E.exe, PE32+ 42->92 dropped 100 4 other malicious files 42->100 dropped 194 System process connects to network (likely due to code injection or exploit) 42->194 196 Benign windows process drops PE files 42->196 51 6558.exe 42->51         started        55 74EA.exe 42->55         started        58 799E.exe 42->58         started        64 3 other processes 42->64 128 193.233.132.51, 49699, 49701, 50500 FREE-NET-ASFREEnetEU Russian Federation 47->128 130 ipinfo.io 34.117.59.81, 443, 49700, 49703 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 47->130 94 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 47->94 dropped 96 C:\...\bGGI9CV1EM_TJz6lcFCL3QFXk4Chy0wX.zip, Zip 47->96 dropped 98 C:\Users\user\AppData\...\FANBooster131.exe, PE32 47->98 dropped 102 2 other files (none is malicious) 47->102 dropped 198 Tries to steal Mail credentials (via file / registry access) 47->198 200 Disables Windows Defender (deletes autostart) 47->200 202 Exclude list of file types from scheduled, custom, and real-time scanning 47->202 210 3 other signatures 47->210 60 schtasks.exe 47->60         started        62 schtasks.exe 47->62         started        204 Found stalling execution ending in API Sleep call 49->204 206 Contains functionality to inject threads in other processes 49->206 208 Uses schtasks.exe or at.exe to add and modify task schedules 49->208 file20 signatures21 process22 dnsIp23 76 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 51->76 dropped 78 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 51->78 dropped 160 Machine Learning detection for dropped file 51->160 66 File2.exe 51->66         started        70 conhost.exe 51->70         started        120 77.105.132.87, 20104, 49719 PLUSTELECOM-ASRU Russian Federation 55->120 162 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 55->162 164 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 55->164 166 Modifies the context of a thread in another process (thread injection) 58->166 168 Injects a PE file into a foreign processes 58->168 72 conhost.exe 60->72         started        74 conhost.exe 62->74         started        file24 signatures25 process26 dnsIp27 118 176.123.7.190, 32927, 49713 ALEXHOSTMD Moldova Republic of 66->118 152 Antivirus detection for dropped file 66->152 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 66->154 156 Machine Learning detection for dropped file 66->156 158 2 other signatures 66->158 signatures28
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 21:53:26 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgjci6xtbnz2t44t2oehludfdmkxrnybcirldyzluu5s6guj4mha._file
Verdict:
malicious
Similar samples:
0242eddb9768c2a6d56474f89f628768e59609b44d7cc86c9fa08b705ca8961a
LummaStealer
328fe310cb920d9960528314b0c42eff2c9837dd1ee206f9e89d94a3c142f856
LummaStealer
4e70f9de2a4e122b0ba1db7c63ac443e39bbfd9e2b475e8fb29d12ad964bfd7e
LummaStealer
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
LummaStealer
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
LummaStealer
be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
LummaStealer
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
LummaStealer
dd03c4fca5313ff02b2cdeccab3b90ef0c51a6a6122cc7c0e92629f9197b0dae
LummaStealer
+ 574 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231208-2593yadcdj/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
Link:
https://www.unpac.me/results/66b02f99-f098-428a-b5d0-597f4b28e860/
SH256 hash:
6145d3f82746ff6b56518804ed6b4b7011afd6c535ff94713f369fec998bcf81
MD5 hash:
c5c0064ea05a4ea02c69e488f42adf04
SHA1 hash:
26d14bd7d7e41f922c0911858aee3715f429ae70
Link:
https://www.unpac.me/results/66b02f99-f098-428a-b5d0-597f4b28e860/
SH256 hash:
0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e
MD5 hash:
b5c75ef13d89dc4880ce5b213f625227
SHA1 hash:
4201196ce31d1e0ca784631cf250ab829a5990ca
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/66b02f99-f098-428a-b5d0-597f4b28e860/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0992247af30b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 0992247af30b73a9f393d38875d0651b1578b7011222b1e32ba53b2f1a89e30e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/463808/
  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download

Comments