MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf
SHA3-384 hash: e41128eccaa8b8d5eef71fb78efadda7759a7d853422c5b06726eeaa2f7a4ea9e1b8e4eee97b9069ade2df760330d79c
SHA1 hash: 49977e78c560c854ae0f5022aa3c5d6c59366c6e
MD5 hash: 2ac53a02ae356521f43bd47806c0727c
humanhash: michigan-delta-johnny-arizona
File name:2AC53A02AE356521F43BD47806C0727C.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'383'360 bytes
First seen:2023-12-21 19:55:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:FFOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:OfwnEg4hVvNCm6GpR5Rw
TLSH T1D9B5232392DC8472E9D4A3717EF4038A263738E118B9C66B2771748F9872ADDA531773
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
5.42.65.31:48396

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf.zip
Verdict:
Malicious activity
Analysis date:
2023-12-21 21:20:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04505775-3e90-40e3-aead-80a08759530d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468874/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed risepro rundll32 setupapi sfx shell32 xpack
Link:
https://www.filescan.io/uploads/658498557d4bdb7f8bf9ca4b/reports/b34857de-560c-4889-ab5d-4680e40d0ae9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6055930-3e4c-4179-a824-5ea36892af02
Result
Threat name:
Amadey, Glupteba, LummaC Stealer, RedLin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365823
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365823 Sample: U1MiP25NrU.exe Startdate: 21/12/2023 Architecture: WINDOWS Score: 100 132 host-host-file8.com 2->132 134 host-file-host6.com 2->134 136 18 other IPs or domains 2->136 194 Snort IDS alert for network traffic 2->194 196 Found malware configuration 2->196 198 Malicious sample detected (through community Yara rule) 2->198 200 25 other signatures 2->200 12 U1MiP25NrU.exe 1 4 2->12         started        15 rundll32.exe 2->15         started        17 Utsysc.exe 2->17         started        signatures3 process4 file5 106 C:\Users\user\AppData\Local\...\5Ca7ps8.exe, PE32 12->106 dropped 108 C:\Users\user\AppData\Local\...\2dl5705.exe, PE32 12->108 dropped 19 5Ca7ps8.exe 12->19         started        22 2dl5705.exe 15 3 12->22         started        process6 dnsIp7 202 Multi AV Scanner detection for dropped file 19->202 204 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->204 206 Maps a DLL or memory area into another process 19->206 210 2 other signatures 19->210 25 explorer.exe 14 26 19->25 injected 146 77.91.124.172, 49734, 80 ECOTEL-ASRU Russian Federation 22->146 208 Found many strings related to Crypto-Wallets (likely being stolen) 22->208 signatures8 process9 dnsIp10 150 185.215.113.68, 49740, 80 WHOLESALECONNECTIONSNL Portugal 25->150 152 5.42.65.125, 49743, 49746, 49749 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 25->152 154 3 other IPs or domains 25->154 90 C:\Users\user\AppData\Roaming\hajbwfi, PE32 25->90 dropped 92 C:\Users\user\AppData\Local\Temp\FE8E.exe, PE32 25->92 dropped 94 C:\Users\user\AppData\Local\Temp\F788.exe, PE32 25->94 dropped 96 8 other malicious files 25->96 dropped 230 System process connects to network (likely due to code injection or exploit) 25->230 232 Benign windows process drops PE files 25->232 234 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->234 30 EF5A.exe 25->30         started        34 E3DF.exe 4 25->34         started        36 16DB.exe 25->36         started        39 5 other processes 25->39 file11 signatures12 process13 dnsIp14 126 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 30->126 dropped 250 Multi AV Scanner detection for dropped file 30->250 252 Contains functionality to inject code into remote processes 30->252 41 Utsysc.exe 30->41         started        128 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 34->128 dropped 254 Writes to foreign memory regions 34->254 256 Allocates memory in foreign processes 34->256 258 Sample uses process hollowing technique 34->258 260 Injects a PE file into a foreign processes 34->260 46 RegSvcs.exe 8 4 34->46         started        48 RegSvcs.exe 34->48         started        50 RegSvcs.exe 34->50         started        58 2 other processes 34->58 138 5.42.65.31 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 36->138 130 C:\Users\user\AppData\Local\...\qemu-ga.exe, PE32 36->130 dropped 262 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->262 264 Found many strings related to Crypto-Wallets (likely being stolen) 36->264 266 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->266 268 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->268 52 conhost.exe 36->52         started        140 185.172.128.33 NADYMSS-ASRU Russian Federation 39->140 142 attachmentartikidw.fun 104.21.76.167, 49750, 80 CLOUDFLARENETUS United States 39->142 144 176.123.7.190, 32927 ALEXHOSTMD Moldova Republic of 39->144 270 Found evasive API chain (may stop execution after checking computer name) 39->270 272 Tries to harvest and steal browser information (history, passwords, etc) 39->272 274 Tries to steal Crypto Currency Wallets 39->274 54 RegSvcs.exe 39->54         started        56 RegSvcs.exe 39->56         started        file15 signatures16 process17 dnsIp18 156 98.126.19.29 VPLSNETUS United States 41->156 158 arcticleopard.org 104.21.34.193 CLOUDFLARENETUS United States 41->158 160 africanmakaka.org 172.67.192.58, 443, 49755 CLOUDFLARENETUS United States 41->160 98 C:\Users\user\AppData\Local\...