Threat name: LummaC, CryptOne, GCleaner, Glupteba, Ma
Alert
Classification: troj.spyw.expl.evad
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behavior Graph
ID: 1441523
Sample: 40UAEu1Kpt.exe
Startdate: 14/05/2024
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample:
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  27 other signatures

Process tree (for each process: network contacts, dropped files, signatures, child processes):

40UAEu1Kpt.exe (sample)
  started: 40UAEu1Kpt.exe, svchost.exe, svchost.exe, svchost.exe

  40UAEu1Kpt.exe
    network: 94.232.45.38 (WELLWEBNL, Russian Federation); 87.240.137.164 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 24 other IPs or domains
    dropped: C:\Users\...\sUkahbhZafiC6odO3Arn7bLP.exe (PE32+); C:\Users\...\oXqoAkKlFdzns41BGCp1scQR.exe (PE32); C:\Users\...\gAQ0YCnLZcQvM7fDAq3gUleZ.exe (PE32); 35 other malicious files
    signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Tries to detect sandboxes and other dynamic analysis tools (window names); 11 other signatures
    started: bXePPhSELrXevijcP9j4KbFq.exe, 018GzYsNibnWRhkedWQtCMb1.exe, fEVkrvcULairBJNebD0rnQnD.exe, 18 other processes

    bXePPhSELrXevijcP9j4KbFq.exe
      dropped: C:\Users\...\bXePPhSELrXevijcP9j4KbFq.tmp (PE32)
      started: bXePPhSELrXevijcP9j4KbFq.tmp

      bXePPhSELrXevijcP9j4KbFq.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 34 other files (23 malicious)
        started: radiobuster32.exe, radiobuster32.exe

        radiobuster32.exe
          dropped: C:\ProgramData\...\FLACWidget 3.33.66.exe (PE32)

        radiobuster32.exe
          network: 79.110.49.184 (OTAVANET-ASCZ, Germany); 89.105.201.183 (NOVOSERVE-ASNL, Netherlands); 152.89.198.214 (NEXTVISIONGB, United Kingdom)

    018GzYsNibnWRhkedWQtCMb1.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      started: RegAsm.exe, RegAsm.exe, conhost.exe

      RegAsm.exe
        network: 95.217.28.63 (HETZNER-ASDE, Germany); 23.65.44.84 (AKAMAI-ASUS, United States)
        dropped: C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\mozglue[1].dll (PE32); 10 other files (6 malicious)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Installs new ROOT certificates; Tries to harvest and steal ftp login credentials; 2 other signatures

      RegAsm.exe
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

      conhost.exe

    fEVkrvcULairBJNebD0rnQnD.exe
      network: 5.42.96.54 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 104.26.4.15 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\...\PYeb0cPgRf088zRcMHqi.exe (PE32); C:\Users\user\...\0nUudn3iiM5sIonv3hgI.exe (PE32); C:\Users\user\...\Retailer_prog[1].exe (PE32); 6 other malicious files
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect virtualization through RDTSC time measurements

    18 other processes (aggregated)
      network: 185.172.128.151 (NADYMSS-ASRU, Russian Federation); 185.172.128.90 (NADYMSS-ASRU, Russian Federation); 7 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\d3d9.dll (PE32); C:\Users\user\AppData\Local\...\INetC.dll (PE32); C:\Users\user\AppData\...\Protect544cd51a.dll (PE32); 16 other files (14 malicious)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found Tor onion address; 13 other signatures
      started: RegAsm.exe, Install.exe, cmd.exe, 6 other processes

      RegAsm.exe
        network: 5.42.65.85 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation)
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

      Install.exe
        dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
        started: Install.exe

      cmd.exe
        started: conhost.exe

      6 other processes (aggregated)
        started: conhost.exe

  svchost.exe
  svchost.exe
  svchost.exe
url : hxxp://5.42.96.64/server/ww12/AppGate2103v01.exe