MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
SHA3-384 hash: 4eaab2d6a55be8301ca06785cfcc397e52414a2afd3870fa3407b65f294cfaf13f8795c6e21956573fa5a6cbe1ce8bc6
SHA1 hash: 23ba4dfb817d0e31dfdb18ebf3f9392278d5d697
MD5 hash: 110962b369a9be33655e8232d1a47ec5
humanhash: vegan-pennsylvania-fix-kitten
File name:110962b369a9be33655e8232d1a47ec5.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:955'392 bytes
First seen:2023-10-23 04:50:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:xyRHNW2ntY4XGU9i27LPFvc5ePvSiJ87cVN:kJhtY4z17LFkAaia7
Threatray 1'915 similar samples on MalwareBazaar
TLSH T193152343B7E89032DCB42B7019F603831D25BCE158BA879B6655B8A90CB33D5E57732B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
109.107.182.133:19084

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-18 02:42:38 UTC
Tags:
stealc stealer redline amadey botnet trojan opendir loader
Link:
https://app.any.run/tasks/1f764798-ad8d-4d97-9db1-14d231b92875

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009289-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Launching a service
Creating a file
Creating a window
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack amadey anti-vm CAB control explorer greyware installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6535fbb64678fc28dfc5594f/reports/3924bce1-6de8-4a76-bad9-96c417057653/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e132137e-64f8-4d94-a2a4-2942d3cdd7d6
Result
Threat name:
Amadey, LummaC Stealer, Mystic Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330290
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330290 Sample: mIwIG7MZ7E.exe Startdate: 23/10/2023 Architecture: WINDOWS Score: 100 162 raw.githubusercontent.com 2->162 164 my.gusel.mom 2->164 166 16 other IPs or domains 2->166 200 Snort IDS alert for network traffic 2->200 202 Found malware configuration 2->202 204 Malicious sample detected (through community Yara rule) 2->204 206 19 other signatures 2->206 15 mIwIG7MZ7E.exe 1 4 2->15         started        18 svchost.exe 2->18         started        21 rundll32.exe 2->21         started        23 2 other processes 2->23 signatures3 process4 dnsIp5 144 C:\Users\user\AppData\Local\...\BL0sw56.exe, PE32 15->144 dropped 146 C:\Users\user\AppData\Local\...\5ml1iI8.exe, PE32 15->146 dropped 25 BL0sw56.exe 1 4 15->25         started        168 127.0.0.1 unknown unknown 18->168 file6 process7 file8 112 C:\Users\user\AppData\Local\...\gG3of17.exe, PE32 25->112 dropped 114 C:\Users\user\AppData\Local\...\4OP667RT.exe, PE32 25->114 dropped 216 Antivirus detection for dropped file 25->216 218 Multi AV Scanner detection for dropped file 25->218 220 Machine Learning detection for dropped file 25->220 29 gG3of17.exe 1 4 25->29         started        33 4OP667RT.exe 2 25->33         started        signatures9 process10 dnsIp11 140 C:\Users\user\AppData\Local\...\vt0nd83.exe, PE32 29->140 dropped 142 C:\Users\user\AppData\Local\...\3GA79bK.exe, PE32 29->142 dropped 260 Multi AV Scanner detection for dropped file 29->260 262 Machine Learning detection for dropped file 29->262 36 3GA79bK.exe 29->36         started        39 vt0nd83.exe 1 4 29->39         started        160 77.91.124.55, 19071 ECOTEL-ASRU Russian Federation 33->160 264 Antivirus detection for dropped file 33->264 file12 signatures13 process14 file15 208 Multi AV Scanner detection for dropped file 36->208 210 Machine Learning detection for dropped file 36->210 212 Writes to foreign memory regions 36->212 214 2 other signatures 36->214 42 AppLaunch.exe 36->42         started        45 AppLaunch.exe 36->45         started        47 AppLaunch.exe 36->47         started        49 AppLaunch.exe 36->49         started        108 C:\Users\user\AppData\Local\...\2Bx8629.exe, PE32 39->108 dropped 110 C:\Users\user\AppData\Local\...