MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LummaStealer
Vendor detections: 16
| SHA256 hash: | 1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522 |
|---|---|
| SHA3-384 hash: | 0b0a68bf2446d2f47346f8bfc31e142c0168bb5145dbc73b69825ac5fbeb3dd6092b9c095c607bc642e214e330ac5f0a |
| SHA1 hash: | ad262d25be6b5b6db3a62651092cfc117da2b28b |
| MD5 hash: | 047f5b1edee767388daca5dd91795939 |
| humanhash: | eight-utah-magnesium-kansas |
| File name: | AsustrapperBtsr.exe |
| Download: | download sample |
| Signature | LummaStealer |
| File size: | 1'059'173 bytes |
| First seen: | 2025-07-21 17:00:26 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 46ce5c12b293febbeb513b196aa7f843 (12 x GuLoader, 5 x VIPKeylogger, 3 x LummaStealer) |
| ssdeep | 24576:G404dQP3VV6mbdYHzETvyRvyMzafLmCZsI1F:vEvVVlbdDpLmCSI1F |
| Threatray | 351 similar samples on MalwareBazaar |
| TLSH | T13E35235532D44466DC2CD9B3C82F1B3AB9E9878831F8974B2B252E54D9C41AD6C3C3EB |
| TrID | 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| dhash icon | 0000010616050000 (1 x LummaStealer) |
| Reporter |  burger |
| Tags: | exe LummaStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
35
Origin country :
NLVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AsustrapperBtsr.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 17:00:28 UTC
Tags:
autoit lumma stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Verdict:
Malicious
Score:
99.9%
Tags:
autoit emotet
Result
Verdict:
Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated overlay packed packer_detected
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Verdict:
Unknown
Result
Threat name:
LummaC Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Creates files with lurking names (e.g. Crack.exe)
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Score:
99%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Verdict:
Malicious
Threat:
Backdoor.Win32.UDP
Threat name:
Win32.Spyware.Lummastealer
Status:
Malicious
First seen:
2025-07-21 17:00:29 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
18 of 24 (75.00%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
lummastealer
Similar samples:
+ 341 additional samples on MalwareBazaar
Result
Malware family:
lumma
Score:
10/10
Tags:
family:lumma discovery spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://seruneqy.live/akiz
https://tunenrnc.top/xodz
https://permwgp.xyz/xlak
https://recopcwr.top/atki
https://ultracpj.xyz/apgk
https://vegemuoe.top/xauy
https://siniavzv.life/xajz
https://strujqwn.xyz/xkkd
https://tunenrnc.top/xodz
https://permwgp.xyz/xlak
https://recopcwr.top/atki
https://ultracpj.xyz/apgk
https://vegemuoe.top/xauy
https://siniavzv.life/xajz
https://strujqwn.xyz/xkkd
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522
MD5 hash:
047f5b1edee767388daca5dd91795939
SHA1 hash:
ad262d25be6b5b6db3a62651092cfc117da2b28b
