MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
SHA3-384 hash: d97a9f8dd5caa47794aae194a1d46cdd9ee171b9ca4bc9946ad96eea914f39c0d5b2ff923fa1d513ce3501aa2c27b767
SHA1 hash: eeaf622cc64ae02e1a628c145b3033660ba01564
MD5 hash: 4cfe5852a1362c02aaf9908665f4f0c0
humanhash: vermont-cold-september-tango
File name:4cfe5852a1362c02aaf9908665f4f0c0.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'422'272 bytes
First seen:2023-12-08 19:00:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'853 x Amadey, 290 x Smoke Loader)
ssdeep 49152:8Pi8aGgWer7Am412ATOLLnNSqaBn5cE+Al09NnDWUVQ1VPLY/cni4R:XGgV/64nUb5cal09pWUVcP0Eb
TLSH T12DB53313EBDA417AC8B46B7048F805630F34B992897A233713346F47DB23D9B69653E6
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
77.105.132.87:14418

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/463753/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
Changing a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Creating a window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657367eeeba1080314878526/reports/5bf9e881-dda9-4dcd-b71f-df00b5520977/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/04b282ed-f1cc-488e-ae3a-8ea6faafa868
Result
Threat name:
LummaC Stealer, PrivateLoader, PureLog S
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1356525
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1356525 Sample: hwGsGCJlhU.exe Startdate: 08/12/2023 Architecture: WINDOWS Score: 100 112 time.windows.com 2->112 114 ipinfo.io 2->114 142 Found malware configuration 2->142 144 Malicious sample detected (through community Yara rule) 2->144 146 Antivirus detection for URL or domain 2->146 148 16 other signatures 2->148 13 hwGsGCJlhU.exe 1 4 2->13         started        17 svchost.exe 2->17         started        19 svchost.exe 1 2->19         started        21 14 other processes 2->21 signatures3 process4 file5 88 C:\Users\user\AppData\Local\...\Oe9XV72.exe, PE32 13->88 dropped 90 C:\Users\user\AppData\Local\...\6bp7KH2.exe, PE32 13->90 dropped 180 Binary is likely a compiled AutoIt script file 13->180 23 Oe9XV72.exe 1 4 13->23         started        182 Changes security center settings (notifications, updates, antivirus, firewall) 17->182 184 Query firmware table information (likely to detect VMs) 19->184 27 WerFault.exe 21->27         started        signatures6 process7 file8 84 C:\Users\user\AppData\Local\...\ta4xZ73.exe, PE32 23->84 dropped 86 C:\Users\user\AppData\Local\...\5fR5jy8.exe, PE32 23->86 dropped 174 Antivirus detection for dropped file 23->174 176 Multi AV Scanner detection for dropped file 23->176 178 Machine Learning detection for dropped file 23->178 29 ta4xZ73.exe 1 4 23->29         started        signatures9 process10 file11 92 C:\Users\user\AppData\Local\...\Re9Xk52.exe, PE32 29->92 dropped 94 C:\Users\user\AppData\Local\...\4pZ252VG.exe, PE32 29->94 dropped 186 Antivirus detection for dropped file 29->186 188 Multi AV Scanner detection for dropped file 29->188 190 Machine Learning detection for dropped file 29->190 33 Re9Xk52.exe 1 4 29->33         started        37 4pZ252VG.exe 29->37         started        signatures12 process13 file14 74 C:\Users\user\AppData\Local\...\3vT82iQ.exe, PE32 33->74 dropped 76 C:\Users\user\AppData\Local\...\1qC43uE0.exe, PE32 33->76 dropped 128 Antivirus detection for dropped file 33->128 130 Multi AV Scanner detection for dropped file 33->130 132 Machine Learning detection for dropped file 33->132 39 3vT82iQ.exe 33->39         started        42 1qC43uE0.exe 33->42         started        78 C:\...