MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
SHA3-384 hash: ffc10cb70e7e6fe6bdd910903b3b27b0160918e66fe543509f5a3639172cea9af02583af7056ba314e24e65057b84de2
SHA1 hash: 28ddbc9d2ecb7073fe329c59c73afa52e4973c1d
MD5 hash: a85a13ceb0a2fb1ac658a6cddc3628a5
humanhash: jupiter-echo-white-finch
File name:3_Документи.pdf.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'140'206 bytes
First seen:2024-01-25 17:50:51 UTC
Last seen:2024-01-25 19:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d9029530789fe80b2caff1ced94c117 (2 x LummaStealer, 1 x RedLineStealer)
ssdeep 24576:JZ37GcN9ytIFGibL4fzXeoRVofL+0zA7TrjkoG0WIorgXIMLVPO2:JB7XK9iyjCT5A7T/SrdMLV22
Threatray 2'049 similar samples on MalwareBazaar
TLSH T1993522223AF18037F1B752705DF0B6B69ABAFE351B30A10F275C0A161EB65D5C669323
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 2ce8d0d8d46868d8 (2 x LummaStealer)
Reporter angel11VR
Tags:AutoIT exe LummaStealer


Avatar
angel11VR
it is Lumma Stealer according to JoeSandbox, previously this autoit loads Remcos

