MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77
SHA3-384 hash: 922abebeacb0d9b5001b6a0a90c53d2e09767e46a31129433a28c7d08dd9e9986194751dad15d321498dcad2a3f25319
SHA1 hash: ac4adf84461231d520510686e67857fd79dd1446
MD5 hash: 22a82ac400f4d28fd989241a9a7ed147
humanhash: floor-robin-foxtrot-july
File name:SecuriteInfo.com.Win32.PWSX-gen.21535.2911
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'388'032 bytes
First seen:2024-01-18 17:34:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc5d3d653af3c3decf6e755f0007c4f6 (11 x Amadey, 1 x LummaStealer)
ssdeep 24576:qOirYjVT3Nohenc5GT4XJvAD0zJLSaqhH10DfGwXrZ76XYtcGuPYz38DbEF0:LirCQh8csTMv60z8aqhHOzT7Z76XYNzK
TLSH T16755339AE16AC30EDC94B77ABCFF1CADE225BE948D60D369B1C73042C9D37048799419
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77.exe
Verdict:
Malicious activity
Analysis date:
2024-01-18 17:46:55 UTC
Tags:
amadey botnet stealer redline loader stealc fabookie
Link:
https://app.any.run/tasks/c6cb0512-31ad-40b6-94a3-0f5f129e9d2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471546/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21535.2911.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma lolbin masquerade obfuscated packed packed shell32
Link:
https://www.filescan.io/uploads/65a9614994d1aebfb2a5c4ec/reports/d89c8025-c581-4aaa-9d31-dcfc4ef3a582/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95b5b0d6-9ce7-4dfa-822b-ca27b61c0533
Result
Threat name:
LummaC, Amadey, Fabookie, Glupteba, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1376948
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1376948 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 18/01/2024 Architecture: WINDOWS Score: 100 109 www.aorp.org.br 2->109 111 lastbishopmultiplyeow.site 2->111 113 8 other IPs or domains 2->113 135 Snort IDS alert for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 21 other signatures 2->141 10 SecuriteInfo.com.Win32.PWSX-gen.21535.2911.exe 5 2->10         started        14 iojmibhyhiws.exe 2->14         started        16 svchost.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 file5 89 C:\Users\user\AppData\Local\...\explorhe.exe, PE32 10->89 dropped 169 Detected unpacking (changes PE section rights) 10->169 171 Hides threads from debuggers 10->171 20 explorhe.exe 53 10->20         started        173 Antivirus detection for dropped file 14->173 175 Multi AV Scanner detection for dropped file 14->175 177 Tries to evade debugger and weak emulator (self modifying code) 14->177 179 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->179 25 WerFault.exe 16->25         started        27 WerFault.exe 16->27         started        signatures6 process7 dnsIp8 115 185.215.113.68, 49706, 49707, 49712 WHOLESALECONNECTIONSNL Portugal 20->115 117 aorp.org.br 192.185.223.216, 443, 49711, 49714 UNIFIEDLAYER-AS-1US United States 20->117 119 2 other IPs or domains 20->119 73 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 20->73 dropped 75 C:\Users\user\AppData\Local\...\planet.exe, PE32 20->75 dropped 77 C:\Users\user\AppData\Local\...\322321.exe, PE32+ 20->77 dropped 79 23 other malicious files 20->79 dropped 143 Multi AV Scanner detection for dropped file 20->143 145 Detected unpacking (changes PE section rights) 20->145 147 Creates an undocumented autostart registry key 20->147 149 4 other signatures 20->149 29 latestrocki.exe 20->29         started        33 newbuild.exe 20->33         started        35 crypted.exe 20->35         started        37 8 other processes 20->37 file9 signatures10 process11 dnsIp12 91 C:\Users\user\AppData\Local\...\toolspub1.exe, PE32 29->91 dropped 93 C:\Users\user\AppData\Local\Temp\rty25.exe, PE32+ 29->93 dropped 95 C:\Users\user\AppData\...\InstallSetup7.exe, PE32 29->95 dropped 97 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 29->97 dropped 181 Multi AV Scanner detection for dropped file 29->181 40 InstallSetup7.exe 29->40         started        45 toolspub1.exe 29->45         started        47 31839b57a4f11171d6abc8bbc4451ee4.exe 29->47         started        99 C:\Users\user\AppData\...\ms_updater.exe, PE32 33->99 dropped 101 C:\Users\user\AppData\Roaming\ms_tool.exe, PE32 33->101 dropped 49 ms_updater.exe 33->49         started        183 Writes to foreign memory regions 35->183 185 Allocates memory in foreign processes 35->185 187 Injects a PE file into a foreign processes 35->187 51 RegAsm.exe 35->51         started        121 80.79.4.61, 18236, 49717 SISTEMEMD Moldova Republic of 37->121 123 5.42.65.31, 48396, 49720 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 37->123 103 C:\Users\user\AppData\Local\...\qemu-ga.exe, PE32 37->103 dropped 105 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 37->105 dropped 107 C:\ProgramData\...\iojmibhyhiws.exe, PE32+ 37->107 dropped 189 System process connects to network (likely due to code injection or exploit) 37->189 191 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->191 193 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->193 195 4 other signatures 37->195 53 RegAsm.exe 37->53         started        55 cmd.exe 37->55         started        57 sc.exe 37->57         started        59 9 other processes 37->59 file13 signatures14 process15 dnsIp16 125 185.172.128.53 NADYMSS-ASRU Russian Federation 40->125 127 185.172.128.90 NADYMSS-ASRU Russian Federation 40->127 81 C:\Users\user\AppData\Local\...\nsa4A6C.tmp, PE32 40->81 dropped 83 C:\Users\user\AppData\Local\...\INetC.dll, PE32 40->83 dropped 85 C:\Users\user\AppData\...\BroomSetup.exe, PE32 40->85 dropped 87 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 40->87 dropped 151 Detected unpacking (changes PE section rights) 45->151 153 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->153 155 Checks if the current machine is a virtual machine (disk enumeration) 45->155 157 Detected unpacking (overwrites its own PE header) 47->157 129 94.156.65.198 TERASYST-ASBG Bulgaria 49->129 159 Multi AV Scanner detection for dropped file 49->159 161 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->161 163 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->163 131 144.76.1.85, 25894, 49723 HETZNER-ASDE Germany 51->131 133 20.79.30.95 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 53->133 165 Tries to harvest and steal browser information (history, passwords, etc) 53->165 167 Tries to steal Crypto Currency Wallets 53->167 61 conhost.exe 55->61         started        63 choice.exe 55->63         started        65 conhost.exe 57->65         started        67 conhost.exe 59->67         started        69 conhost.exe 59->69         started        71 conhost.exe 59->71         started        file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Suspicious
First seen:
2024-01-18 17:35:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cplptdxug3l65wldwn5e33n22jj4vs2ph7ywj6pfayogxojjdz3q._file
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240118-v51e6sehb4/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77
MD5 hash:
22a82ac400f4d28fd989241a9a7ed147
SHA1 hash:
ac4adf84461231d520510686e67857fd79dd1446
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/091ba83d-7a54-4c77-b5ec-84ecc4155320/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 13d6f98ef436d7eed963b37a4dedbad253cacb4f3ff164f9e5061c6bb9291e77

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/471546/
  
URLhaus
https://urlhaus.abuse.ch/url/2749106/
  
Delivery method
Distributed via web download

Comments