MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
SHA3-384 hash: a185eeee79e30e4e64b7ea5fed9dbd2bd12d29bfd4e09eb503f0c9785539f2f4744cdc7d716cb257274c5ba246f467f6
SHA1 hash: 1923531f83287c5868487da46168282fe63f3d90
MD5 hash: 20b45006d95c15c4f0cab113b928202f
humanhash: emma-purple-fillet-robert
File name:20b45006d95c15c4f0cab113b928202f.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'382'848 bytes
First seen:2023-12-15 06:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:18vSnJLx54y5aPWqnkOsbcpkQ1NOwMdwrHQ2mujs3wwpe0ORhxtBV+:WSnJLx54yI34bc2wEKnmUwpHORhxV+
Threatray 1 similar samples on MalwareBazaar
TLSH T122B5330397D88D71D9E4E3B03DB50386163F78A128E9CBA9377168DF9971AD850363A3
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
77.105.132.161:5723

Intelligence

File Origin
# of uploads :
1
# of downloads :
333
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467524/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Running batch commands
Searching for the window
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657bedf710642636b38989b9/reports/a673931b-e61c-4646-ab12-285f1c17b5ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aee7f63a-cfa6-48aa-821d-8b8d6f524a2c
Result
Threat name:
LummaC Stealer, RedLine, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362514
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362514 Sample: mBXp23QYCq.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 123 soupinterestoe.fun 2->123 125 reviveincapablewew.pw 2->125 127 16 other IPs or domains 2->127 173 Snort IDS alert for network traffic 2->173 175 Multi AV Scanner detection for domain / URL 2->175 177 Found malware configuration 2->177 179 20 other signatures 2->179 10 mBXp23QYCq.exe 1 4 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 1 1 2->15         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 97 C:\Users\user\AppData\Local\...\5SG4VN2.exe, PE32 10->97 dropped 99 C:\Users\user\AppData\Local\...\2eF5131.exe, PE32 10->99 dropped 20 5SG4VN2.exe 10->20         started        23 2eF5131.exe 15 3 10->23         started        26 WerFault.exe 13->26         started        28 WerFault.exe 13->28         started        30 WerFault.exe 13->30         started        157 127.0.0.1 unknown unknown 15->157 32 conhost.exe 18->32         started        34 conhost.exe 18->34         started        file6 process7 dnsIp8 181 Multi AV Scanner detection for dropped file 20->181 183 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->183 185 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->185 195 3 other signatures 20->195 36 explorer.exe 20->36 injected 139 transfer.sh 144.76.136.153, 443, 49734 HETZNER-ASDE Germany 23->139 187 Found many strings related to Crypto-Wallets (likely being stolen) 23->187 189 Writes to foreign memory regions 23->189 191 Allocates memory in foreign processes 23->191 193 Injects a PE file into a foreign processes 23->193 41 RegAsm.exe 15 68 23->41         started        signatures9 process10 dnsIp11 129 185.215.113.68, 49744, 80 WHOLESALECONNECTIONSNL Portugal 36->129 131 5.42.65.125, 49756, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 36->131 137 2 other IPs or domains 36->137 81 C:\Users\user\AppData\Local\Temp\B755.exe, PE32 36->81 dropped 83 C:\Users\user\AppData\Local\Temp\9593.exe, PE32 36->83 dropped 85 C:\Users\user\AppData\Local\Temp\7BD0.exe, PE32 36->85 dropped 93 4 other malicious files 36->93 dropped 197 System process connects to network (likely due to code injection or exploit) 36->197 199 Benign windows process drops PE files 36->199 43 9593.exe 36->43         started        47 B755.exe 36->47         started        49 78E1.exe 36->49         started        57 7 other processes 36->57 133 91.92.249.253, 49735, 50500 THEZONEBG Bulgaria 41->133 135 ipinfo.io 34.117.59.81, 443, 49737 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 41->135 87 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 41->87 dropped 89 C:\...\J8qUkTsuMs8T8dA08rqQU7RHXf3o8uPm.zip, Zip 41->89 dropped 91 C:\Users\user\AppData\...