MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4
SHA3-384 hash: d8bf0cfd1438a888de145bfa95a7f72252df42daca4b1a10f34e650a63cf79d96b72458e504e43cdafc20a6800f6ec4a
SHA1 hash: f7be871b5ad1809158b699cd7c3863dad48953d9
MD5 hash: b2520ef3556faf72c9cd3f8740a3b79e
humanhash: colorado-gee-minnesota-quebec
File name:b2520ef3556faf72c9cd3f8740a3b79e.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'261'568 bytes
First seen:2023-12-18 06:05:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'854 x Amadey, 290 x Smoke Loader)
ssdeep 24576:cy1vLWWezuOZILd8ECfweWWraBJanqlrnxip:LNcECINT36gxi
Threatray 1'092 similar samples on MalwareBazaar
TLSH T1404523C2E6CD8130E5F61B716DFB02872F397E606C74555B2744A94EA8B37D0A0B1B2B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://attachmentartikidw.fun/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468213/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Searching for the browser window
DNS request
Replacing files
Sending a custom TCP request
Reading critical registry keys
Launching a service
Sending a UDP request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32 smokeloader stealer xpack
Link:
https://www.filescan.io/uploads/657fe14b314dbc3b9b58db6e/reports/ef0faf8f-0018-4a89-bd48-424016a6315e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RisePro Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/590afbc6-0261-4081-bbae-1c977d8af344
Result
Threat name:
PrivateLoader, RisePro Stealer, SmokeLoa
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1363770
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to inject threads in other processes
Contains functionality to modify clipboard data
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Phishing site detected (based on logo match)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PrivateLoader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1363770 Sample: YY74V8CaHP.exe Startdate: 18/12/2023 Architecture: WINDOWS Score: 100 79 ipinfo.io 2->79 97 Snort IDS alert for network traffic 2->97 99 Antivirus detection for dropped file 2->99 101 Antivirus / Scanner detection for submitted sample 2->101 103 10 other signatures 2->103 10 YY74V8CaHP.exe 1 4 2->10         started        13 OfficeTrackerNMP131.exe 10 33 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 file5 65 C:\Users\user\AppData\Local\...\Vj0rG25.exe, PE32 10->65 dropped 67 C:\Users\user\AppData\Local\...\5ee0zu2.exe, PE32 10->67 dropped 20 Vj0rG25.exe 1 4 10->20         started        125 Multi AV Scanner detection for dropped file 13->125 127 Tries to steal Mail credentials (via file / registry access) 13->127 129 Machine Learning detection for dropped file 13->129 137 4 other signatures 13->137 69 C:\...\cR9hFROql9GFdid3S5R1HlI3VGd9sGXK.zip, Zip 16->69 dropped 131 Disables Windows Defender (deletes autostart) 16->131 133 Tries to harvest and steal browser information (history, passwords, etc) 16->133 135 Exclude list of file types from scheduled, custom, and real-time scanning 16->135 24 WerFault.exe 16->24         started        signatures6 process7 file8 61 C:\Users\user\AppData\Local\...\2pA7128.exe, PE32 20->61 dropped 63 C:\Users\user\AppData\Local\...\1cO66CS7.exe, PE32 20->63 dropped 105 Multi AV Scanner detection for dropped file 20->105 107 Binary is likely a compiled AutoIt script file 20->107 109 Machine Learning detection for dropped file 20->109 26 2pA7128.exe 11 69 20->26         started        31 1cO66CS7.exe 12 20->31         started        signatures9 process10 dnsIp11 93 91.92.249.253 THEZONEBG Bulgaria 26->93 95 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 26->95 71 C:\Users\user\AppData\...