MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 6 File information Comments 1

SHA256 hash:	586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534
SHA3-384 hash:	83842ebca56a644d9525683a0e463021c9846855c6e43535fac9d47c52235e8f8fa471529d213b7705f0ca7462f871d7
SHA1 hash:	1c66891eef5a9e5b8bba37f109073fe670cc0382
MD5 hash:	942ea4c617b238dca82d1ad2046ad169
humanhash:	river-twenty-ohio-william
File name:	Cheat Lab 2.7.2.msi
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'982'976 bytes
First seen:	2023-12-01 12:46:04 UTC
Last seen:	2023-12-02 02:18:05 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	49152:LVkldbW8zBQSc0ZnSK/uxtZCZKumZrL/01uG5I:wo0ZnPux4KP8AaI
Threatray	7 similar samples on MalwareBazaar
TLSH	T11C95CF217686C437C97E05302A2ADBAB567DBD604B7204DBB3C83E6E2E705C15336E67
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	Xev
Tags:	Downloader lua LummaStealer msi RedLineStealer Stealc Tasker

NIXLovesCooper

Distributed via: https://cheat-lab.net/
https://transfer.sh/get/cGqLmDzjB3/Cheat%20Lab%202.7.2.msi

LummaStealer C2: http://tirechinecarpett.pw/api
LummaStealer C2: http://slabbymenusportef.pw/api
RedLineStealer C2: http://213.248.43.68/loader/screen/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms
RedLineStealer C2: http://213.248.43.68/task/OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461712/

Verdict:

Suspicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

n/a

Detection:

suspicious

Classification:

evad

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/1351386

Behaviour

Behavior Graph:

n/a

Score:

11%

Verdict:

Benign

File Type:

MSI

Link:

https://malprob.io/report/586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534/

Threat name:

Win32.Trojan.ScarletFlash

Status:

Malicious

First seen:

2023-12-01 07:06:13 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

7 of 23 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lbqcbwylz554llpjhqfdxxnxyc2kijohqse6lod4qt44wgbggu2a._file

Verdict:

unknown

LummaStealer

55faaecc0dd6f950b2c5ea27aeb2fe10864a2e0a65e5662066824c8bccb5e91d

LummaStealer

586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

LummaStealer

f4d7a9daea3ede7da995c3bc9e993b3b7e1b75c61e73858de9820ae1892af3d6

LummaStealer

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231201-pz7dmshh7z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates connected drives

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Redline

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_LATAM_MSI_Banker Create hunting rule

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

msi 586020db0bcf7bc5ade93c0a3bddb7c0b4a425c78489e5b87c84f9cb18263534

(this sample)

Dropping

RedLineStealer LummaStealer e2b9823a9f547cdfd1c70284a90a5641e1c8a4aeb53c0c56bf66d1906e65ee50

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2736497/

Cape

https://www.capesandbox.com/analysis/461712/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2023-12-01 12:48:21 UTC

https://tria.ge/231201-pnpdpahg53/behavioral4