MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b
SHA3-384 hash: d144c5f89c5615c95b6269fc65dfc45dd99079fb5e73d9d226b4ee84913840a9f43e2c3712d5b0821f0ba66c6d22599c
SHA1 hash: 838cb4313fc34fc0de098ea72efc1c8cc257f55a
MD5 hash: e1ceccfe294fd7b46c209d672f615365
humanhash: indigo-seven-iowa-sixteen
File name:E1CECCFE294FD7B46C209D672F615365.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'383'360 bytes
First seen:2023-12-20 15:25:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:jtOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:4fwnEg4hVvNCm6GpR5Rw
Threatray 134 similar samples on MalwareBazaar
TLSH T188B5232392D8C472E8D4A3717AF41386263738E108B9C66B6771B48FD872AD9E535373
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://attachmentartikidw.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/468637/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed risepro rundll32 setupapi sfx shell32 smokeloader xpack
Link:
https://www.filescan.io/uploads/6583078dffafd83ebc9601b9/reports/518ce6ec-f8e1-40c3-b087-175511b079a2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9dacd21-e49b-4e25-a95c-d18c900132ff
Result
Threat name:
Glupteba, LummaC Stealer, Petite Virus,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365119
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected Petite Virus
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Telegram RAT
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1365119 Sample: 7C3J00l6fa.exe Startdate: 20/12/2023 Architecture: WINDOWS Score: 100 164 api.telegram.org 2->164 166 host-host-file8.com 2->166 168 10 other IPs or domains 2->168 204 Multi AV Scanner detection for domain / URL 2->204 206 Found malware configuration 2->206 208 Malicious sample detected (through community Yara rule) 2->208 212 27 other signatures 2->212 15 7C3J00l6fa.exe 1 4 2->15         started        18 svchost.exe 1 1 2->18         started        21 rundll32.exe 2->21         started        23 TrustedInstaller.exe 2->23         started        signatures3 210 Uses the Telegram API (likely for C&C communication) 164->210 process4 dnsIp5 150 C:\Users\user\AppData\Local\...\5XZ6hz9.exe, PE32 15->150 dropped 152 C:\Users\user\AppData\Local\...\2Kv2944.exe, PE32 15->152 dropped 25 5XZ6hz9.exe 15->25         started        28 2Kv2944.exe 15 3 15->28         started        170 127.0.0.1 unknown unknown 18->170 file6 process7 dnsIp8 250 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 25->250 252 Maps a DLL or memory area into another process 25->252 254 Checks if the current machine is a virtual machine (disk enumeration) 25->254 256 Creates a thread in another existing process (thread injection) 25->256 31 explorer.exe 35 21 25->31 injected 186 77.91.124.172, 49734, 80 ECOTEL-ASRU Russian Federation 28->186 258 Found many strings related to Crypto-Wallets (likely being stolen) 28->258 signatures9 process10 dnsIp11 192 185.215.113.68, 49741, 80 WHOLESALECONNECTIONSNL Portugal 31->192 194 5.42.65.125, 49744, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 31->194 196 4 other IPs or domains 31->196 112 C:\Users\user\AppData\Roaming\diereib, PE32 31->112 dropped 114 C:\Users\user\AppData\Local\Temp1AE.exe, PE32 31->114 dropped 116 C:\Users\user\AppData\Local\Temp\12B3.exe, PE32 31->116 dropped 118 6 other files (none is malicious) 31->118 dropped 198 System process connects to network (likely due to code injection or exploit) 31->198 200 Benign windows process drops PE files 31->200 202 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->202 36 39E.exe 31->36         started        39 consent.exe 31->39         started        42 E1AE.exe 4 31->42         started        44 2 other processes 31->44 file12 signatures13 process14 dnsIp15 130 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 36->130 dropped 132 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 36->132 dropped 134 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 36->134 dropped 136 C:\Users\user\AppData\...\InstallSetup9.exe, PE32 36->136 dropped 47 tuc3.exe 36->47         started        50 InstallSetup9.exe 36->50         started        53 toolspub2.exe 36->53         started        62 2 other processes 36->62 246 Writes to foreign memory regions 39->246 56 svchost.exe 39->56 injected 138 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 42->138 dropped 248 Sample uses process hollowing technique 42->248 58 RegSvcs.exe 42->58         started        60 RegSvcs.exe 42->60         started        188 attachmentartikidw.fun 172.67.197.124 CLOUDFLARENETUS United States 44->188 190 176.123.7.190 ALEXHOSTMD Moldova Republic of 44->190 file16 signatures17 process18 dnsIp19 154 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 47->154 dropped 64 tuc3.tmp 47->64         started        172 api4.ipify.org 173.231.16.77 WEBNXUS United States 50->172 174 91.92.254.7 THEZONEBG Bulgaria 50->174 178 2 other IPs or domains 50->178 156 C:\Users\user\AppData\...\nsz2B5C.tmp.exe, PE32 50->156 dropped 158 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 50->158 dropped 160 C:\Users\user\AppData\Local\...\INetC.dll, PE32 50->160 dropped 162 2 other files (none is malicious) 50->162 dropped 66 nsz2B5C.tmp.exe 50->66         started        71 BroomSetup.exe 50->71         started        232 Detected unpacking (changes PE section rights) 53->232 234 Contains functionality to inject code into remote processes 53->234 236 Injects a PE file into a foreign processes 53->236 73 toolspub2.exe 53->73         started        75 consent.exe 56->75         started        77 consent.exe 56->77         started        176 195.20.16.103, 18305 EITADAT-ASFI Finland 58->176 238 Detected unpacking (overwrites its own PE header) 62->238 240 UAC bypass detected (Fodhelper) 62->240 242 Found Tor onion address 62->242 244 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 62->244 79 cmd.exe 62->79         started        file20 signatures21 process22 dnsIp23 81 tuc3.exe 64->81         started        180 77.91.76.36 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 66->180 122 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 66->122 dropped 124 C:\Users\user\AppData\...\softokn3[1].dll, PE32 66->124 dropped 126 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 66->126 dropped 128 9 other files (none is malicious) 66->128 dropped 214 Detected unpacking (changes PE section rights) 66->214 216 Detected unpacking (overwrites its own PE header) 66->216 218 Tries to steal Mail credentials (via file / registry access) 66->218 228 4 other signatures 66->228 220 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 73->220 222 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 73->222 224 Maps a DLL or memory area into another process 73->224 230 2 other signatures 73->230 226 Writes to foreign memory regions 75->226 84 fodhelper.exe 79->84         started        86 conhost.exe 79->86         started        88 fodhelper.exe 79->88         started        90 fodhelper.exe 79->90         started        file24 signatures25 process26 file27 120 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 81->120 dropped 92 tuc3.tmp 81->92         started        96 31839b57a4f11171d6abc8bbc4451ee4.exe 84->96         started        process28 file29 142 C:\Program Files (x86)\...\stdbutton.exe, PE32 92->142 dropped 144 C:\Program Files (x86)\...\is-J06U9.tmp, PE32 92->144 dropped 146 C:\Program Files (x86)\...\is-9VH4J.tmp, PE32 92->146 dropped 148 106 other files (none is malicious) 92->148 dropped 260 Uses schtasks.exe or at.exe to add and modify task schedules 92->260 98 net.exe 92->98         started        100 stdbutton.exe 92->100         started        103 schtasks.exe 92->103         started        105 stdbutton.exe 92->105         started        262 Found Tor onion address 96->262 108 powershell.exe 96->108         started        signatures30 process31 dnsIp32 182 dtjsqxo.info 185.196.8.22 SIMPLECARRER2IT Switzerland 100->182 184 95.216.227.177 HETZNER-ASDE Germany 100->184 110 conhost.exe 103->110         started        140 C:\ProgramData\M73Bitrate\M73Bitrate.exe, PE32 105->140 dropped file33 process34
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b/
Threat name:
Win32.Trojan.RiseProStealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 18:03:56 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 22 (77.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxl63bm3cfxqh62obaozbgd2caroh574bpcqgype7fhgiuk6rj5q._file
Verdict:
malicious
Similar samples:
3b73c4da6f2bda6ebc26552afccbfd8c097a5a3195fd2593840d9ea7712b7120
LummaStealer
50c1d754d7837fc0b4085436b80acb900a1b3a35d3f3fa27420b8aa9a4a9f29d
LummaStealer
5c88a340b3b0502c9777fe6159f01d66875341dc739e23a56a21ee18479890f2
LummaStealer
779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
LummaStealer
cf17ba3233bc2dab9db27c1c73682990e0403054fad2a4ba39316d66c53bb406
LummaStealer
d2667ebba32efa519eec816fac01b3be538c57c2830a23eb8e43bca561e091d7
LummaStealer
e629fcf41de2187cafd4c8c38b1e9408a5c521d29459971bb96fae5da26fa9d5
LummaStealer
e6c757449536eefcf5903526df6e6dafa4e352fb7b55024ef005a51f7c853e86
LummaStealer
e85172898e1439bc95876cd84f60ac685bd13ee9de2bda81f497807e7f7822b3
LummaStealer
ed5858af8476036c1914ff346745b794c74a98bbb2fa8edba77bfc497a6471a8
LummaStealer
+ 124 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:glupteba family:lumma family:redline family:smokeloader family:stealc family:zgrat botnet:666 botnet:@oleh_ps botnet:livetraffic botnet:up3 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer themida trojan
Link:
https://tria.ge/reports/231220-st6rpsfbcp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Detect Lumma Stealer payload V4
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Stealc
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
http://host-file-host6.com/
http://host-host-file8.com/
http://77.91.76.36
77.105.132.87:17066
195.20.16.103:18305
http://zexeq.com/test1/get.php
http://attachmentartikidw.fun/api
Unpacked files
SH256 hash:
2fdc00f9ba1a756f4e222a5d02a69e11c96fdaf244de2fbcddbbd1112f190918
MD5 hash:
f0e53cb577b50c04b9830e5d49affd86
SHA1 hash:
a9019bddb53a2d3b37c0f11d5b07838ff248522c
Link:
https://www.unpac.me/results/5f4acc7c-a34d-47b0-9da8-29434a048155/
SH256 hash:
fbfb6490caeae31b00ce7fe3b58b856ac7f925e70deaca29aa6fd770861b9462
MD5 hash:
4d17c1fa0242df3a3cd510f95d9f3bad
SHA1 hash:
261ae0993087118887b828608d70399c52401dae
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/5f4acc7c-a34d-47b0-9da8-29434a048155/
SH256 hash:
3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b
MD5 hash:
e1ceccfe294fd7b46c209d672f615365
SHA1 hash:
838cb4313fc34fc0de098ea72efc1c8cc257f55a
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/5f4acc7c-a34d-47b0-9da8-29434a048155/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3dd7ed859b11/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3dd7ed859b116f03fb4e081d90987a1022e3f7fc0bc50361e4f94e64515e8a7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468637/

Comments