MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
SHA3-384 hash: e19f5b0f501a9923a0463e303442ed182aa9931ddc4e28abd296c86291ad0932107d278cc2f1dc870bf28585922e48fc
SHA1 hash: e18e75d4b290922ad7d1d5d46d2380b7b68cd366
MD5 hash: 86a2937e24c306d22c93e429866e9878
humanhash: green-freddie-orange-hamper
File name:86a2937e24c306d22c93e429866e9878.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'095'680 bytes
First seen:2023-10-18 05:25:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:kyVpeGtqNt8eHJCtYIDNuJCuN9w3TLhP7g7Ew7IOxS6J3nwpAc6+BFRY:zVzte8eYDU+nl7I6H6JwAJ+Bb
TLSH T10F3523227BE84532ECF62B7459FE52830A3678F1D978922E23529D2B1C735D1ED32316
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
95.217.243.178:8443

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455574/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
89%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/652f6c6c6a91040adc4fa273/reports/83c41313-7c9e-40fd-bcc8-190f216df222/overview
Verdict:
Malicious
Labled as:
TR/Dldr.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7cb6c125-b127-40d2-a5ca-e526035b228e
Result
Threat name:
Amadey, Babadeda, RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327782
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1327782 Sample: P6W3MrtrOu.exe Startdate: 18/10/2023 Architecture: WINDOWS Score: 100 139 microsoftmscompoc.tt.omtrdc.net 2->139 141 www.google.com 2->141 143 12 other IPs or domains 2->143 175 Snort IDS alert for network traffic 2->175 177 Multi AV Scanner detection for domain / URL 2->177 179 Found malware configuration 2->179 181 19 other signatures 2->181 15 P6W3MrtrOu.exe 1 4 2->15         started        18 rundll32.exe 2->18         started        20 ieshrfi 2->20         started        22 explothe.exe 2->22         started        signatures3 process4 file5 135 C:\Users\user\AppData\Local\...\cO1Bt15.exe, PE32 15->135 dropped 137 C:\Users\user\AppData\Local\...\6Ve8kG8.exe, PE32 15->137 dropped 24 cO1Bt15.exe 1 4 15->24         started        process6 file7 103 C:\Users\user\AppData\Local\...behaviorgraphm9vV49.exe, PE32 24->103 dropped 105 C:\Users\user\AppData\Local\...\5dq6Sj0.exe, PE32 24->105 dropped 199 Antivirus detection for dropped file 24->199 201 Multi AV Scanner detection for dropped file 24->201 203 Machine Learning detection for dropped file 24->203 28 Gm9vV49.exe 1 4 24->28         started        signatures8 process9 file10 131 C:\Users\user\AppData\Local\...\gR4rB33.exe, PE32 28->131 dropped 133 C:\Users\user\AppData\Local\...\4Oh039Ea.exe, PE32 28->133 dropped 233 Antivirus detection for dropped file 28->233 235 Machine Learning detection for dropped file 28->235 32 gR4rB33.exe 1 4 28->32         started        35 4Oh039Ea.exe 4 28->35         started        signatures11 process12 dnsIp13 93 C:\Users\user\AppData\Local\...\UZ2Ax27.exe, PE32 32->93 dropped 95 C:\Users\user\AppData\Local\...\3Pv04Qt.exe, PE32 32->95 dropped 39 3Pv04Qt.exe 32->39         started        42 UZ2Ax27.exe 1 4 32->42         started        145 77.91.124.55, 19071, 49713, 49718 ECOTEL-ASRU Russian Federation 35->145 183 Antivirus detection for dropped file 35->183 185 Multi AV Scanner detection for dropped file 35->185 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->187 189 3 other signatures 35->189 file14 signatures15 process16 file17 191 Multi AV Scanner detection for dropped file 39->191 193 Writes to foreign memory regions 39->193 195 Allocates memory in foreign processes 39->195 197 Injects a PE file into a foreign processes 39->197 45 AppLaunch.exe 39->45         started        48 AppLaunch.exe 39->48         started        119 C:\Users\user\AppData\Local\...\2hU0440.exe, PE32 42->119 dropped 121 C:\Users\user\AppData\Local\...