MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72b7bdbd1362f833ed7a2e32f679a0fac64839aa98c515cbc5e97f6fcb6c32d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 20



SHA256 hash: 72b7bdbd1362f833ed7a2e32f679a0fac64839aa98c515cbc5e97f6fcb6c32d8
SHA3-384 hash: 84b57ac7149c688c31e8134d781d1e84f4294b8a4f6dfd235daacdacd16d2bc0af9c8484ff2e0024083d1413239ed237
SHA1 hash: 0cf251eae875f785128f0a6ffca146ad6517e213
MD5 hash: c2a7e4e426fdc945b7e15d5c3253523d
humanhash: magazine-hot-north-kilo
File name: 72b7bdbd1362f833ed7a2e32f679a0fac64839aa98c51.exe
Signature: Amadey
File size: 12'532'736 bytes
First seen: 2025-09-04 06:00:29 UTC
Last seen: 2025-09-04 06:50:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash b0533a6f74dc7b1724800db8e26477cb (1 x Amadey)
ssdeep 196608:tx8tR3FKMFH3fQ9Q44MsM/XsCx3+pG26E+BYnnu6oKeLGMS:TIDXfAZ8BCF+pG26ECcuIL
Threatray 10 similar samples on MalwareBazaar
TLSH T1CEC61212B8A424AADAB99D350B76A120F6727C5603207787368C767F7736BD43E3B314
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags: Amadey exe


abuse_ch
Amadey C2:
http://178.16.53.7/cvdfnaFJBmC1/index.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://178.16.53.7/cvdfnaFJBmC1/index.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1578836/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 156
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 72b7bdbd1362f833ed7a2e32f679a0fac64839aa98c515cbc5e97f6fcb6c32d8.exe
Verdict: Malicious activity
Analysis date: 2025-09-04 04:40:27 UTC
Tags: auto-reg auto amadey botnet stealc stealer lumma loader python rdp golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: ransomware emotet extens trojan
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Searching for synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending an HTTP POST request to an infection source
Launching a process
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: explorer golang lolbin microsoft_visual_cc obfuscated packed packed packer_detected threat
Verdict: Malicious
File Type: exe x32
First seen: 2025-08-31T17:41:00Z UTC
Last seen: 2025-08-31T17:41:00Z UTC
Hits: ~100
Result
Threat name: Diamotrix Clipper, LummaC Stealer, Steal
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected Diamotrix Clipper
Yara detected LummaC Stealer
Yara detected Stealc v2
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1770904; Sample: 72b7bdbd1362f833ed7a2e32f67...; Startdate: 04/09/2025; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-09-04 04:40:29 UTC
File Type: PE (Exe)
Extracted files: 372
AV detection: 30 of 38 (78.95%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma family:stealc botnet:30x08x2025 botnet:e3db0b adware defense_evasion discovery persistence pyinstaller ransomware spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Modifies trusted root certificate store through registry
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Manipulates Digital Signatures
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Malware Config
C2 Extraction:
Unpacked files
Detections: INDICATOR_EXE_Packed_Fody
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Detections: LummaStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: aachum_Stealcv2
Author: aachum
Description: Detects new version of Stealc.
Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: Detect_Golang_Binary
Author: Andrew Morrow
Description: Detects binaries compiled with Go
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64-encoded PowerShell script.
Rule name: GoBinTest
Rule name: golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: golang_duffcopy_amd64
Rule name: Heuristics_ChromeABE
Author: Still
Description: attempts to match instructions related to Chrome App-bound Encryption elevation service; possibly spotted amongst infostealers
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value
Rule name: pe_detect_tls_callbacks
Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in Golang programming language
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: ReflectiveLoader
Author: Florian Roth (Nextron Systems)
Description: Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference: Internal Research
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: StealcV2
Author: Still
Description: attempts to match the instructions found in StealcV2
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments