MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40261840439d099ebe46d51a276a5d503c2ac99c2adce42bf06c38da4255ca06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	40261840439d099ebe46d51a276a5d503c2ac99c2adce42bf06c38da4255ca06
SHA3-384 hash:	f212bffc5aedc8f168ce42da3b31db95935769b3ddc7d1387524a8c85feae52c44a30feb849c7cad1259508dc27b22ab
SHA1 hash:	0b7dcc656908f98f97886aeef4ab64a37fffd230
MD5 hash:	f155a7880ed2f82ac880a811a0798239
humanhash:	lemon-lemon-lion-orange
File name:	f155a7880ed2f82ac880a811a0798239.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	309'760 bytes
First seen:	2023-12-19 21:05:18 UTC
Last seen:	2023-12-19 22:18:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2f42c7240ce091676db27467fe8eb2d6 (2 x LummaStealer, 1 x Socks5Systemz, 1 x RedLineStealer)
ssdeep	3072:bcPkyGUHKmKoj+J2cicTmse6xOkhuB/B+6Xl8tHy0aajAs3fSjrD9cBa7cKlO/Cl:o7BKKj3voOGuBZ+6Xl8tZaVKfcHyk7G
TLSH	T1E7649E2292E0E471D56346728E29C6EC2A3EF8E14F553A8F1798193F1F765E2C27231D
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0ac94a4a4a4b0b2 (1 x Stealc, 1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

abuse_ch

LummaStealer C2:
http://underlinefreeapearew.fun/api

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

f155a7880ed2f82ac880a811a0798239.exe

Verdict:

Malicious activity

Analysis date:

2023-12-19 21:06:36 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/aa12cbd5-5978-485b-bc83-ea81c644ca84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/468558/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.12574.7155.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/658205bcb855eb3693e70e26/reports/c052268f-0a25-4a86-a915-7097ace3f867/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/40261840439d099ebe46d51a276a5d503c2ac99c2adce42bf06c38da4255ca06

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/213e4e1c-57dc-4eba-be61-5b8b4d4f9c64

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364785

Signature

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/40261840439d099ebe46d51a276a5d503c2ac99c2adce42bf06c38da4255ca06

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/40261840439d099ebe46d51a276a5d503c2ac99c2adce42bf06c38da4255ca06/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-19 21:06:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 37 (45.95%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iatbqqcdtuez5psg2unco2s5ka6cvsm4flooik7qnq4nuqsvzida._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub1 backdoor trojan

Link:

https://tria.ge/reports/231219-zxqcfsbhen/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php