\1Wm50nw2.exe, PE32 42->121 dropped 50 1Wm50nw2.exe 42->50         started        52 2hU0440.exe 12 42->52         started        signatures18 process19 dnsIp20 237 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->237 239 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 45->239 241 Maps a DLL or memory area into another process 45->241 249 2 other signatures 45->249 55 explorer.exe 45->55 injected 243 Multi AV Scanner detection for dropped file 50->243 245 Contains functionality to inject code into remote processes 50->245 247 Writes to foreign memory regions 50->247 251 2 other signatures 50->251 60 AppLaunch.exe 9 1 50->60         started        62 AppLaunch.exe 50->62         started        147 5.42.92.88, 49712, 49716, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 52->147 signatures21 process22 dnsIp23 149 5.42.65.80, 49798, 49828, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 55->149 151 77.91.68.29, 49715, 49761, 49822 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 55->151 153 3 other IPs or domains 55->153 107 C:\Users\user\AppData\Local\Temp14.exe, PE32 55->107 dropped 109 C:\Users\user\AppData\Local\Temp\A79.exe, PE32 55->109 dropped 111 C:\Users\user\AppData\Local\Temp\9002.exe, PE32 55->111 dropped 113 11 other files (10 malicious) 55->113 dropped 205 System process connects to network (likely due to code injection or exploit) 55->205 207 Benign windows process drops PE files 55->207 209 Hides that the sample has been downloaded from the Internet (zone.identifier) 55->209 64 A79.exe 55->64         started        68 23A4.exe 55->68         started        70 1896.exe 55->70         started        72 6 other processes 55->72 211 Modifies windows update settings 60->211 213 Disable Windows Defender notifications (registry) 60->213 215 Disable Windows Defender real time protection (registry) 60->215 file24 signatures25 process26 file27 97 C:\Users\user\AppData\Local\...\Sz7Go2OS.exe, PE32 64->97 dropped 99 C:\Users\user\AppData\Local\...\6jJ65ip.exe, PE32 64->99 dropped 161 Antivirus detection for dropped file 64->161 163 Multi AV Scanner detection for dropped file 64->163 165 Machine Learning detection for dropped file 64->165 74 Sz7Go2OS.exe 64->74         started        101 C:\Users\user\AppData\Local\...\explothe.exe, PE32 68->101 dropped 78 explothe.exe 68->78         started        167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 70->167 169 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 70->169 171 Tries to harvest and steal browser information (history, passwords, etc) 70->171 173 Found many strings related to Crypto-Wallets (likely being stolen) 72->173 81 chrome.exe 72->81         started        83 chrome.exe 72->83         started        85 conhost.exe 72->85         started        87 conhost.exe 72->87         started        signatures28 process29 dnsIp30 123 C:\Users\user\AppData\Local\...\eF9px6pd.exe, PE32 74->123 dropped 125 C:\Users\user\AppData\Local\...\5vZ23Vc.exe, PE32 74->125 dropped 223 Antivirus detection for dropped file 74->223 225 Multi AV Scanner detection for dropped file 74->225 227 Machine Learning detection for dropped file 74->227 89 eF9px6pd.exe 74->89         started        155 77.91.124.1, 49752, 49753, 49760 ECOTEL-ASRU Russian Federation 78->155 127 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 78->127 dropped 129 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 78->129 dropped 229 Creates an undocumented autostart registry key 78->229 231 Uses schtasks.exe or at.exe to add and modify task schedules 78->231 157 192.168.2.5, 19071, 37515, 443 unknown unknown 81->157 159 239.255.255.250 unknown Reserved 81->159 file31 signatures32 process33 file34 115 C:\Users\user\AppData\Local\...\nR2JT0sq.exe, PE32 89->115 dropped 117 C:\Users\user\AppData\Local\...\4rF927ie.exe, PE32 89->117 dropped 217 Antivirus detection for dropped file 89->217 219 Multi AV Scanner detection for dropped file 89->219 221 Machine Learning detection for dropped file 89->221 signatures35
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-10-18 05:26:06 UTC
File Type:
PE (Exe)
Extracted files:
193
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nvq3spp36ovx3qbma5m7lqadznsctk25vi5hl63omz5jg77kz3ra._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:dcrat family:glupteba family:redline family:sectoprat family:smokeloader botnet:5141679758_99 botnet:@ytlogsbot botnet:breha botnet:kukish botnet:pixelscloud2.0 backdoor brand:microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
Link:
https://tria.ge/reports/231018-f4ve7sbf7s/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver.