Intelligence

File Origin
# of uploads :
2
# of downloads :
441
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Документи.rar
Verdict:
Suspicious activity
Analysis date:
2024-01-25 13:32:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72e327bb-f417-423c-b105-2f9db32117e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.QuasarRAT-10018765-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching cmd.exe command interpreter
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Running batch commands
Creating a process from a recently created file
DNS request
Searching for the window
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f023b398-7855-4c84-81d0-6f8ca5d877a7
Result
Threat name:
LummaC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1381044
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
LummaC encrypted strings found
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1381044 Sample: 3_#U0414#U043e#U043a#U0443#... Startdate: 25/01/2024 Architecture: WINDOWS Score: 100 38 crisisestimatehealtwh.site 2->38 40 oqwFBqpqdNmBEVVzbOIH.oqwFBqpqdNmBEVVzbOIH 2->40 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected LummaC Stealer 2->50 52 3 other signatures 2->52 9 3_#U0414#U043e#U043a#U0443#U043c#U0435#U043d#U0442#U0438.pdf.exe 14 2->9         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\Temp\...\Tour, PE32 9->34 dropped 62 Contains functionality to register a low level keyboard hook 9->62 13 cmd.exe 1 9->13         started        16 conhost.exe 9->16         started        signatures6 process7 signatures8 64 Uses ping.exe to sleep 13->64 66 Drops PE files with a suspicious file extension 13->66 68 Uses ping.exe to check the status of other devices and networks 13->68 18 cmd.exe 1 13->18         started        21 conhost.exe 13->21         started        process9 signatures10 44 Uses ping.exe to sleep 18->44 23 Ri.pif 18->23         started        27 cmd.exe 2 18->27         started        30 cmd.exe 2 18->30         started        32 6 other processes 18->32 process11 dnsIp12 42 crisisestimatehealtwh.site 172.67.137.229, 443, 49714, 49715 CLOUDFLARENETUS United States 23->42 54 Query firmware table information (likely to detect VMs) 23->54 56 Found many strings related to Crypto-Wallets (likely being stolen) 23->56 58 Found API chain indicative of sandbox detection 23->58 60 3 other signatures 23->60 36 C:\Users\user\AppData\Local\Temp\...\Ri.pif, PE32 27->36 dropped file13 signatures14
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-25 17:51:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fl7c73lfjrcrijs2hunq6ugo6jnz7q2dkgehue6xobcxxiayjewq._file
Verdict:
unknown
Similar samples:
140653704128a6aa88f80e80b387e87892367b26da00e392e9ccf181bb48408b
LummaStealer
2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
LummaStealer
2d43530c81da22814e9debab6cc5dc8583d87b50c374e84c4ef153b0e51e4430
LummaStealer
345ff30f046fefaf38981f65238c022878d9ecab54437a88a7b5bddcba6ebc3d
LummaStealer
3726fd2adc46647baeedba9144d1fa6e0634c08f55f183fcf4c5e67c763b446a
LummaStealer
58d47e392f91578d5820d3625103ffd9461e66d7328a7016d0a69a39bc04f3af
LummaStealer
a567c1f01f6bed6d88712149472f5262d2ddc14aa4d6c1b0544e81dd0929931f
LummaStealer
b4a130338bd6099c1ca3c0e0866127db0b5df6ac51e74347654b5b6d2ee0de96
LummaStealer
cdf64a111349a82f90434e360e6312f107a45a6dafa24f8fcddb497e1584ee79
LummaStealer
fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
LummaStealer
+ 2'039 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:kinsing family:lumma loader stealer
Link:
https://tria.ge/reports/240125-we5smsdadn/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Kinsing
Lumma Stealer
Malware Config
C2 Extraction:
https://crisisestimatehealtwh.site/api
Unpacked files
SH256 hash:
9437b5cd85f01ae5f0fcffab34b33a10b18beee3d559431a512b977596576fd6
MD5 hash:
0e5f8c77f7d8e72afb90a58098bdfaf7
SHA1 hash:
4f7884661c4b200210ac250b914b2464ced3dd12
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5cb7f36a-8413-48cf-ad01-1cc46c6b6d73/
Parent samples :
99792e2eda5c50df332f2ba9bde7dbe158398acd913c16f980ff54bfda274f36
32a3ae3f8473db4b0526e456c67da605202afbfc4db584db9275d62e80884bf5
4315c14af0772f50b9b383cae378f26e71e77156886209344791c7f931d6425c
c70a6bb61af33042ad6131ed456847c36ddf8a20cfd711646d2f673ec851c754
8eed969439caae425cac85ad5b221e4f19ab22b40182a8d6beeb035dc50cf6a1
fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
b9371b217090aadf41da567face2032494d9fc5d7e4bb438dad702814c88fb97
2fcffd3914b2555cd521d7c2d3c43e8e8af300f9ee161d3ae0c028206f55775b
6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c
6115d0dc0349f7cbab3fe4b4b769b389a60aab336519d4b42952bb0f0501428f
9f706c4488db8c3f51761fe450003199948b489b39bfaf56560eac498a954356
e326efbd611e0d48875fabb475c73e40628ec2948ef3f59eb1f8326374d92393
a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43
9ac629ed8e07b6c99b05edd46b86e1795e5f96908ab1fe85a06282b0a982cd1b
487aa8d7d2c3f85140a7dc9c8704329c6e42a296e6a89ec66a7e0de58d309ded
e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46
b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
40aa56690dafef35b08b83eebf12c694f5cec88c6ba1ff9f499fff5a5da1ef02
baeced1519471f5b87271beb193b279983078f0bba9ba4daef9af842b3c361b8
a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2
43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79
634bf075d6d8a187a316a7ff567c867dea7454f4c414fc1dfb5e8a6bae2ab38e
8b66a3ecbb30f4351758c45f1c11dfa8faa9804b2976e108e9557ba39bae3202
0464478d0f6c9992dcfd81471fe69b418deab070f4f7852d756a4138d21f5cac
bdf72e1c0964b7a7b96651b278b6f8d4b42849c01ff2aa6c6844b5ac2a893f3b
9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
1814457fbd890028ff409edc2d23a11bbac93fb7318aa54523ada7e04f53ea7f
c27c1e00bb778d222efa52a9dbb9335230052cd7eaacf34a8d28b4436aae580c
8ac262e42dc9b061481f38467e202f22271f204cf595b610eb0ad4f5bbcd560b
c2ec58019152493525ab9962c758fff777c96af2407599751fc5f100874222f3
a857af8b33c62e7897af86264a2c8959545cacf74329b76730e2a84b35ef20a4
83f7e97876bb82d57f77f675e4b9ed0d3cd18c75e1cee4ec9661f653ba522e5b
6d4114742eb27a4e99c398904607bbfb07f91c2f2d25c921d888c0879f22d646
8bfa18179880147b29fd76adbba9c2818d5ba600ef22f17a5fcb9897287c4d34
fa8e3f10f85d54f5ac081ec4e9f5bb4c46716c55940c811489abd325d67a9fd1
44ed4970306de81ea87869369b9a1473e119d9a7d4a825fddd1405aa1f6dbe85
ec78b7b9f3560e19d0c723d7d114747d3833cb940631f9a3dbe83634e8d68491
087a6dafebbe457fd2085fc08162a3298891986290e3dd9fef21eec45e0df40f
4be740b7411f644b92749c5fd9be10b827f885c13690aaf7857a6d58b44e9c8c
d75697e57eee3f6f63114075c15995fef359eeb7a3f554e40d55dee19bead4fd
ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556
80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
379a446e3c57a9c7fd56eee88d1b9c8ad89c892307db989b3edd53be1d8913bf
0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
585d0e01d18cf7acfb8cb1b7ba54ffbb64e187e0a69372e2dc7f6f6b285a8493
707d8153cfae722c0c834bb06bb9dc04d6f3224a39a9b9c33aa524389561ffaa
2ad1b5261442f87a5e7a1c53cd0335c61652b39da8f54587fe0adc45e0813661
a8b2c1d4067978b61076e9ad9848c27ff31611c3a201cafa0b8a4005d80e7321
e4fe2b92480a8ad512c643358c7add07588e8028c1526e5e874d292e6053d4a6
3a339d1c2c786bde38552618b21b647fd61e583ba7cefb9eee6b0647201e5ca6
add35b72ac24e4056dac7aa46dc03ac8ccf717b0891026da8028fb9cbd8f5b7f
SH256 hash:
2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
MD5 hash:
a85a13ceb0a2fb1ac658a6cddc3628a5
SHA1 hash:
28ddbc9d2ecb7073fe329c59c73afa52e4973c1d
Link:
https://www.unpac.me/results/5cb7f36a-8413-48cf-ad01-1cc46c6b6d73/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2afe2fed654c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

LummaStealer

Executable exe 2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d

(this sample)

Joe
Joe Sandbox
https://www.joesandbox.com/analysis/1381045/1/html
  
Delivery method
Distributed via e-mail attachment

Comments


Avatar
commented on 2024-01-25 18:17:15 UTC

#Lumma #Stealer #AutoIt #RAR #PWD #EXE
email attach .rar1 > (.rar2) PWD or (.rar2+rar3+rar4) PWD > .exe > C2
IOC`s
https://pastebin.com/pwL5HdeX