MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
SHA3-384 hash: 422eef91587a2137a83ba7f67fae1fe4ca4c12988e8d7aa0f5792a08d6f438f7b0e69cac195d406605b4536cde776200
SHA1 hash: 4a0cad3fec3871f69abb4217f1793db5499ea049
MD5 hash: d470377f9b683b10aa2230b05a5fcdcd
humanhash: low-salami-fruit-south
File name:d470377f9b683b10aa2230b05a5fcdcd.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'607'104 bytes
First seen:2023-12-28 01:00:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:/VQlMW+hFp202ey0+dlagJTy7wyYYLysn5uaRa9ZfP3UW0vSckwc0LoDZoqOCzAZ:WSWMp+V0+dlaeyXuWulPMlrc08J9zA2S
TLSH T14DC53383F3E60162DC7513305CEA22C31B757C97CE74A35B6B61128E49B3AA9357272B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
195.20.16.103:20440

Intelligence

File Origin
# of uploads :
1
# of downloads :
499
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469482/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Searching for the browser window
Searching for the window
DNS request
Running batch commands
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed risepro rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/658cc8cf6b1c2460460bfa8f/reports/3cb58ce4-467d-4a2e-bd99-1d310974bed3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed7698b7-5b84-42ba-9b88-1afd8b39c917
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367536
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
GPT-4 Vision identified phishing page
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1367536 Sample: wl4ESZQ0ZH.exe Startdate: 28/12/2023 Architecture: WINDOWS Score: 100 138 ipinfo.io 2->138 172 Snort IDS alert for network traffic 2->172 174 Antivirus detection for URL or domain 2->174 176 Antivirus detection for dropped file 2->176 178 13 other signatures 2->178 11 wl4ESZQ0ZH.exe 1 4 2->11         started        14 FANBooster131.exe 2->14         started        17 OfficeTrackerNMP131.exe 2->17         started        19 7 other processes 2->19 signatures3 process4 dnsIp5 126 2 other malicious files 11->126 dropped 22 cv7VU08.exe 1 4 11->22         started        112 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->112 dropped 114 C:\...\tN1fXbfzBrzfav8HLIwCVPOQOynk5HhK.zip, Zip 14->114 dropped 200 Antivirus detection for dropped file 14->200 202 Multi AV Scanner detection for dropped file 14->202 204 Detected unpacking (changes PE section rights) 14->204 218 3 other signatures 14->218 26 WerFault.exe 14->26         started        116 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 17->116 dropped 118 C:\...\woFROC62JHtLFai6X2Z4Utv4fQozycqT.zip, Zip 17->118 dropped 206 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->206 208 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->208 210 Machine Learning detection for dropped file 17->210 28 powershell.exe 17->28         started        30 powershell.exe 17->30         started        32 powershell.exe 17->32         started        38 10 other processes 17->38 140 127.0.0.1 unknown unknown 19->140 120 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->120 dropped 122 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->122 dropped 124 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->124 dropped 128 3 other malicious files 19->128 dropped 212 Tries to steal Mail credentials (via file / registry access) 19->212 214 Modifies Windows Defender protection settings 19->214 216 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->216 34 powershell.exe 19->34         started        36 powershell.exe 19->36         started        40 13 other processes 19->40 file6 signatures7 process8 file9 104 C:\Users\user\AppData\Local\...h9VZ39.exe, PE32 22->104 dropped 106 C:\Users\user\AppData\Local\...\6AT6wL0.exe, PE32 22->106 dropped 186 Antivirus detection for dropped file 22->186 188 Multi AV Scanner detection for dropped file 22->188 190 Machine Learning detection for dropped file 22->190 42 Eh9VZ39.exe 1 4 22->42         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 conhost.exe 38->56         started        58 8 other processes 38->58 60 10 other processes 40->60 signatures10 process11 file12 108 C:\Users\user\AppData\Local\...\5cN0su3.exe, PE32 42->108 dropped 110 C:\Users\user\AppData\Local\...\2GR5823.exe, PE32 42->110 dropped 192 Antivirus detection for dropped file 42->192 194 Multi AV Scanner detection for dropped file 42->194 196 Binary is likely a compiled AutoIt script file 42->196 198 Machine Learning detection for dropped file 42->198 62 5cN0su3.exe 21 40 42->62         started        67 2GR5823.exe 12 42->67         started        signatures13 process14 dnsIp15 152 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 62->152 154 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 62->154 130 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 62->130 dropped 132 C:\Users\user\AppData\...\FANBooster131.exe, PE32 62->132 dropped 134 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 62->134 dropped 136 2 other malicious files 62->136 dropped 156 Antivirus detection for dropped file 62->156 158 Multi AV Scanner detection for dropped file 62->158 160 Detected unpacking (changes PE section rights) 62->160 170 10 other signatures 62->170 69 cmd.exe 62->69         started        72 powershell.exe 62->72         started        74 cmd.exe 62->74         started        83 12 other processes 62->83 162 Binary is likely a compiled AutoIt script file 67->162 164 Machine Learning detection for dropped file 67->164 166 Found API chain indicative of sandbox detection 67->166 168 Contains functionality to modify clipboard data 67->168 76 chrome.exe 1 67->76         started        79 chrome.exe 67->79         started        81 chrome.exe 67->81         started        file16 signatures17 process18 dnsIp19 180 Uses schtasks.exe or at.exe to add and modify task schedules 69->180 96 2 other processes 69->96 182 Found many strings related to Crypto-Wallets (likely being stolen) 72->182 85 conhost.exe 72->85         started        98 2 other processes 74->98 148 192.168.2.4 unknown unknown 76->148 150 239.255.255.250 unknown Reserved 76->150 184 Suspicious execution chain found 76->184 87 chrome.exe 76->87         started        100 2 other processes 76->100 90 chrome.exe 79->90         started        92 chrome.exe 81->92         started        94 conhost.exe 83->94         started        102 10 other processes 83->102 signatures20 process21 dnsIp22 142 www.google.com 142.250.113.105 GOOGLEUS United States 87->142 144 142.250.113.113 GOOGLEUS United States 87->144 146 27 other IPs or domains 87->146
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4/
Threat name:
Win32.Spyware.Risepro
Create hunting rule
Status:
Malicious
First seen:
2023-12-28 01:01:10 UTC
File Type:
PE (Exe)
Extracted files:
202
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2wdp5ddl4yvvqhboq4sqvp2kskba5doratlfu5qm3jdkky5nssa._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:smokeloader backdoor brand:google collection discovery evasion persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231228-bc7t1afgfp/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Detected google phishing page
Lumma Stealer
Modifies Windows Defender Real-time Protection settings
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://soupinterestoe.fun/api
Unpacked files
SH256 hash:
5e59bfe31ce7ba50ed9af5085a6ec42d6bf9629ad90ae629fe2158ec36e32ef9
MD5 hash:
5e850ea3fbd2bb43885263e673d8f211
SHA1 hash:
b90f3b0f68acc2988f19aae2f78bad6f16a07e63
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/84bd6c38-ff09-4a5e-bdcf-0355ebbe23ff/
SH256 hash:
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
MD5 hash:
d470377f9b683b10aa2230b05a5fcdcd
SHA1 hash:
4a0cad3fec3871f69abb4217f1793db5499ea049
Link:
https://www.unpac.me/results/84bd6c38-ff09-4a5e-bdcf-0355ebbe23ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469482/

Comments