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Downloads MZ/PE file
Modifies Windows Firewall
Amadey
DcRat
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
Malware Config
C2 Extraction:
77.91.124.55:19071
http://77.91.68.29/fks/
85.209.176.128:80
185.216.70.238:37515
https://pastebin.com/raw/8baCJyMF
http://77.91.124.1/theme/index.php
http://5.42.65.80/8bmeVwqx/index.php
Unpacked files
SH256 hash:
160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
MD5 hash:
22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 hash:
db8326c4fad0064ce3020226e8556e7cce8ce04e
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
Parent samples :
24b66c0d6f26f5de09b4cb7a2496bf87ad0ed9d45e846870dee70941b565bc3c
d6069cb7acd4675b324603f2adc3e83fa7fa1829e73052a8d62a10f3d99a8200
SH256 hash:
f78203ebf40c0daaf16a8a6688741035b7111dc6b96ba3d2c734eddb1227ecd9
MD5 hash:
536909dccc196cb255f72d39784d78e4
SHA1 hash:
be8e4cc4d7fc09242707ad62bb48e699dd40d25c
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
SH256 hash:
ca0e5dd3f36b0615531a43620cec59acb081364d4a0d4f6f1ca7004fbe9a0b61
MD5 hash:
b2436115a88f904ad94819bcabdbe2a5
SHA1 hash:
d908d20c60aab730dd525c48f160e64328f8897a
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
SH256 hash:
cecabcab041e0a6d909f9f88377d2a41106a0b7cc2985a662837ece4a26f7df0
MD5 hash:
1d4a1e643f2fe203f2c67e793cd0600b
SHA1 hash:
c0c539bf4f36738f8a1a3261e9a77cb9091f32ed
Detections:
redline
Create hunting rule
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
Parent samples :
73642e746bae07eedd99cce9f5d772be78cafc40dffc02c93c95c88bc229f594
639038888a79a4c54d0ae58c5d3d8f2374d7e10dc280b4c1a893fd16848505c4
72ee076ef07e179548a5d6973694b29a367ce7a76c7b66006ffc7202730e159c
6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
e22bfd5f9f7790e34c6e3efa9262e549d6fef09678f4020fa82d4738edc1630d
8c7d1374cd62c56fe2cd315709d2878ac61611514d7fdc5bd631b6692070c9ce
SH256 hash:
a798935534b40a88ce4f91cef22cb6f6623150520b1cbc2550b1d95e39ddb550
MD5 hash:
d375b0f5ac70fa71780f703691adebe1
SHA1 hash:
ca9d592d4496092b8202e352a67ab177d9e4bcc9
Detections:
Amadey
Create hunting rule
win_amadey_auto
Create hunting rule
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
Parent samples :
878a1acd32d9c0f80c125fd8347a814e44e0f05ba4e311417a06d8991389f49c
3beba0fcd974f5165e5f7a9bd489dd5e5df8a79279d988b2831628b562369bac
6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
SH256 hash:
d38a8fa2fb7b2114750745648f5e17778b478373203515dfa63d76e3285672e5
MD5 hash:
523286d49886768ee168b7974c0ba162
SHA1 hash:
3c5541c44185e21a4fdc2742e46050cf2b14adee
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
SH256 hash:
6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2
MD5 hash:
86a2937e24c306d22c93e429866e9878
SHA1 hash:
e18e75d4b290922ad7d1d5d46d2380b7b68cd366
Link:
https://www.unpac.me/results/2bc0f0ad-d04b-4bcc-a63e-7be5606bab10/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d61b93dfbf3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 6d61b93dfbf3ab7dc02c0759f5c003cb6429ab5daa3a75fb6e667a937feacee2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2715539/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/455574/

Comments