MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
SHA3-384 hash: 22d4010c38888d3d7947364619950f841830dc61d14317e6acd5bcf7a51153594d7c42456434bb149c2051cea824cfa4
SHA1 hash: 5e89591adc3af56da9ecd2d0bea3be15cf6810f3
MD5 hash: 0d5615563e5f5304858950784fb5ba4b
humanhash: timing-diet-black-uncle
File name:0d5615563e5f5304858950784fb5ba4b.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'931'264 bytes
First seen:2023-12-10 20:20:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:+b6QTFuclmxlO0NcMsoFXICSky2IriTkbivR1zKJsl65zD:E6QBuclmxBc/oFXPSk1ciTgae15zD
TLSH T198952313AAE44533E4B527B618B723631B377E624CF0532B2285150D28F65E499BAF3F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://ratefacilityframw.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464718/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Changing a file
DNS request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin mokes packed rundll32 setupapi sfx shell32 smokeloader
Link:
https://www.filescan.io/uploads/65761db0855eb2633d65feb7/reports/1f30028f-0990-40ca-b9e3-cb79f5743998/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c8777e1-653d-4db5-800c-3e953bb4f5be
Result
Threat name:
PrivateLoader, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1357712
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Yara detected PrivateLoader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1357712 Sample: Hq7cDebUzS.exe Startdate: 10/12/2023 Architecture: WINDOWS Score: 84 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Yara detected PrivateLoader 2->51 53 4 other signatures 2->53 9 Hq7cDebUzS.exe 1 4 2->9         started        process3 file4 35 C:\Users\user\AppData\Local\...\KN2rk13.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\...\5eO7MU4.exe, PE32 9->37 dropped 12 KN2rk13.exe 1 4 9->12         started        process5 file6 39 C:\Users\user\AppData\Local\...\Sp7KL42.exe, PE32 12->39 dropped 41 C:\Users\user\AppData\Local\...\4Zq746Ep.exe, PE32 12->41 dropped 57 Antivirus detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 16 Sp7KL42.exe 1 4 12->16         started        signatures7 process8 file9 31 C:\Users\user\AppData\Local\...\3EE35uz.exe, PE32 16->31 dropped 33 C:\Users\user\AppData\Local\...\1xk20Fk9.exe, PE32 16->33 dropped 43 Antivirus detection for dropped file 16->43 45 Machine Learning detection for dropped file 16->45 20 1xk20Fk9.exe 16->20         started        signatures10 process11 signatures12 55 Machine Learning detection for dropped file 20->55 23 AppLaunch.exe 20->23         started        25 AppLaunch.exe 20->25         started        27 AppLaunch.exe 20->27         started        29 33 other processes 20->29 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 18:20:00 UTC
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hrapcffiskt6jb36pb5yqr4uslnczrvjyh7uj5luh7banfgrt6ya._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231210-y4zn2adab5/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
Link:
https://www.unpac.me/results/918401c0-a6f8-4b4f-bee1-714cc6c17d12/
SH256 hash:
78ae23df3b06702cba044f947252c918006f7db9e6ac365d7db641f03dbc21f2
MD5 hash:
4fc42d657c43796cab2c924204da84a9
SHA1 hash:
e457098ed4bffdd5ff449c8fa5d302626dc94a22
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/918401c0-a6f8-4b4f-bee1-714cc6c17d12/
Parent samples :
b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
63a2ca4d70cc4601a03ca16d80b6f965fb9aebb62a0a9915f66b3e32ad625e85
732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
SH256 hash:
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
MD5 hash:
0d5615563e5f5304858950784fb5ba4b
SHA1 hash:
5e89591adc3af56da9ecd2d0bea3be15cf6810f3
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/918401c0-a6f8-4b4f-bee1-714cc6c17d12/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c40f114a892/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/464718/

Comments