\sfvzmm25Tr6RYYkCCpzi_ocWjl255SKX.zip, Zip 37->78 dropped 134 Tries to steal Mail credentials (via file / registry access) 37->134 136 Disables Windows Defender (deletes autostart) 37->136 138 Tries to harvest and steal browser information (history, passwords, etc) 37->138 140 3 other signatures 37->140 signatures15 process16 signatures17 158 Antivirus detection for dropped file 39->158 160 Multi AV Scanner detection for dropped file 39->160 162 Machine Learning detection for dropped file 39->162 172 4 other signatures 39->172 44 explorer.exe 39->44 injected 164 Contains functionality to inject code into remote processes 42->164 166 Writes to foreign memory regions 42->166 168 Allocates memory in foreign processes 42->168 170 Injects a PE file into a foreign processes 42->170 49 AppLaunch.exe 11 508 42->49         started        process18 dnsIp19 118 185.196.8.238 SIMPLECARRER2IT Switzerland 44->118 120 185.172.128.19, 49710, 80 NADYMSS-ASRU Russian Federation 44->120 122 81.19.131.34, 49709, 80 IVC-ASRU Russian Federation 44->122 96 C:\Users\user\AppData\Local\Temp\F6A7.exe, PE32+ 44->96 dropped 98 C:\Users\user\AppData\Local\Temp05F.exe, PE32 44->98 dropped 100 C:\Users\user\AppData\Local\Temp\CA84.exe, PE32 44->100 dropped 108 5 other malicious files 44->108 dropped 192 System process connects to network (likely due to code injection or exploit) 44->192 194 Benign windows process drops PE files 44->194 51 9337.exe 44->51         started        54 7230.exe 44->54         started        57 84DE.exe 44->57         started        66 3 other processes 44->66 124 ipinfo.io 34.117.59.81, 443, 49701, 49704 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 49->124 126 193.233.132.51, 49700, 49702, 50500 FREE-NET-ASFREEnetEU Russian Federation 49->126 102 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 49->102 dropped 104 C:\...\bsOcRFQO6rZLAunmnzKxXqjZZNFsKLZ2.zip, Zip 49->104 dropped 106 C:\Users\user\AppData\...\FANBooster131.exe, PE32 49->106 dropped 110 2 other files (none is malicious) 49->110 dropped 196 Tries to steal Mail credentials (via file / registry access) 49->196 198 Found many strings related to Crypto-Wallets (likely being stolen) 49->198 200 Found stalling execution ending in API Sleep call 49->200 202 7 other signatures 49->202 60 schtasks.exe 49->60         started        62 schtasks.exe 49->62         started        64 WerFault.exe 49->64         started        file20 signatures21 process22 dnsIp23 150 Multi AV Scanner detection for dropped file 51->150 152 Machine Learning detection for dropped file 51->152 154 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 51->154 156 2 other signatures 51->156 80 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 54->80 dropped 82 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 54->82 dropped 68 conhost.exe 54->68         started        116 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 57->116 70 conhost.exe 60->70         started        72 conhost.exe 62->72         started        file24 signatures25 process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 19:01:05 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=omwjokysb3imhu3v5oarejpbgokfyvvaorhl26hbg6xsirtvn7ma._file
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231208-xn75ssdfb5/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
Link:
https://www.unpac.me/results/fc7fdc77-a096-4a6f-80dd-cb583a3e9d7b/
SH256 hash:
78ae23df3b06702cba044f947252c918006f7db9e6ac365d7db641f03dbc21f2
MD5 hash:
4fc42d657c43796cab2c924204da84a9
SHA1 hash:
e457098ed4bffdd5ff449c8fa5d302626dc94a22
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/fc7fdc77-a096-4a6f-80dd-cb583a3e9d7b/
Parent samples :
b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
63a2ca4d70cc4601a03ca16d80b6f965fb9aebb62a0a9915f66b3e32ad625e85
732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
SH256 hash:
732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
MD5 hash:
4cfe5852a1362c02aaf9908665f4f0c0
SHA1 hash:
eeaf622cc64ae02e1a628c145b3033660ba01564
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/fc7fdc77-a096-4a6f-80dd-cb583a3e9d7b/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/732c972b120e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/463753/

Comments