SH256 hash:
986db3fc7426d1475b2048be9554fc6f4e4114050b3a43e1e980b5daeb6ec005
MD5 hash:
d9407a70b1727c420820cffbdc6e6082
SHA1 hash:
ba8ce5aef380edc29780ca2226193df26e6bfac4
SH256 hash:
222e0cdbe022be9bb3b4ea0943036d1c8b78f29f093963a74b063737d8893709
MD5 hash:
0e6cd048a76adde6c723f8a4e01dcc6f
SHA1 hash:
6221eae90b2fac479c60c6a68785ae63bd2c806e
Detections:
AutoIT_Compiled
Parent samples :
51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29
f72ff7d169c4c0a940667127f37701dac14b0d84374ad6e43e85ffcc726a68b3
4b47faff7b263f41d793c672180137082540566b36fc09edad7b989e69b48d99
dd5691dd8c38d6c0d5958373603fffc3e0bec43b279f1a49154ba0dec3d5deee
6d75b4922025d7859a1a5722b621b2f24de54a1a5329d0c8781839bf6255a717
33635d2e6d00ec50497def4568a33bf742a396e322498997b9524d9f2e0f38e1
6920efd832e31f0ff94436c4242f00443dc3d3df4511a6fbaa8b899767bdb001
e10dfec034a6b02f742d6ad433eb8093dcae1146c4a6770de6d6d2d5b72e2098
64d6d6f8d4b8911e0f4ba9030382ca1664d7eba8775d00544d56e2dc336208da
9252554a1b23a6176d96112dc681cbcc770ca5f145997400cdece5c1857fbcd2
badbf65775ddf265a3dd2eeb5dae28d29b13158a0a5f153bc6b80320eaae9766
d4961daaa5ad74ff738009724a37c620f29b77466128c6f9904e980a27e477db
e0a7d335923c17e8aa3a9d2a2470eab4c0c702fee4bc7ac68b8132ea3a8e9be7
cb6f2bac0167f527d2bbf2e80c1f85b0a213036ee46580a41a8df84cb3ba3682
cae777f6d88874325a18a95690fbf16b3d2ef3a3eea9872a66f9276681532321
2006e4294f495b50c83fc3af87da570cca4ba734dd070a39d216788d275ef14d
06eb897938487b4f61c9700dc16e25c588e384f0d2b1494282ed15f43c72f379
361947959afaf7e693744d24b2c6255f15d52cf5cacc8327688a6ec99c39de67
e2c59fe0739496885e68ca445bd9bca98d7ebcd4eaebdd23372458310a2b67cf
7b5d27a8c83193458095b40fec18fd1a2b210c37b98a04f457d6cb00e738abff
a23fccf55b1723554101f8fb4e1edb642fc10b751da75aff77998bff533f4c68
e248994d1e415aeb2ec170f513316130788bbb05545e5fb9f662d64f3103195b
0199f546f8bf01c87988e2842af69b624988c0f59040f4a15121e835e2c977e3
065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd
d91fe8b3fa9a25a1ea150e318a454184c43c624052115d8e678f9b77cfc08c36
f3320e52f9ff893c6cbf220d7f4a9dddfdaaad64c1d60b7b267d22d7a078def1
1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522
0551b0aeb48adf90e5bab83569d46c866d78b2b7606c8abea03071266a4865d9
40e3105cd34d54cacd7e2559e19f1fa28e6e9ee2a09bec6a5a083262f334fa14
31c73da21862c01ecb0756a853404ea93ddf1db86ce2a6cb52ccd0ce1cfd01c3
ad8d2d36547bb6c3fd44a137948dae585b9c66f7f3e6c36adcb0fd1f6a130a37
628035c14718c064036edf3cd0fe349007bc37d22cca740f4880e2cde3a78bc7
8bbb9d145a516df1da43ecaa97efa6fd0ec63a2f7a7de4d378bf3c71282041fb
3f6af0243792dc32b9264f6001302cb782f0a98042cef498b87ea73441e0895a
6b715e8feeb3258e7b087ec2f6a49c421cfadc55af15a9cd157a6e6c34186d4d
ca96fc2d143f1c95db784f29912f41591d19db4ba92f525df7c4fa65e46f27b8
d2e01156051ad7112d93eb59632df9e67c20f32c09ace834e21746bef13dfd7e
125edb38ce9edda52a7ccace6d5d7adfd37b7e9ebfd38cf7dd072c16124bc1c3
280c766b56a8d5ae804d40c9f916593fb1b834e7b31ecf84cf85b6f28b866bad
