MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9
SHA3-384 hash: 6d73dca61c398126ef8a33251c090a3b7df6510e2147032fc646fd627a7011e04ab2b688a97129e085413461f9b80827
SHA1 hash: 9f8b4101e5fce5d368b72283ef022e394e812091
MD5 hash: 14125442334d4296668b2f0ac9423dd0
humanhash: ack-ceiling-august-autumn
File name:14125442334d4296668b2f0ac9423dd0.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:38'568 bytes
First seen:2023-11-29 05:25:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:f8FhylJE+hwr5hN7F0I0bQyvUgq65DQVi:f8qlJEQwrDNuIyvD5sV
TLSH T10803D08344796A18CA15BE36011188E2F6D5B394F6582101F7CC9CFBBF2E784E75BA09
TrID 42.6% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.9% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
194.49.94.80:29960

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
14125442334d4296668b2f0ac9423dd0.exe
Verdict:
Malicious activity
Analysis date:
2023-11-29 05:28:13 UTC
Tags:
loader smoke smokeloader
Link:
https://app.any.run/tasks/8377dde1-669b-4ac8-8aaf-63c110146584

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/461111/
Detection(s):
Win.Packed.Smokeloader-10015040-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Heur.Generic
Link:
https://www.hybrid-analysis.com/sample/13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2cb5efe8-547a-4e16-8160-7e9487990edd
Result
Threat name:
Glupteba, LummaC Stealer, RedLine, Smoke
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349718
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DNS related to crypt mining pools
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349718 Sample: qZTW6BQiPB.exe Startdate: 29/11/2023 Architecture: WINDOWS Score: 100 136 xmr-eu1.nanopool.org 2->136 138 pastebin.com 2->138 140 21 other IPs or domains 2->140 166 Multi AV Scanner detection for domain / URL 2->166 168 Found malware configuration 2->168 170 Malicious sample detected (through community Yara rule) 2->170 176 24 other signatures 2->176 13 qZTW6BQiPB.exe 2->13         started        16 XsdType.exe 2->16         started        18 sfjabdh 2->18         started        20 svchost.exe 2->20         started        signatures3 172 DNS related to crypt mining pools 136->172 174 Connects to a pastebin service (likely for C&C) 138->174 process4 dnsIp5 218 Found evasive API chain (may stop execution after checking system information) 13->218 220 Found API chain indicative of debugger detection 13->220 222 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->222 224 Creates a thread in another existing process (thread injection) 13->224 23 explorer.exe 22 23 13->23 injected 226 Multi AV Scanner detection for dropped file 16->226 228 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->228 230 Modifies the context of a thread in another process (thread injection) 16->230 232 Injects a PE file into a foreign processes 16->232 28 XsdType.exe 16->28         started        234 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 18->234 236 Maps a DLL or memory area into another process 18->236 238 Checks if the current machine is a virtual machine (disk enumeration) 18->238 142 127.0.0.1 unknown unknown 20->142 signatures6 process7 dnsIp8 144 185.196.8.238, 49735, 80 SIMPLECARRER2IT Switzerland 23->144 146 5.42.65.80, 49737, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 23->146 148 3 other IPs or domains 23->148 88 C:\Users\user\AppData\Roaming\sfjabdh, PE32 23->88 dropped 90 C:\Users\user\AppData\Roaming\hujabdh, PE32 23->90 dropped 92 C:\Users\user\AppData\Local\Temp\FF7A.exe, PE32 23->92 dropped 94 9 other malicious files 23->94 dropped 178 System process connects to network (likely due to code injection or exploit) 23->178 180 Benign windows process drops PE files 23->180 182 Deletes itself after installation 23->182 192 2 other signatures 23->192 30 C654.exe 23->30         started        34 DAD7.exe 23->34         started        36 A05C.exe 3 23->36         started        40 7 other processes 23->40 184 Writes to foreign memory regions 28->184 186 Modifies the context of a thread in another process (thread injection) 28->186 188 Sample uses process hollowing technique 28->188 190 Injects a PE file into a foreign processes 28->190 38 MSBuild.exe 28->38         started        file9 signatures10 process11 dnsIp12 116 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 30->116 dropped 118 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 30->118 dropped 120 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 30->120 dropped 126 2 other malicious files 30->126 dropped 240 Multi AV Scanner detection for dropped file 30->240 43 tuc3.exe 30->43         started        47 toolspub2.exe 30->47         started        49 31839b57a4f11171d6abc8bbc4451ee4.exe 30->49         started        59 4 other processes 30->59 122 C:\Users\user\AppData\Local\Temp\...