MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd
SHA3-384 hash: 9e3bf3942165c42a4e3273bd9641e0ffb173b74be6efb2e2133a1f342e7f3008c2e1057604689588112ccd5a315b9717
SHA1 hash: 9eee6174fa8c2b7c1e8793ff521154183a3fa7ee
MD5 hash: 6163b5954dc5244d55d0036e6038b59e
humanhash: robert-coffee-august-fillet
File name:6163b5954dc5244d55d0036e6038b59e.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'571'328 bytes
First seen:2023-12-13 09:20:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:eyvxfvNpxKdfTnV3vrc9vUTbPc1DBCW7NkXDEHEEUdKRlENB4qDyDKTfFL0:tZfvNpxKd7nVQNUTbPcVBCW7NysUdK2f
Threatray 1'267 similar samples on MalwareBazaar
TLSH T17E75230273F8417BCCB62FB158F712C34A3ABD688AB847AF2256944A44A35C47D7179F
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://soupinterestoe.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
500
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467112/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
Searching for the window
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6579777f56f85d0de416f88f/reports/4fd8c7a9-55d9-4a8a-8752-d7f66b4b6bb0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72a2f7f7-238e-435e-a763-86723b17259b
Result
Threat name:
PrivateLoader, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361249
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Phishing site detected (based on logo match)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1361249 Sample: tTV265f95E.exe Startdate: 13/12/2023 Architecture: WINDOWS Score: 100 83 ipinfo.io 2->83 99 Snort IDS alert for network traffic 2->99 101 Antivirus detection for dropped file 2->101 103 Antivirus / Scanner detection for submitted sample 2->103 105 8 other signatures 2->105 10 tTV265f95E.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 file5 77 C:\Users\user\AppData\Local\...\Wo7ck94.exe, PE32 10->77 dropped 79 C:\Users\user\AppData\Local\...\7Ez2qD12.exe, PE32 10->79 dropped 20 Wo7ck94.exe 1 4 10->20         started        127 Multi AV Scanner detection for dropped file 13->127 129 Tries to steal Mail credentials (via file / registry access) 13->129 131 Machine Learning detection for dropped file 13->131 139 4 other signatures 13->139 81 C:\...\2MgEVJmpFuMnSLslEwk4DpZfkofD5Q9T.zip, Zip 16->81 dropped 133 Disables Windows Defender (deletes autostart) 16->133 135 Tries to harvest and steal browser information (history, passwords, etc) 16->135 137 Exclude list of file types from scheduled, custom, and real-time scanning 16->137 signatures6 process7 file8 65 C:\Users\user\AppData\Local\...\2sX2253.exe, PE32 20->65 dropped 67 C:\Users\user\AppData\Local\...\1CL83uX8.exe, PE32 20->67 dropped 107 Multi AV Scanner detection for dropped file 20->107 109 Binary is likely a compiled AutoIt script file 20->109 111 Machine Learning detection for dropped file 20->111 24 2sX2253.exe 11 508 20->24         started        29 1CL83uX8.exe 12 20->29         started        signatures9 process10 dnsIp11 95 193.233.132.51 FREE-NET-ASFREEnetEU Russian Federation 24->95 97 ipinfo.io 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 24->97 69 C:\Users\user\AppData\...