e8f406637b174c38a8ab6a53011e3582a43d6d2beccf3c88dc843f00e6681803
e1df25e08b0d4abbfa0ff2762a8a653bb07be8feb79333a1049ed0afb68f6b2f
f1edf22002a14f6e9051114c1fe39e4d001fac227ac66789568d6cf958b104ea
445c2b7e309849a87a14d0cc4973101a774dfaaccfb39956f5d7dd664709bbc0
f9665f6f71dd641d32333f2a69609c7d6117b9901b38df9e72f0f8303192e491
08f5b86c67cd29b0ee69b4e5cb1a519c88e8bc0b529dd31cd153984a81146998
b889976d25b916ea716f7508bc9cf3139c313c29df36cf59d0a1d7bb57232585
9461f71f1624999d38d8b565c7e87a118371abfa11bb53005a800add90ff2653
53e9cb85656943c6be73087b3b43ee170f241f28638709dc5c272c890e7d663d
f8dca22fefddd91121473797629afad8182ed265d4556e48e443b1d804b8e731
782be5b43d925282bd13bf7e1505f2adc2044128cc2c222c16c44659797a97f3
63d7760f91c7129bb067776bac96ca7e7eac65f288e8a98d62a51272740a81d8
e7b70294a3acb6b76bac1cc1c3a7f01bbf5bb873c7bec447b1d516c5b2f16370
4669c2df4877615a620c08b298739d883aa874c8a8e97de3c9dc99dc34dd757c
61d434c485bcadf7a99049d0a9deba8755a37f572ad36fa7d713ce5e055d7d43
4f74c9436d6e306fee66bc786f8a4c373a7d268a60e14c51fad83b0c17e9faaa
7ef04f3a1e80ad5f4b04aae62765e89a0ac5ec8c91b0b23dbc76ca43abc227ff
0c5eae2dff6ef68137771eac539f48a2805cb18b637940783eb83e47b4a7431e
67031bdb411115a4b2fa222617c0064ac5294c28b9aa7e38fa5a84fb23548d4d
049c6830765643461e9eb7da0ae99df6046b700cd7f70572c2cd8e0053eb71a2
434d2ab1d62b64593ddb18c2b4f72947d2e78aee2c3dc4acb6d700fdcf3ae02e
23b7f89dbe25730939afb4bae4ebc99f86107b09c9842e65a51e2a7eee698a80
bd9855bea0fb4610f17220b381493b4155525c28ee9fe832fd698d78b8d9a864
cfe1a1f491591e88446d3c980f7b5d90c618946f4b5359c71f6eadda9e6eef42
d87fb4f7c8d5023adeb8d1203fa083c683e1875451a02c717b8d1b5f63215a53
dc1743c2975b3779937a38f5b5119f73c05b97fda2a453e99291521602f5c22d
a89086ac12f022d02b464b8a7493a2cb48bd043e38fa0371eac607f0f4dee5b8
a6613babd861b08bb41cf07083a4e71fba2121652d800974f14fd222bec2ef47
98cb76f26bd16bd8566285da0516f7736a5fdbcdc6129ec3a0f38bc09db6fc13
1144f6c33d9ca7c1b9b23fa1bf8d64b441f10cd1d0a35638827771cc9df5d2d3
98032e7110937432f683fe27e8eb942e885010e468d5bfacaa63fda8e63ef8f3
c666625bcef1fb5597f949257f37664390427322959c483cd16027db33db4bb7
7a24c4f86f94cd9d79aa543c58e6c079795ffedf981ebf63dd91f01532e56e01
b7fccdb3313848b8d6002a580781065ab7e8356b5f327b056aa6c9ebf7e76ae4
99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5
7b232254d4b4be67111e92f5c2e34bc331403393c2d019b31e256ca7d798cd08
b24514c4d862a8ec284f1e3b80ce7394dd68ea69b0ea3867526467a8086eba74
afa7b8bdf56270a87c326a46d11cb9ddd3880c3bbe711079753223ed01c4343b
9bfbf455319d2708851fc80207b23758debf9d2e27e79a37eab61bdce97ec77f
7d535ced79cd715cc19958b60bf36c8c1767512badbe52cd5de772794343f891
39f9313b61a51d858cd6c87914ab9750133d81901595ee83d8f722bf21bf16eb
377dbb4bb7cab67ba00659c9086ab22fe8d2adf0e8c6f23b98f456e9b62519eb
84e0c2a0b99db9bc662e25f6e33308732db054d2c2110335dcf50573d6452e03
1e53be9313b624ca36e549021df95a17b8b63e09dfe1f16813b21c8d6ce954dc