\DAD7.tmp, PE32 34->122 dropped 51 DAD7.tmp 34->51         started        242 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->242 244 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->244 246 Modifies the context of a thread in another process (thread injection) 36->246 53 A05C.exe 5 36->53         started        248 Sample uses process hollowing technique 38->248 250 Injects a PE file into a foreign processes 38->250 150 194.169.175.235, 42691, 49736 CLOUDCOMPUTINGDE Germany 40->150 152 ip-api.com 208.95.112.1 TUT-ASUS United States 40->152 154 9 other IPs or domains 40->154 124 C:\Users\user\AppData\Roaming\wabzaZXb.exe, PE32 40->124 dropped 252 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->252 254 Found many strings related to Crypto-Wallets (likely being stolen) 40->254 256 Tries to harvest and steal browser information (history, passwords, etc) 40->256 258 Tries to steal Crypto Currency Wallets 40->258 55 conhost.exe 40->55         started        57 conhost.exe 40->57         started        61 2 other processes 40->61 file13 signatures14 process15 file16 106 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 43->106 dropped 194 Multi AV Scanner detection for dropped file 43->194 63 tuc3.tmp 43->63         started        196 Detected unpacking (changes PE section rights) 47->196 198 Contains functionality to inject code into remote processes 47->198 200 Injects a PE file into a foreign processes 47->200 65 toolspub2.exe 47->65         started        202 Detected unpacking (overwrites its own PE header) 49->202 204 UAC bypass detected (Fodhelper) 49->204 206 Found Tor onion address 49->206 208 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 49->208 68 DAD7.exe 51->68         started        108 C:\Users\user\AppData\Local\...\XsdType.exe, PE32+ 53->108 dropped 210 Found many strings related to Crypto-Wallets (likely being stolen) 53->210 110 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 59->110 dropped 112 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 59->112 dropped 114 C:\Windows\System32\drivers\etc\hosts, ASCII 59->114 dropped 212 Modifies the hosts file 59->212 214 Adds a directory exclusion to Windows Defender 59->214 71 Broom.exe 59->71         started        signatures17 process18 file19 73 tuc3.exe 63->73         started        156 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 65->156 158 Maps a DLL or memory area into another process 65->158 160 Checks if the current machine is a virtual machine (disk enumeration) 65->160 162 Creates a thread in another existing process (thread injection) 65->162 86 C:\Users\user\AppData\Local\Temp\...\DAD7.tmp, PE32 68->86 dropped 76 DAD7.tmp 68->76         started        164 Multi AV Scanner detection for dropped file 71->164 signatures20 process21 file22 96 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 73->96 dropped 79 tuc3.tmp 73->79         started        98 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 76->98 dropped 100 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 76->100 dropped 102 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 76->102 dropped 104 12 other files (11 malicious) 76->104 dropped 216 Uses schtasks.exe or at.exe to add and modify task schedules 76->216 82 schtasks.exe 76->82         started        signatures23 process24 file25 128 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 79->128 dropped 130 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 79->130 dropped 132 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 79->132 dropped 134 12 other files (11 malicious) 79->134 dropped 84 conhost.exe 82->84         started        process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-23 21:03:33 UTC
File Type:
PE (Exe)
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpasro5lmd3hzzj4qxbczpxu3tj5zvselj6slev2mqfh7utc7tuq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:redline family:smokeloader family:xworm family:zgrat botnet:@ytlogsbot botnet:livetraffic backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/231129-f4ve7see54/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Stops running service(s)
Detect Xworm Payload
Detect ZGRat V1
Glupteba
RedLine
RedLine payload
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
ZGRat
Malware Config
C2 Extraction:
http://194.49.94.210/fks/index.php
194.169.175.235:42691
personal-singing.gl.at.ply.gg:32927
195.10.205.16:2245
Unpacked files
SH256 hash:
13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9
MD5 hash:
14125442334d4296668b2f0ac9423dd0
SHA1 hash:
9f8b4101e5fce5d368b72283ef022e394e812091
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/d0719b88-c880-439c-bc5b-45ca26fc48c3/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13c128bbab60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/13c128bbab60f67ce53c85c22cbef4dcd3dcd6445a7d2592ba640a7fd262fce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/461111/

Comments