\FANBooster131.exe, PE32 26->71 dropped 73 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 26->73 dropped 75 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 26->75 dropped 77 2 other malicious files 26->77 dropped 111 Multi AV Scanner detection for dropped file 26->111 113 Tries to steal Mail credentials (via file / registry access) 26->113 115 Machine Learning detection for dropped file 26->115 123 10 other signatures 26->123 33 schtasks.exe 1 26->33         started        35 schtasks.exe 1 26->35         started        37 WerFault.exe 26->37         started        117 Binary is likely a compiled AutoIt script file 31->117 119 Found API chain indicative of sandbox detection 31->119 121 Contains functionality to modify clipboard data 31->121 39 chrome.exe 1 31->39         started        42 chrome.exe 31->42         started        44 chrome.exe 31->44         started        file12 signatures13 process14 dnsIp15 46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        87 192.168.2.4 unknown unknown 39->87 89 192.168.2.30 unknown unknown 39->89 91 2 other IPs or domains 39->91 50 chrome.exe 39->50         started        53 chrome.exe 39->53         started        55 chrome.exe 39->55         started        57 chrome.exe 42->57         started        59 chrome.exe 44->59         started        process16 dnsIp17 81 142.250.189.142 GOOGLEUS United States 50->81 83 i.ytimg.com 142.250.189.150 GOOGLEUS United States 50->83 85 42 other IPs or domains 50->85
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4/
Threat name:
Win32.Trojan.RisePro
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 10:21:59 UTC
File Type:
PE (Exe)
Extracted files:
101
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfmavcffjkkovqlmh6hyk3ke4nsvqgy3ujthqctmpcmfl4r6assa._file
Verdict:
malicious
Similar samples:
4df62c5d2e5c3ae6d0fe21ae33d398dce6ee8a166b032501f290f74b6f7b075a
LummaStealer
56b8de1a461b0ad592384bef98aaa5637efae7c6aa118e0426080e13764cd12f
LummaStealer
5f57e85e2eba8616976591ec6e3a4db172c1687a2c875c5b3ae10067867fbcbd
LummaStealer
60b2187fb7db90cc596f9ab3eb852ef99e5d8a53467b552440282d02df5b18b2
LummaStealer
67f6aa5c680b96907b75de39219afb903d747e4bb04ccb0667294f4f33722fc4
LummaStealer
8750bdd67a1ecaa07e2431fc016af78133ccf06a33b1118af63bfdddc5ec5670
LummaStealer
b31b3189b4f352ee38ed4c8e0a920149f787f79fe2c948268f1350708daa13a0
LummaStealer
+ 1'082 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor brand:google collection discovery loader persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231218-gtqvpsafg4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Detected google phishing page
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
91.92.249.253
http://185.215.113.68/fks/index.php
Unpacked files
SH256 hash:
986b558f0383b8d9db776c780f7f17542e945c7caa45ec03c586cbbc433711ac
MD5 hash:
a751645b64269cfe191238ec210a1577
SHA1 hash:
92e817ee2cb24e515bc4b479ba7c1ede88daa193
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/c2c84bce-dc7d-4e8b-ad13-5b1eb90b5873/
SH256 hash:
15ba6bbaae85e3ead46c3b50d4258f5773adae37a460d600cde4ddd302640cd7
MD5 hash:
4053b102a4ae631cee6103b6a34bdead
SHA1 hash:
bc8c2bee952f82c801fd06b411e78f3627fce4f1
Link:
https://www.unpac.me/results/c2c84bce-dc7d-4e8b-ad13-5b1eb90b5873/
SH256 hash:
ad55c15a7cec947f65d1ed995a1556a4461573823ff75f272a36116c13a9c718
MD5 hash:
7ea4142991c056012915e553a5ae20bf
SHA1 hash:
c52b8454b1dd15f23a783873dd2e9b95e6aedb72
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/c2c84bce-dc7d-4e8b-ad13-5b1eb90b5873/
SH256 hash:
61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4
MD5 hash:
b2520ef3556faf72c9cd3f8740a3b79e
SHA1 hash:
f7be871b5ad1809158b699cd7c3863dad48953d9
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/c2c84bce-dc7d-4e8b-ad13-5b1eb90b5873/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61580a88a54a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61580a88a54a94eac16c3f8f856d44e365581b1ba266780a6c789855f23e04a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468213/

Comments