\1rc94Hu2.exe, PE32 39->110 dropped 51 1rc94Hu2.exe 39->51         started        53 2Bx8629.exe 12 39->53         started        signatures16 process17 dnsIp18 222 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->222 224 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->224 226 Maps a DLL or memory area into another process 42->226 234 2 other signatures 42->234 56 explorer.exe 35 40 42->56 injected 228 Multi AV Scanner detection for dropped file 51->228 230 Contains functionality to inject code into remote processes 51->230 232 Writes to foreign memory regions 51->232 236 2 other signatures 51->236 61 AppLaunch.exe 9 1 51->61         started        170 5.42.92.88, 49707, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 53->170 signatures19 process20 dnsIp21 178 5.42.65.80, 49726, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 56->178 180 77.91.68.249, 49712, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 56->180 182 6 other IPs or domains 56->182 116 C:\Users\user\AppData\Local\Temp\CF86.exe, PE32+ 56->116 dropped 118 C:\Users\user\AppData\Local\Temp\B5F2.exe, PE32 56->118 dropped 120 C:\Users\user\AppData\Local\Temp\B276.exe, PE32+ 56->120 dropped 122 14 other files (13 malicious) 56->122 dropped 238 System process connects to network (likely due to code injection or exploit) 56->238 240 Benign windows process drops PE files 56->240 242 Hides that the sample has been downloaded from the Internet (zone.identifier) 56->242 63 2B27.exe 56->63         started        67 3A7E.exe 56->67         started        69 3423.exe 56->69         started        72 6 other processes 56->72 244 Modifies windows update settings 61->244 246 Disable Windows Defender notifications (registry) 61->246 248 Disable Windows Defender real time protection (registry) 61->248 file22 signatures23 process24 dnsIp25 148 C:\Users\user\AppData\Local\...\Oj0XG9WN.exe, PE32 63->148 dropped 150 C:\Users\user\AppData\Local\...\6QT54ze.exe, PE32 63->150 dropped 190 Antivirus detection for dropped file 63->190 192 Machine Learning detection for dropped file 63->192 74 Oj0XG9WN.exe 63->74         started        152 C:\Users\user\AppData\Local\...\explothe.exe, PE32 67->152 dropped 194 Multi AV Scanner detection for dropped file 67->194 78 explothe.exe 67->78         started        172 109.107.182.133, 19084, 49725 TELEPORT-TV-ASRU Russian Federation 69->172 196 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 69->196 198 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 69->198 174 171.22.28.239 CMCSUS Germany 72->174 176 193.233.255.73, 49713, 49743, 80 FREE-NET-ASFREEnetEU Russian Federation 72->176 81 chrome.exe 72->81         started        83 chrome.exe 72->83         started        85 conhost.exe 72->85         started        87 conhost.exe 72->87         started        file26 signatures27 process28 dnsIp29 132 C:\Users\user\AppData\Local\...\Jr1gb5uz.exe, PE32 74->132 dropped 134 C:\Users\user\AppData\Local\...\5KO40ys.exe, PE32 74->134 dropped 250 Antivirus detection for dropped file 74->250 252 Machine Learning detection for dropped file 74->252 89 Jr1gb5uz.exe 74->89         started        184 77.91.124.1 ECOTEL-ASRU Russian Federation 78->184 136 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 78->136 dropped 138 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 78->138 dropped 254 Multi AV Scanner detection for dropped file 78->254 256 Creates an undocumented autostart registry key 78->256 258 Uses schtasks.exe or at.exe to add and modify task schedules 78->258 92 cmd.exe 78->92         started        94 schtasks.exe 78->94         started        186 192.168.2.8, 19071, 19084, 443 unknown unknown 81->186 188 239.255.255.250 unknown Reserved 81->188 96 chrome.exe 81->96         started        99 chrome.exe 81->99         started        101 chrome.exe 81->101         started        103 chrome.exe 83->103         started        file30 signatures31 process32 dnsIp33 124 C:\Users\user\AppData\Local\...\Fv8Mo1PY.exe, PE32 89->124 dropped 126 C:\Users\user\AppData\Local\...\4DQ755Gv.exe, PE32 89->126 dropped 105 Fv8Mo1PY.exe 89->105         started        154 play.google.com 142.251.163.113 GOOGLEUS United States 96->154 156 www.google.com 142.251.167.106, 443, 49733 GOOGLEUS United States 96->156 158 9 other IPs or domains 96->158 file34 process35 file36 128 C:\Users\user\AppData\Local\...\Zk2oz4wh.exe, PE32 105->128 dropped 130 C:\Users\user\AppData\Local\...\3oU2TM40.exe, PE32 105->130 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 00:02:07 UTC
