Threat name: LummaC, Amadey, LummaC Stealer, PureLog
Alert
Classification: phis.troj.spyw.evad.mine
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1387494
Sample: SecuriteInfo.com.Win32.PWSX...
Startdate: 06/02/2024
Architecture: WINDOWS
Score: 100

Node 2: submitted sample (root)
  DNS / IP:
    triangleseasonbenchwj.shop
    secretionsuitcasenioise.shop
    5 other IPs or domains
  Signatures:
    Snort IDS alert for network traffic
    Multi AV Scanner detection for domain / URL
    Found malware configuration
    23 other signatures
  Started:
    explorgu.exe (35) [node 10]
    explorgu.exe [node 15]
    SecuriteInfo.com.Win32.PWSX-gen.11847.1098.exe (5) [node 17]
    4 other processes [node 19]

Node 10: explorgu.exe (35)
  DNS / IP:
    185.215.113.32, ports 49705, 49706, 49708 (WHOLESALECONNECTIONSNL, Portugal)
    193.233.132.167, ports 49707, 49746, 49754 (FREE-NET-ASFREEnetEU, Russian Federation)
    109.107.182.3, ports 49712, 49721, 80 (TELEPORT-TV-ASRU, Russian Federation)
  Dropped:
    C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+
    C:\Users\user\AppData\Roaming\...\clip64.dll, PE32
    C:\Users\user\AppData\Local\...\art22.exe, PE32+
    11 other malicious files
  Signatures:
    Hides threads from debuggers
    Tries to detect sandboxes / dynamic malware analysis system (registry check)
    Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  Started:
    lumma123142124.exe [node 21]
    rundll32.exe [node 24]
    mrk1234.exe [node 26]
    3 other processes [node 37]

Node 15: explorgu.exe
  Signatures:
    Antivirus detection for dropped file
    Multi AV Scanner detection for dropped file
    Detected unpacking (changes PE section rights)
    3 other signatures

Node 17: SecuriteInfo.com.Win32.PWSX-gen.11847.1098.exe (5)
  Dropped:
    C:\Users\user\AppData\Local\...\explorgu.exe, PE32
  Signatures:
    Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
    Tries to evade debugger and weak emulator (self modifying code)
    Tries to detect virtualization through RDTSC time measurements

Node 19: 4 other processes
  Dropped:
    C:\Windows\Temp\rljxappkaarw.sys, PE32+
    C:\Windows\Temp\ejecottirzko.sys, PE32+
  Signatures:
    Injects code into the Windows Explorer (explorer.exe)
    Modifies the context of a thread in another process (thread injection)
    Sample is not signed and drops a device driver
  Started:
    explorer.exe [node 28]
    WerFault.exe [node 31]
    WerFault.exe [node 33]
    WerFault.exe [node 35]

Node 21: lumma123142124.exe
  Signatures:
    Multi AV Scanner detection for dropped file
    Machine Learning detection for dropped file
    Contains functionality to inject code into remote processes
    LummaC encrypted strings found
  Started:
    RegAsm.exe [node 40]
    conhost.exe [node 43]

Node 24: rundll32.exe
  Started:
    rundll32.exe (23) [node 45]

Node 26: mrk1234.exe
  Signatures:
    Writes to foreign memory regions
    Allocates memory in foreign processes
    Injects a PE file into a foreign processes
  Started:
    RegAsm.exe [node 48]
    RegAsm.exe [node 50]

Node 28: explorer.exe
  DNS / IP:
    pool.hashvault.pro, 142.202.242.43, ports 49742, 49767, 80 (1GSERVERSUS, Reserved)
  Signatures:
    System process connects to network (likely due to code injection or exploit)
    Query firmware table information (likely to detect VMs)

Node 37: 3 other processes
  Dropped:
    C:\ProgramData\...\uyzpsnbeowaz.exe, PE32+
    C:\ProgramData\...\uwgxswmtctao.exe, PE32+
  Signatures:
    Uses powercfg.exe to modify the power settings
    Modifies power options to not sleep / hibernate
  Started:
    sc.exe [node 52]
    sc.exe [node 54]
    sc.exe [node 56]
    9 other processes [node 58]

Node 40: RegAsm.exe
  DNS / IP:
    claimconcessionrebe.shop, 104.21.58.31, ports 443, 49716, 49728 (CLOUDFLARENETUS, United States)
    triangleseasonbenchwj.shop, 104.21.77.52, ports 443, 49713 (CLOUDFLARENETUS, United States)
    3 other IPs or domains
  Started:
    WerFault.exe [node 60]

Node 45: rundll32.exe (23)
  Signatures:
    Tries to steal Instant Messenger accounts or passwords
    Uses netsh to modify the Windows network and firewall settings
    Tries to harvest and steal ftp login credentials
    2 other signatures
  Started:
    powershell.exe (25) [node 62]
    netsh.exe (2) [node 65]

Node 48: RegAsm.exe
  DNS / IP:
    mealroomrallpassiveer.shop, 172.67.149.126, ports 443, 49722 (CLOUDFLARENETUS, United States)
  Started:
    WerFault.exe [node 67]
    WerFault.exe [node 69]

Node 52: sc.exe
  Started:
    conhost.exe [node 71]

Node 54: sc.exe
  Started:
    conhost.exe [node 73]

Node 56: sc.exe
  Started:
    conhost.exe [node 75]

Node 58: 9 other processes
  Started:
    9 other processes [node 77]

Node 62: powershell.exe (25)
  Dropped:
    C:\Users\user\...\246122658369_Desktop.zip, Zip
  Started:
    conhost.exe [node 79]

Node 65: netsh.exe (2)
  Started:
    conhost.exe [node 81]