\etopt.exe, PE32 41->98 dropped 100 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 41->100 dropped 102 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 41->102 dropped 104 5 other malicious files 41->104 dropped 236 Multi AV Scanner detection for dropped file 41->236 238 Creates an undocumented autostart registry key 41->238 240 Uses schtasks.exe or at.exe to add and modify task schedules 41->240 60 InstallSetup8.exe 41->60         started        64 toolspub2.exe 41->64         started        67 etopt.exe 41->67         started        69 4 other processes 41->69 162 195.20.16.103, 18305, 49744 EITADAT-ASFI Finland 46->162 242 Found many strings related to Crypto-Wallets (likely being stolen) 46->242 244 Tries to steal Crypto Currency Wallets 46->244 246 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->246 248 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->248 164 soupinterestoe.fun 172.67.221.65 CLOUDFLARENETUS United States 54->164 file19 signatures20 process21 dnsIp22 166 zonealarm.com 209.87.209.205 ZONEALARM-COMUS United States 60->166 168 api4.ipify.org 64.185.227.156, 49751, 80 WEBNXUS United States 60->168 174 5 other IPs or domains 60->174 110 C:\Users\user\AppData\Local\...\INetC.dll, PE32 60->110 dropped 112 C:\Users\user\AppData\...\nsf1070.tmp.exe, PE32 60->112 dropped 114 C:\Users\user\AppData\...\BroomSetup.exe, PE32 60->114 dropped 116 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 60->116 dropped 71 nsf1070.tmp.exe 60->71         started        76 BroomSetup.exe 60->76         started        176 Detected unpacking (changes PE section rights) 64->176 178 Sample uses process hollowing technique 64->178 180 Injects a PE file into a foreign processes 64->180 78 toolspub2.exe 64->78         started        170 192.186.7.211 FEDERAL-ONLINE-GROUP-LLCUS United States 67->170 172 38.6.193.13 COGENT-174US United States 67->172 118 C:\Windows\servicingditions\RegExp.dll, PE32+ 67->118 dropped 120 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 67->120 dropped 122 C:\Users\user\AppData\Local\...\Checker.dll, PE32 67->122 dropped 124 2 other malicious files 67->124 dropped 182 Query firmware table information (likely to detect VMs) 67->182 184 Creates an undocumented autostart registry key 67->184 186 Multi AV Scanner detection for dropped file 69->186 188 Detected unpacking (overwrites its own PE header) 69->188 190 UAC bypass detected (Fodhelper) 69->190 192 3 other signatures 69->192 80 conhost.exe 69->80         started        file23 signatures24 process25 dnsIp26 148 77.91.76.36 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 71->148 82 C:\Users\user\AppData\...\softokn3[1].dll, PE32 71->82 dropped 84 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 71->84 dropped 86 C:\Users\user\AppData\...\mozglue[1].dll, PE32 71->86 dropped 88 9 other files (5 malicious) 71->88 dropped 212 Detected unpacking (changes PE section rights) 71->212 214 Detected unpacking (overwrites its own PE header) 71->214 216 Tries to steal Mail credentials (via file / registry access) 71->216 226 4 other signatures 71->226 218 Multi AV Scanner detection for dropped file 76->218 220 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 78->220 222 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 78->222 224 Maps a DLL or memory area into another process 78->224 228 2 other signatures 78->228 file27 signatures28
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf/
Threat name:
ByteCode-MSIL.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-20 15:13:00 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dw2uxi22xpr4whqxrfyqqw7jpgummi2rmmf5trxgc2tdsgvsoc7q._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:asyncrat family:lumma family:redline family:smokeloader family:stealc family:zgrat botnet:666 botnet:@oleh_ps botnet:up3 backdoor discovery evasion infostealer persistence rat stealer themida trojan
Link:
https://tria.ge/reports/231221-ynnxlabgdr/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
.NET Reactor proctector
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Themida packer
Downloads MZ/PE file
Modifies Windows Firewall
Async RAT payload
Amadey
AsyncRat
Detect Lumma Stealer payload V4
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Stealc
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://5.42.65.125
176.123.7.190:32927
185.172.128.33:38294
http://77.91.76.36
http://host-file-host6.com/
http://host-host-file8.com/
195.20.16.103:18305
Unpacked files
SH256 hash:
819aac500d3afa7aa4e5d7dda8f1b594297158b3327da1712e718cc189a7b4ac
MD5 hash:
e8767f2f93f8215b7c52290e9e387cfe
SHA1 hash:
ceab4655a5744bf70cabdc6ba5e79980c01daed6
Link:
https://www.unpac.me/results/53c04695-c1ed-49a4-9cd2-ad5f508e4e9b/
SH256 hash:
a0bfad8b1e180350ba8ad8cf27c4abc895535935e1d3a877132236a28e943032
MD5 hash:
eb29459f4a4e74ae219b16c449918ef5
SHA1 hash:
218322a58d639773426027742d3d9d1e41901a3c
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/53c04695-c1ed-49a4-9cd2-ad5f508e4e9b/
SH256 hash:
1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf
MD5 hash:
2ac53a02ae356521f43bd47806c0727c
SHA1 hash:
49977e78c560c854ae0f5022aa3c5d6c59366c6e
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/53c04695-c1ed-49a4-9cd2-ad5f508e4e9b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1db54ba35abb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1db54ba35abbe3cb1e178971085be979a8c62351630bd9c6e616a6391ab270bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468874/

Comments