f72ff7d169c4c0a940667127f37701dac14b0d84374ad6e43e85ffcc726a68b3
4b47faff7b263f41d793c672180137082540566b36fc09edad7b989e69b48d99
dd5691dd8c38d6c0d5958373603fffc3e0bec43b279f1a49154ba0dec3d5deee
6d75b4922025d7859a1a5722b621b2f24de54a1a5329d0c8781839bf6255a717
33635d2e6d00ec50497def4568a33bf742a396e322498997b9524d9f2e0f38e1
6920efd832e31f0ff94436c4242f00443dc3d3df4511a6fbaa8b899767bdb001
e10dfec034a6b02f742d6ad433eb8093dcae1146c4a6770de6d6d2d5b72e2098
64d6d6f8d4b8911e0f4ba9030382ca1664d7eba8775d00544d56e2dc336208da
9252554a1b23a6176d96112dc681cbcc770ca5f145997400cdece5c1857fbcd2
badbf65775ddf265a3dd2eeb5dae28d29b13158a0a5f153bc6b80320eaae9766
d4961daaa5ad74ff738009724a37c620f29b77466128c6f9904e980a27e477db
e0a7d335923c17e8aa3a9d2a2470eab4c0c702fee4bc7ac68b8132ea3a8e9be7
cb6f2bac0167f527d2bbf2e80c1f85b0a213036ee46580a41a8df84cb3ba3682
cae777f6d88874325a18a95690fbf16b3d2ef3a3eea9872a66f9276681532321
2006e4294f495b50c83fc3af87da570cca4ba734dd070a39d216788d275ef14d
06eb897938487b4f61c9700dc16e25c588e384f0d2b1494282ed15f43c72f379
361947959afaf7e693744d24b2c6255f15d52cf5cacc8327688a6ec99c39de67
e2c59fe0739496885e68ca445bd9bca98d7ebcd4eaebdd23372458310a2b67cf
7b5d27a8c83193458095b40fec18fd1a2b210c37b98a04f457d6cb00e738abff
a23fccf55b1723554101f8fb4e1edb642fc10b751da75aff77998bff533f4c68
e248994d1e415aeb2ec170f513316130788bbb05545e5fb9f662d64f3103195b
0199f546f8bf01c87988e2842af69b624988c0f59040f4a15121e835e2c977e3
065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd
d91fe8b3fa9a25a1ea150e318a454184c43c624052115d8e678f9b77cfc08c36
f3320e52f9ff893c6cbf220d7f4a9dddfdaaad64c1d60b7b267d22d7a078def1
1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522
0551b0aeb48adf90e5bab83569d46c866d78b2b7606c8abea03071266a4865d9
40e3105cd34d54cacd7e2559e19f1fa28e6e9ee2a09bec6a5a083262f334fa14
31c73da21862c01ecb0756a853404ea93ddf1db86ce2a6cb52ccd0ce1cfd01c3
ad8d2d36547bb6c3fd44a137948dae585b9c66f7f3e6c36adcb0fd1f6a130a37
628035c14718c064036edf3cd0fe349007bc37d22cca740f4880e2cde3a78bc7
8bbb9d145a516df1da43ecaa97efa6fd0ec63a2f7a7de4d378bf3c71282041fb
3f6af0243792dc32b9264f6001302cb782f0a98042cef498b87ea73441e0895a
6b715e8feeb3258e7b087ec2f6a49c421cfadc55af15a9cd157a6e6c34186d4d
ca96fc2d143f1c95db784f29912f41591d19db4ba92f525df7c4fa65e46f27b8
d2e01156051ad7112d93eb59632df9e67c20f32c09ace834e21746bef13dfd7e
125edb38ce9edda52a7ccace6d5d7adfd37b7e9ebfd38cf7dd072c16124bc1c3
280c766b56a8d5ae804d40c9f916593fb1b834e7b31ecf84cf85b6f28b866bad
e8f406637b174c38a8ab6a53011e3582a43d6d2beccf3c88dc843f00e6681803
e1df25e08b0d4abbfa0ff2762a8a653bb07be8feb79333a1049ed0afb68f6b2f
f1edf22002a14f6e9051114c1fe39e4d001fac227ac66789568d6cf958b104ea
445c2b7e309849a87a14d0cc4973101a774dfaaccfb39956f5d7dd664709bbc0
f9665f6f71dd641d32333f2a69609c7d6117b9901b38df9e72f0f8303192e491
08f5b86c67cd29b0ee69b4e5cb1a519c88e8bc0b529dd31cd153984a81146998