\FANBooster131.exe, PE32 41->91 dropped 95 2 other files (none is malicious) 41->95 dropped 201 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->201 203 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 41->203 205 Found many strings related to Crypto-Wallets (likely being stolen) 41->205 207 3 other signatures 41->207 51 cmd.exe 1 41->51         started        53 cmd.exe 41->53         started        55 WerFault.exe 41->55         started        file12 signatures13 process14 dnsIp15 101 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 43->101 dropped 209 Multi AV Scanner detection for dropped file 43->209 211 Writes to foreign memory regions 43->211 213 Allocates memory in foreign processes 43->213 223 2 other signatures 43->223 71 4 other processes 43->71 103 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 47->103 dropped 105 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 47->105 dropped 107 C:\Users\user\AppData\...\InstallSetup9.exe, PE32 47->107 dropped 109 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 47->109 dropped 60 InstallSetup9.exe 47->60         started        73 2 other processes 47->73 111 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 49->111 dropped 113 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 49->113 dropped 64 File1.exe 49->64         started        67 File2.exe 49->67         started        69 conhost.exe 49->69         started        215 Uses schtasks.exe or at.exe to add and modify task schedules 51->215 75 2 other processes 51->75 77 2 other processes 53->77 141 diagramfiremonkeyowwa.fun 104.21.18.224, 49749, 80 CLOUDFLARENETUS United States 57->141 143 soupinterestoe.fun 104.21.24.252, 49745, 80 CLOUDFLARENETUS United States 57->143 145 6 other IPs or domains 57->145 217 Detected unpacking (changes PE section rights) 57->217 219 Detected unpacking (overwrites its own PE header) 57->219 221 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 57->221 225 3 other signatures 57->225 79 4 other processes 57->79 file16 signatures17 process18 dnsIp19 147 api4.ipify.org 104.237.62.212 WEBNXUS United States 60->147 149 91.92.254.7 THEZONEBG Bulgaria 60->149 155 2 other IPs or domains 60->155 115 C:\Users\user\AppData\...\nsyECD9.tmp.exe, PE32 60->115 dropped 117 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 60->117 dropped 119 C:\Users\user\AppData\Local\...\INetC.dll, PE32 60->119 dropped 121 2 other files (1 malicious) 60->121 dropped 151 176.123.10.211, 47430, 49757 ALEXHOSTMD Moldova Republic of 64->151 159 Multi AV Scanner detection for dropped file 64->159 161 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->161 163 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 64->163 153 195.20.16.103, 18305, 49758 EITADAT-ASFI Finland 71->153 165 Tries to harvest and steal browser information (history, passwords, etc) 71->165 167 Tries to steal Crypto Currency Wallets 71->167 169 Sample uses process hollowing technique 73->169 171 Injects a PE file into a foreign processes 73->171 file20 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 06:11:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=conrfxkbzpksmxvupgzapyml7ca6xqpsm6d34q2qm633d76xc62a._file
Verdict:
malicious
Similar samples:
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
LummaStealer
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/231215-gxledscdc6/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SH256 hash:
0aa9f8be2a6cb4862d1fd423159080d2100f7adf8ced157d463460230049c31a
MD5 hash:
492ff386974529e80c08385cfef08765
SHA1 hash:
73ac0062ec57d058fd0f1ba161eb1f94cbc1120e
Link:
https://www.unpac.me/results/d302be86-0100-45b3-9c29-0f706c0743a1/
SH256 hash:
5beb56c9ec498f92b6f0ec37f333f2b1ba04e416e7485564e5aa85fcea3c1f11
MD5 hash:
e677ece7dc48bd78b9202533e2437cc5
SHA1 hash:
7060a79602288077377e4f9aff0d52e93b4a4872
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/d302be86-0100-45b3-9c29-0f706c0743a1/
Parent samples :
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
14d49605e8785b94ec8bfb7f2783d513f35793f291c45504aa7a58530eb61116
SH256 hash:
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
MD5 hash:
20b45006d95c15c4f0cab113b928202f
SHA1 hash:
1923531f83287c5868487da46168282fe63f3d90
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/d302be86-0100-45b3-9c29-0f706c0743a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467524/

Comments