MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 15



SHA256 hash: 755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505
SHA3-384 hash: 7eb4c2e8c6437de6c1090bfe20d3fd5a9e78173a2da30979e983ee59878ccbedfd4478e0466ffc65a0df095cc824c8d5
SHA1 hash: 76714bc258e25fbcb099d6d2613a058a87719bfb
MD5 hash: def6f274c14351d9cf0f49798b5a833d
humanhash: winner-carpet-cold-pennsylvania
File name: SecuriteInfo.com.Trojan.Inject5.6978.26004.20291
Signature: LummaStealer
File size: 2'162'272 bytes
First seen: 2024-08-08 08:23:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 18cd531cc44c9bf7f4a78c62c15c1c41 (9 x SnakeKeylogger, 6 x AgentTesla, 3 x Formbook)
ssdeep: 49152:xWiP0wV0hJ5VGx6ODJ1+DEtWX33oG1Sdfol:FVUckab9G
Threatray: 2'436 similar samples on MalwareBazaar
TLSH: T102A5B015E3E802A4D47BC630CA699733D7B0B8592734D68B0649D7462FF3AA18B7F712
TrID: 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      2.5% (.EXE) OS/2 Executable (generic) (2029/13)
      2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: SecuriteInfoCom
Tags: exe LummaStealer signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-08-01T14:18:43Z
Valid to: 2025-08-01T14:18:43Z
Serial number: 0cd118156bbc74277ed610d857bb94a8
Thumbprint Algorithm: SHA256
Thumbprint: 0aa52f74a1198e2ff559384406077e91a7c396d3f7ee8d29cb46132195d26d4f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 358
Origin country: FR
Vendor Threat Intelligence

Malware family: (not shown)
ID: 1
File name: 7d8c09ed1ba53f667e97ebd38c91811665c03205348db0b81420873c193fb875
Verdict: Malicious activity
Analysis date: 2024-08-02 02:39:44 UTC
Tags: amadey botnet stealer loader zharkbot github pastebin themida lumma smokeloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: Encryption Static Stealth Crypt

Result
Verdict: Malware
Maliciousness: (not shown)
Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Running batch commands
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint hacktool lolbin microsoft_visual_cc overlay packed regedit remote shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: LummaC, Neoreklami
Detection: malicious
Classification: rans.troj.adwa.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Neoreklami
Behaviour
Behavior Graph: (graph rendering omitted) Behavior Graph ID 1489902, sample SecuriteInfo.com.Trojan.Inject5.6978.26004.20291.exe, start date 08/08/2024, architecture WINDOWS, score 100.
Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion discovery evasion execution spyware stealer trojan
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indirect Command Execution
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505
MD5 hash: def6f274c14351d9cf0f49798b5a833d
SHA1 hash: 76714bc258e25fbcb099d6d2613a058a87719bfb
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe 755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (GUARD_CF)
Severity: high

Reviews
AUTH_API (Manipulates User Authorization):
  ADVAPI32.dll::CreateWellKnownSid
  ADVAPI32.dll::RevertToSelf
  ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_API (Uses Security Base API):
  ADVAPI32.dll::AdjustTokenPrivileges
  ADVAPI32.dll::DuplicateTokenEx
  ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.dll::CreateProcessA
  ADVAPI32.dll::OpenProcessToken
  ADVAPI32.dll::OpenThreadToken
  ADVAPI32.dll::SetThreadToken
  KERNEL32.dll::VirtualAllocExNuma
  KERNEL32.dll::CloseHandle
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.dll::AllocConsole
  KERNEL32.dll::FreeConsole
  KERNEL32.dll::GetConsoleOutputCP
  KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CopyFileExW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API (Retrieves Account Information):
  ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API (Can Encrypt Files):
  bcrypt.dll::BCryptDestroyKey
  bcrypt.dll::BCryptGenerateSymmetricKey
  bcrypt.dll::BCryptGenRandom
  bcrypt.dll::BCryptOpenAlgorithmProvider
  bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_API (Can Manipulate Windows Registry):
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyExW
  ADVAPI32.dll::RegOpenKeyExW
  ADVAPI32.dll::RegQueryInfoKeyW
  ADVAPI32.dll::RegQueryValueExW
  ADVAPI32.dll::RegSetValueExW