b889976d25b916ea716f7508bc9cf3139c313c29df36cf59d0a1d7bb57232585
9461f71f1624999d38d8b565c7e87a118371abfa11bb53005a800add90ff2653
53e9cb85656943c6be73087b3b43ee170f241f28638709dc5c272c890e7d663d
f8dca22fefddd91121473797629afad8182ed265d4556e48e443b1d804b8e731
782be5b43d925282bd13bf7e1505f2adc2044128cc2c222c16c44659797a97f3
63d7760f91c7129bb067776bac96ca7e7eac65f288e8a98d62a51272740a81d8
e7b70294a3acb6b76bac1cc1c3a7f01bbf5bb873c7bec447b1d516c5b2f16370
4669c2df4877615a620c08b298739d883aa874c8a8e97de3c9dc99dc34dd757c
61d434c485bcadf7a99049d0a9deba8755a37f572ad36fa7d713ce5e055d7d43
4f74c9436d6e306fee66bc786f8a4c373a7d268a60e14c51fad83b0c17e9faaa
7ef04f3a1e80ad5f4b04aae62765e89a0ac5ec8c91b0b23dbc76ca43abc227ff
0c5eae2dff6ef68137771eac539f48a2805cb18b637940783eb83e47b4a7431e
67031bdb411115a4b2fa222617c0064ac5294c28b9aa7e38fa5a84fb23548d4d
049c6830765643461e9eb7da0ae99df6046b700cd7f70572c2cd8e0053eb71a2
434d2ab1d62b64593ddb18c2b4f72947d2e78aee2c3dc4acb6d700fdcf3ae02e
23b7f89dbe25730939afb4bae4ebc99f86107b09c9842e65a51e2a7eee698a80
bd9855bea0fb4610f17220b381493b4155525c28ee9fe832fd698d78b8d9a864
cfe1a1f491591e88446d3c980f7b5d90c618946f4b5359c71f6eadda9e6eef42
d87fb4f7c8d5023adeb8d1203fa083c683e1875451a02c717b8d1b5f63215a53
dc1743c2975b3779937a38f5b5119f73c05b97fda2a453e99291521602f5c22d
a89086ac12f022d02b464b8a7493a2cb48bd043e38fa0371eac607f0f4dee5b8
a6613babd861b08bb41cf07083a4e71fba2121652d800974f14fd222bec2ef47
98cb76f26bd16bd8566285da0516f7736a5fdbcdc6129ec3a0f38bc09db6fc13
1144f6c33d9ca7c1b9b23fa1bf8d64b441f10cd1d0a35638827771cc9df5d2d3
98032e7110937432f683fe27e8eb942e885010e468d5bfacaa63fda8e63ef8f3
c666625bcef1fb5597f949257f37664390427322959c483cd16027db33db4bb7
7a24c4f86f94cd9d79aa543c58e6c079795ffedf981ebf63dd91f01532e56e01
b7fccdb3313848b8d6002a580781065ab7e8356b5f327b056aa6c9ebf7e76ae4
99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5
7b232254d4b4be67111e92f5c2e34bc331403393c2d019b31e256ca7d798cd08
b24514c4d862a8ec284f1e3b80ce7394dd68ea69b0ea3867526467a8086eba74
afa7b8bdf56270a87c326a46d11cb9ddd3880c3bbe711079753223ed01c4343b
9bfbf455319d2708851fc80207b23758debf9d2e27e79a37eab61bdce97ec77f
7d535ced79cd715cc19958b60bf36c8c1767512badbe52cd5de772794343f891
39f9313b61a51d858cd6c87914ab9750133d81901595ee83d8f722bf21bf16eb
377dbb4bb7cab67ba00659c9086ab22fe8d2adf0e8c6f23b98f456e9b62519eb
84e0c2a0b99db9bc662e25f6e33308732db054d2c2110335dcf50573d6452e03
1e53be9313b624ca36e549021df95a17b8b63e09dfe1f16813b21c8d6ce954dc
SH256 hash:
b121689861b506dbc9c3797b49bc8a90d555cb7db58cb959165cc758391c00bb
MD5 hash:
8fe362ffdfa66269b8a64e3a87f68e52
SHA1 hash:
b5daaa60a6b8591a670da9fc3a2d6f896d55f568
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Detect_NSIS_Nullsoft_Installer |
|---|---|
| Author: | Obscurity Labs LLC |
| Description: | Detects NSIS installers by .ndata section + NSIS header string |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.