File Type:
PE (Exe)
Extracted files:
154
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=chrtkhvpjcff4u23ekmpnpzjptk4bmx7hcgvd5dvfpaodtlk4jeq._file
Verdict:
malicious
Similar samples:
16d1a075654019ae8daaa42fdd5de6900f9956c9bcd76d0213678af49acacacf
LummaStealer
23c75b462ee1e4841407d4238fdcac1842a610078813b7765e6c11f9f4514778
LummaStealer
48f7a5ea24629389edc536091f1926ebc0ed159a000f31e847e90c9fa5d5ab34
LummaStealer
4fcea54a9c17fac90f3b6b0d80308d5f2b7ae10c2bf51e495aed311cf2dee18a
LummaStealer
7c5e9ace70e1d7b0e4b4b326839a1f1d82ae8c1c4136fe3e86b627b278d59b4a
LummaStealer
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
LummaStealer
97a6ff69b40f3587e4a792235f4cddd5dbc76940ae8630e9e474c807ad1634e4
LummaStealer
b3ef8346783b53a63fd52fa50cfba5f0322ee95dc1f723bee0405c4d5c44263b
LummaStealer
f88cd251b69365735b28791a22f55c246039ea1358b594f08972ca465fae617c
LummaStealer
fe4f8b33ff60d985d2f5d380316ea4ce24694023bb908a2dca98a35a7ca6cdf6
LummaStealer
+ 1'905 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:dcrat family:glupteba family:redline family:smokeloader botnet:5141679758_99 botnet:breha botnet:default botnet:homed botnet:kinder botnet:up3 botnet:yt&team cloud backdoor brand:google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
Link:
https://tria.ge/reports/231023-fgtkdsga82/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Modifies boot configuration data using bcdedit
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Async RAT payload
Amadey
AsyncRat
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
109.107.182.133:19084
http://77.91.124.1/theme/index.php
https://pastebin.com/raw/8baCJyMF
185.216.70.238:37515
http://host-file-host6.com/
http://host-host-file8.com/
89.23.100.93:4449
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
f78203ebf40c0daaf16a8a6688741035b7111dc6b96ba3d2c734eddb1227ecd9
MD5 hash:
536909dccc196cb255f72d39784d78e4
SHA1 hash:
be8e4cc4d7fc09242707ad62bb48e699dd40d25c
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
SH256 hash:
ae7690bc4389cb9ece251c13016c695ba04e4cb7bb347737e02d5756c4fb9980
MD5 hash:
fe3032fd9395475a96db5ae565f897f0
SHA1 hash:
3653d73f235d264b21d68b18e16fc0928ec863bf
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
SH256 hash:
7f221d0dfa9fdf2f49392c09fda67c40f8e0c38b5bbefb6642a6d076708bb40f
MD5 hash:
e6e3048f2f6682f8da6a47b09eb41644
SHA1 hash:
41bfad845759e46d7d17ef807633fa9575658a3b
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
Parent samples :
ef16f375089c6984ae1326a75d99286c0f3db65df99faafbbca6f460c4ad2513
cc45e1788e5bff3ee10134539c0fdcb4ad37aa0897c7c56d8006983b09094cfb
f68aa2678500c7f6c6485629b58d26c2aa99c7b55df33a75c75f56dcd112c675
38754b705fa71cd3c0868a4a41105693bbb48017da92c1b5bb580f52e3960f91
3b7e76a597382a194137293fdc587ea0154b1eb70d0666765cf9cd3377516367
11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
SH256 hash:
2a04b6d19067d605550da1bf09a15003f968120458bf55e01320f1100f206e19
MD5 hash:
5e80de50a8680853b74d449b03ec87f1
SHA1 hash:
bbaeaa39256c4baaaa1bae4c5191a3bc976ea3c7
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
Parent samples :
8457743aaba419d629a240435fdfd954f80c38caa91acb9fc70918c91a40b218
cc45e1788e5bff3ee10134539c0fdcb4ad37aa0897c7c56d8006983b09094cfb
331851528995da5cbcf726e0bacca9bd6c9282edc6274f141bb3a57b6d959834
f68aa2678500c7f6c6485629b58d26c2aa99c7b55df33a75c75f56dcd112c675
38754b705fa71cd3c0868a4a41105693bbb48017da92c1b5bb580f52e3960f91
3b7e76a597382a194137293fdc587ea0154b1eb70d0666765cf9cd3377516367
11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
SH256 hash:
11e3351eaf488a5e535b2298f6bf297cd5c0b2ff388d51f4752bc0e1cd6ae249
MD5 hash:
110962b369a9be33655e8232d1a47ec5
SHA1 hash:
23ba4dfb817d0e31dfdb18ebf3f9392278d5d697
Link:
https://www.unpac.me/results/bd10627f-d691-4898-a227-dc8d68719c70/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11e3351eaf48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments