MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
SHA3-384 hash: 0628a4fa84130863172ee36b45817d08a7c86632813ce2316f89b578f64cf8f75dff5167f2a3898c83045648d5ebf2ed
SHA1 hash: 8b6b6c94cf32334cec066f2c775e350e53ac9bb0
MD5 hash: a5050402ceb0a865b0ae6d146af53779
humanhash: louisiana-potato-virginia-may
File name:a5050402ceb0a865b0ae6d146af53779.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'001'472 bytes
First seen:2023-10-18 16:45:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:8yP+EPa0n0qkdo1VYs8NiAaOesn7IB+LaKxnPreQu:rPRaakqYxiAaOes7NaK
Threatray 1'504 similar samples on MalwareBazaar
TLSH T132252312BBC8C136E4B517715CF7038719357C566DB8829B5B408A9F1CB2B98B932B3B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
95.217.243.178:8443

Intelligence

File Origin
# of uploads :
1
# of downloads :
319
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Creating a file
Сreating synchronization primitives
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Disabling the operating system update service
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed redcap rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65300bcbafc17c7912f8039b/reports/25c9dc06-2685-4f17-a626-b5567bc0fa4c/overview
Verdict:
Malicious
Labled as:
TR/Dldr.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8bebf64-5d2e-44dd-a8b8-816523ef71c3
Result
Threat name:
Amadey, Babadeda, LummaC Stealer, Mystic
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1328217
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many IPs within the same subnet mask (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1328217 Sample: gngC5RcGyJ.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 148 yt3.ggpht.com 2->148 150 youtube.com 2->150 152 19 other IPs or domains 2->152 186 Snort IDS alert for network traffic 2->186 188 Found malware configuration 2->188 190 Malicious sample detected (through community Yara rule) 2->190 192 21 other signatures 2->192 15 gngC5RcGyJ.exe 1 4 2->15         started        18 rundll32.exe 2->18         started        20 rundll32.exe 2->20         started        22 auhtjbf 2->22         started        signatures3 process4 file5 136 C:\Users\user\AppData\Local\...\nh2KC83.exe, PE32 15->136 dropped 138 C:\Users\user\AppData\Local\...\6Lp4nd9.exe, PE32 15->138 dropped 24 nh2KC83.exe 1 4 15->24         started        28 lt6rr0zj.exe 18->28         started        process6 file7 120 C:\Users\user\AppData\Local\...\wb0vP51.exe, PE32 24->120 dropped 122 C:\Users\user\AppData\Local\...\5HY5mt1.exe, PE32 24->122 dropped 234 Antivirus detection for dropped file 24->234 236 Multi AV Scanner detection for dropped file 24->236 238 Machine Learning detection for dropped file 24->238 30 wb0vP51.exe 1 4 24->30         started        124 C:\Users\user\AppData\Local\...\2IZ993Qj.exe, PE32 28->124 dropped 126 C:\Users\user\AppData\Local\...\1Md47IE6.exe, PE32 28->126 dropped 34 2IZ993Qj.exe 28->34         started        36 1Md47IE6.exe 28->36         started        signatures8 process9 file10 128 C:\Users\user\AppData\Local\...\xk7BG90.exe, PE32 30->128 dropped 130 C:\Users\user\AppData\Local\...\4GT227dh.exe, PE32 30->130 dropped 248 Antivirus detection for dropped file 30->248 250 Multi AV Scanner detection for dropped file 30->250 252 Machine Learning detection for dropped file 30->252 38 xk7BG90.exe 1 4 30->38         started        42 4GT227dh.exe 4 30->42         started        254 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->254 256 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 34->256 signatures11 process12 dnsIp13 116 C:\Users\user\AppData\Local\...\CP3Of07.exe, PE32 38->116 dropped 118 C:\Users\user\AppData\Local\...\3lC60CJ.exe, PE32 38->118 dropped 224 Multi AV Scanner detection for dropped file 38->224 45 3lC60CJ.exe 1 38->45         started        48 CP3Of07.exe 1 4 38->48         started        160 77.91.124.55 ECOTEL-ASRU Russian Federation 42->160 226 Antivirus detection for dropped file 42->226 228 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->228 230 Machine Learning detection for dropped file 42->230 232 2 other signatures 42->232 file14 signatures15 process16 file17 240 Multi AV Scanner detection for dropped file 45->240 242 Contains functionality to inject code into remote processes 45->242 244 Writes to foreign memory regions 45->244 246 2 other signatures 45->246 51 AppLaunch.exe 45->51         started        54 conhost.exe 45->54         started        56 AppLaunch.exe 45->56         started        98 C:\Users\user\AppData\Local\...\2nK6271.exe, PE32 48->98 dropped 100 C:\Users\user\AppData\Local\...\1uC49IO5.exe, PE32 48->100 dropped 58 1uC49IO5.exe 9 1 48->58         started        60 2nK6271.exe 12 48->60         started        signatures18 process19 dnsIp20 194 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 51->194 196 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 51->196 198 Maps a DLL or memory area into another process 51->198 208 2 other signatures 51->208 63 explorer.exe 51->63 injected 200 Multi AV Scanner detection for dropped file 58->200 202 Modifies windows update settings 58->202 204 Disable Windows Defender notifications (registry) 58->204 206 Disable Windows Defender real time protection (registry) 58->206 162 5.42.92.88 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 60->162 signatures21 process22 dnsIp23 166 77.91.68.29 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 63->166 168 171.22.28.213 CMCSUS Germany 63->168 170 3 other IPs or domains 63->170 102 C:\Users\user\AppData\Local\Temp3B8.exe, PE32 63->102 dropped 104 C:\Users\user\AppData\Local\Temp\D252.exe, PE32 63->104 dropped 106 C:\Users\user\AppData\Local\Temp\C3AB.exe, PE32 63->106 dropped 108 11 other files (10 malicious) 63->108 dropped 182 Benign windows process drops PE files 63->182 184 Hides that the sample has been downloaded from the Internet (zone.identifier) 63->184 68 8070.exe 63->68         started        72 AC67.exe 63->72         started        74 9C97.exe 63->74         started        76 6 other processes 63->76 file24 signatures25 process26 dnsIp27 110 C:\Users\user\AppData\Local\...\VQ3cQ1mB.exe, PE32 68->110 dropped 112 C:\Users\user\AppData\Local\...\6nW78pJ.exe, PE32 68->112 dropped 210 Antivirus detection for dropped file 68->210 212 Machine Learning detection for dropped file 68->212 79 VQ3cQ1mB.exe 68->79         started        114 C:\Users\user\AppData\Local\...\explothe.exe, PE32 72->114 dropped 214 Multi AV Scanner detection for dropped file 72->214 83 explothe.exe 72->83         started        216 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 74->216 218 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 74->218 220 Tries to harvest and steal browser information (history, passwords, etc) 74->220 164 85.209.176.128 ASDETUKhttpwwwheficedcomGB United Kingdom 76->164 222 Found many strings related to Crypto-Wallets (likely being stolen) 76->222 86 chrome.exe 76->86         started        88 chrome.exe 76->88         started        90 conhost.exe 76->90         started        92 2 other processes 76->92 file28 signatures29 process30 dnsIp31 140 C:\Users\user\AppData\Local\...\tw3DQ2tp.exe, PE32 79->140 dropped 142 C:\Users\user\AppData\Local\...\5GR59qM.exe, PE32 79->142 dropped 172 Antivirus detection for dropped file 79->172 174 Machine Learning detection for dropped file 79->174 94 tw3DQ2tp.exe 79->94         started        154 77.91.124.1 ECOTEL-ASRU Russian Federation 83->154 144 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 83->144 dropped 146 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 83->146 dropped 176 Multi AV Scanner detection for dropped file 83->176 178 Creates an undocumented autostart registry key 83->178 180 Uses schtasks.exe or at.exe to add and modify task schedules 83->180 156 192.168.2.6 unknown unknown 86->156 158 239.255.255.250 unknown Reserved 86->158 file32 signatures33 process34 file35 132 C:\Users\user\AppData\Local\...\nE6Wu4gA.exe, PE32 94->132 dropped 134 C:\Users\user\AppData\Local\...\4Aj799Hg.exe, PE32 94->134 dropped 258 Antivirus detection for dropped file 94->258 260 Machine Learning detection for dropped file 94->260 signatures36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 16:46:05 UTC
File Type:
PE (Exe)
Extracted files:
194
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=guc6e7vpfrarh7qvatnahbzvg3sgtkxiziah5c6qo776yjfx6jja._file
Verdict:
malicious
Similar samples:
2434a9706c210bbda5c8bc42d5245f307d288625722889a79e784a4af11c6723
LummaStealer
274602f22d15c9edfaa9170361b6fae8593699ed5d37efd259e2363a66bd666b
LummaStealer
3b75fef36f2d68ceed33969816c1c90b4094db8c1a2bc98d848857f904da21e2
LummaStealer
6c4eeafcda86d5bd3f31bbb5d53dcbeb18542a14b599d2a5e222d8a1cdb5baae
LummaStealer
6e3da629f58585ed8b4a732516294693db5158c8e5c551b1c35d93e46e009a23
LummaStealer
a226ae502f3cbe11a01bd8d37eb2fdb50c7eb800067e5e55650534b30c7d7267
LummaStealer
ad79b4136b9e78f7c6c3e18b60d3bfe663ef741b926c294a908bc4416b4b42db
LummaStealer
ef084f589ca9e0e3395495e211edf5903e986b77307ae0e515dc51886dfbffc5
LummaStealer
f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
LummaStealer
f34053453587ed5bb5cc44041732dda7101f5fab23a8080dee965dbec596d2c2
LummaStealer
+ 1'494 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:5141679758_99 botnet:@ytlogsbot botnet:breha botnet:kukish botnet:motion botnet:pixelscloud2.0 backdoor brand:google brand:microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/231018-t9ylpshh27/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Uses the VBS compiler for execution
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Amadey
DcRat
Detected google phishing page
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
http://77.91.124.1/theme/index.php
85.209.176.128:80
185.216.70.238:37515
https://pastebin.com/raw/8baCJyMF
168.119.126.250:19180
Unpacked files
SH256 hash:
a63682cddfeb906d3906209a0d7ccfba932ddf5cf83c2cc5f424ea3cc71e7a5b
MD5 hash:
8b8c33bf4d8712e251e8de36031fe6d6
SHA1 hash:
aa24eacc9268e0aad42aa0562fcfedef4844fbb2
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
SH256 hash:
f023d33fbddc121859881a6d95518189b9aa8acac0a268a60ba9ad237c50c497
MD5 hash:
1dfb9e41294bdceb01be880236102ab0
SHA1 hash:
3f33e263463cf1ca21135b6339862246fcad8667
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
SH256 hash:
de2ca838491bf864ac9adadd708ab68c9a569b5e8aa19552d39290e4c8ab7f46
MD5 hash:
3c03b4843e4384c739bf0398f0774d05
SHA1 hash:
cc5a2ed758bddd638c018683f2124e048c9f86f7
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
SH256 hash:
9df686a4c236c37577e56fb80cbfbea10ab794b83aa805628508c81bb543ac44
MD5 hash:
94abe6dd67ee7078a1943797be11d0fc
SHA1 hash:
3b3b368867c1a9c2b9b4c2db1f5b9c2ca7952197
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
Parent samples :
5406d6e08cabee38ebc37b2c1003e43d6bc2420eb304191ac84ab1fe32e5c0cb
746fa5cc5686ccf10b77ff979e292d993ef637c0499f55c643f3f579aaa1b25d
4040499e8eccbfbb5adcbf94ae9de18ba0cff7df77acb29980a9dc90da988b43
f55b9f7a1011222ad2e7803993690520247b549ef8a27e7a3996a958c48fa21e
3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
SH256 hash:
c1737011cc9fff9aef227ad401cc5d2e82bb538a045ab028a12bab955c6a5687
MD5 hash:
34d04656583363eeb09bd58597786325
SHA1 hash:
6d74e1d1077429247f1fab59dbda38f26a17757a
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
Parent samples :
a1bfe37c9b7ae382a21af70a149b2f70c983f5875ba8b23ec3cf9b9edbe96a3a
bded2dcd500421456a73fe9e9a3969fdf21ca0f6fabf3f88e621e8d0957ccc9e
3a1c3178c43c4fe5468ed77d69bb62d928d4ec0648fda6e4fad3e9d231a1d241
a8db6bf72fb914dd1b8ae8c9d42fb5e1a9a096fcd573d64fc3e48d05a94074ec
3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
SH256 hash:
460495486a9d2ad52ea5a16afb71681d80dd1b6e6c28bda33e67e99bbbfe13c6
MD5 hash:
ed0c7068b1b128bc17ecaf62dd7484e5
SHA1 hash:
e655be76c919808010bd98fcfe9b4ef34f30a8d6
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
SH256 hash:
3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252
MD5 hash:
a5050402ceb0a865b0ae6d146af53779
SHA1 hash:
8b6b6c94cf32334cec066f2c775e350e53ac9bb0
Link:
https://www.unpac.me/results/a5aa804e-dedc-41e6-a4fa-112f5e53ac46/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3505e27eaf2c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 3505e27eaf2c4113fe1504da03873536e469aae8ca007e8bd077ffec24b7f252

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715539/
  
Delivery method
Distributed via web download

Comments