\FANBooster131.exe, PE32 24->69 dropped 71 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 24->71 dropped 73 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 24->73 dropped 75 2 other malicious files 24->75 dropped 113 Multi AV Scanner detection for dropped file 24->113 115 Tries to steal Mail credentials (via file / registry access) 24->115 117 Machine Learning detection for dropped file 24->117 125 8 other signatures 24->125 31 schtasks.exe 24->31         started        33 schtasks.exe 24->33         started        35 WerFault.exe 24->35         started        119 Binary is likely a compiled AutoIt script file 29->119 121 Found API chain indicative of sandbox detection 29->121 123 Contains functionality to modify clipboard data 29->123 37 chrome.exe 1 29->37         started        40 chrome.exe 29->40         started        42 chrome.exe 29->42         started        44 7 other processes 29->44 file12 signatures13 process14 dnsIp15 46 conhost.exe 31->46         started        48 conhost.exe 33->48         started        91 192.168.2.4 unknown unknown 37->91 93 239.255.255.250 unknown Reserved 37->93 50 chrome.exe 37->50         started        61 2 other processes 37->61 53 chrome.exe 40->53         started        55 chrome.exe 42->55         started        57 chrome.exe 44->57         started        59 chrome.exe 44->59         started        63 5 other processes 44->63 process16 dnsIp17 85 twitter.com 104.244.42.1 TWITTERUS United States 50->85 87 104.244.42.2 TWITTERUS United States 50->87 89 87 other IPs or domains 50->89
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-13 09:21:07 UTC
File Type:
PE (Exe)
Extracted files:
165
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5l6qxroxkdbnf3fshwg4osnwfzmc2d2fsdvywz24eagpbt7xs6q._file
Verdict:
malicious
Similar samples:
4df62c5d2e5c3ae6d0fe21ae33d398dce6ee8a166b032501f290f74b6f7b075a
LummaStealer
4e70f9de2a4e122b0ba1db7c63ac443e39bbfd9e2b475e8fb29d12ad964bfd7e
LummaStealer
60b2187fb7db90cc596f9ab3eb852ef99e5d8a53467b552440282d02df5b18b2
LummaStealer
67f6aa5c680b96907b75de39219afb903d747e4bb04ccb0667294f4f33722fc4
LummaStealer
8750bdd67a1ecaa07e2431fc016af78133ccf06a33b1118af63bfdddc5ec5670
LummaStealer
b31b3189b4f352ee38ed4c8e0a920149f787f79fe2c948268f1350708daa13a0
LummaStealer
be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
LummaStealer
f9e70f08b45a835123e4239ecf4af774377671e342f13a35ceebf9ed55260b2d
LummaStealer
+ 1'257 additional samples on MalwareBazaar
Result
Malware family:
risepro
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro loader persistence stealer
Link:
https://tria.ge/reports/231213-lbbehsafek/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates system info in registry
Enumerates physical storage devices
AutoIT Executable
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
Malware Config
C2 Extraction:
193.233.132.51
Unpacked files
SH256 hash:
bf3ce2a7e4325e106633c95dbb07b1383dc5987aaca998f92afa0a3fc4ff5005
MD5 hash:
75db95a512b7d2351fed5fa1df4d24e3
SHA1 hash:
32c755679718d5dfef3e75c629ce553cd6d48ed0
Link:
https://www.unpac.me/results/e26edf2e-f2be-418f-b0b2-bf05cfd4ee96/
SH256 hash:
f05e94cd23e4f6a592080b41f641c47111bab63f54b038bf0638ecd4f0d9c0ea
MD5 hash:
36b7525ec0c7a9ec19adf4a222d803cc
SHA1 hash:
2124bded5d73933cbdce5db8faeb7e026d8845d2
Link:
https://www.unpac.me/results/e26edf2e-f2be-418f-b0b2-bf05cfd4ee96/
SH256 hash:
dc8528e43797e6d13465142a1cc1d1f6b79617dcc452232ddf2bc18b7248ce7f
MD5 hash:
7e8942fca933351d600c32bf1d08f5ac
SHA1 hash:
443955aa3fe848e430a9fe715ea0cdc7a668b5d9
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e26edf2e-f2be-418f-b0b2-bf05cfd4ee96/
SH256 hash:
5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd
MD5 hash:
6163b5954dc5244d55d0036e6038b59e
SHA1 hash:
9eee6174fa8c2b7c1e8793ff521154183a3fa7ee
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/e26edf2e-f2be-418f-b0b2-bf05cfd4ee96/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5f57e85e2eba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467112/

Comments