MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14



SHA256 hash: 78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
SHA3-384 hash: 3b3a94190e8dc0117a6d94b80e14cd7c3c4d7cbb305eeda3aefe833588053e5a2e84eb58cc5963547a114b6c6ad0ca5c
SHA1 hash: fe2b02b3d63339ca976759c0e450f82c288b8f3b
MD5 hash: ad49dd256adedfa2be9188ec3f68cb75
humanhash: undress-william-diet-single
File name: ad49dd256adedfa2be9188ec3f68cb75.exe
Signature: LummaStealer
File size: 1'689'600 bytes
First seen: 2023-12-11 03:45:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:BTouQ/MlgHcg1OeuDBLWoaOlJgbJrypAgLWnl:xouQ/olWglwrDJl
TLSH T134752397B2DF9432D8762B701EF512871F36FDA16934C2B98B15688D0C706A4E93633B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer
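A check worth running before the downloaded sample goes anywhere near other tooling, added here as an example and not part of the MalwareBazaar page: recompute the four digests and the size listed above and compare them with the entry. The expected values are the ones on this page; the functions, the file-handling helper and the `MZ` sanity check are the example's own. The path argument is the caller's, and the archive MalwareBazaar serves (password-protected ZIP) must be unpacked first.

```python
import hashlib
from pathlib import Path

# Digests and size exactly as listed on this MalwareBazaar entry.
EXPECTED_HASHES = {
    "md5": "ad49dd256adedfa2be9188ec3f68cb75",
    "sha1": "fe2b02b3d63339ca976759c0e450f82c288b8f3b",
    "sha256": "78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1",
    "sha3_384": "3b3a94190e8dc0117a6d94b80e14cd7c3c4d7cbb305eeda3aefe833588053e5a2e84eb58cc5963547a114b6c6ad0ca5c",
}
EXPECTED_SIZE = 1_689_600


def compute_hashes(data: bytes) -> dict:
    """Hex digests of the four algorithms MalwareBazaar publishes per sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a PE file starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


def verify_sample(data: bytes, expected: dict = EXPECTED_HASHES,
                  expected_size: int = EXPECTED_SIZE) -> dict:
    """Compare a blob against the listed digests and size.

    Only algorithms present in `expected` are checked, so a caller who copied
    just the SHA256 from a report can still use it. The per-algorithm
    mismatch list makes a single mistyped value easy to spot. Pass
    expected_size=None to skip the size comparison.
    """
    actual = compute_hashes(data)
    mismatches = [alg for alg, want in expected.items()
                  if actual.get(alg, "").lower() != want.lower()]
    size_ok = expected_size is None or len(data) == expected_size
    return {
        "size_ok": size_ok,
        "is_pe": looks_like_pe(data),
        "mismatches": mismatches,
        "all_ok": size_ok and not mismatches,
    }


def verify_file(path: str) -> dict:
    """Verify an already-unpacked sample on disk against this entry's values."""
    return verify_sample(Path(path).read_bytes())


if __name__ == "__main__":
    import sys

    verdict = verify_file(sys.argv[1])
    print(verdict)
    sys.exit(0 if verdict["all_ok"] else 1)
```

A mismatch on every algorithm usually means the archive was not unpacked (the ZIP itself was hashed); a mismatch on one algorithm with the others matching means a copy error in the expected value, not a different file.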


abuse_ch
LummaStealer C2:
http://neighborhoodfeelsa.fun/api

Intelligence


File Origin
# of uploads :
1
# of downloads :
310
Origin country :
NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Creating synchronization primitives
Modifying a system file
Creating a file
Replacing files
Launching a service
DNS request
Changing a file
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Sending a UDP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm CAB control crypto explorer fingerprint greyware installer lolbin monero packed rundll32 setupapi sfx shell32 zusy
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Glupteba, LummaC Stealer, PrivateLoader,
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found stalling execution ending in API Sleep call
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Glupteba
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph (recovered from the graph export; "..." marks path segments the graph itself elided):
Behavior Graph ID: 1358088
Sample: KQiRKJl9Ci.exe
Start date: 11/12/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures

KQiRKJl9Ci.exe (started alongside two svchost.exe instances and 5 other processes)
  drops C:\Users\user\AppData\Local\...\yo6PH81.exe (PE32), C:\Users\user\AppData\Local\...\4XL763tv.exe (PE32)
  starts yo6PH81.exe; svchost.exe starts WerFault.exe
yo6PH81.exe
  drops C:\Users\user\AppData\Local\...\3Eo80hP.exe (PE32), C:\Users\user\AppData\Local\...\1Ma25Tt3.exe (PE32)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  starts 3Eo80hP.exe, 1Ma25Tt3.exe, tuc3.tmp
3Eo80hP.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
  injects into explorer.exe
1Ma25Tt3.exe
  signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  starts AppLaunch.exe
explorer.exe (injected)
  contacts 185.172.128.19 (NADYMSS-ASRU, Russian Federation), 81.19.131.34 (IVC-ASRU, Russian Federation)
  drops C:\Users\user\AppData\Local\Temp\9486.exe (PE32), C:\Users\user\AppData\Local\Temp\8C0A.exe (PE32), C:\Users\user\AppData\Local\Temp\81A8.exe (PE32), 2 other malicious files
  signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
  starts 765D.exe, 81A8.exe, 47AB.exe, 7 other processes
AppLaunch.exe
  contacts 34.117.59.81 (GOOGLE-AS-AP, United States), 193.233.132.51 (FREE-NET-AS, Russian Federation)
  drops C:\Windows\System32\GroupPolicy\GPT.INI (ASCII), C:\...\hUA6QSgRLwV0sQHLfbH0iHUCRdU8IH2J.zip (Zip), C:\Users\user\AppData\...\FANBooster131.exe (PE32), 2 other files (none is malicious)
  signatures: Tries to steal Mail credentials (via file / registry access); Found stalling execution ending in API Sleep call; Disables Windows Defender (deletes autostart); 7 other signatures
  starts schtasks.exe (twice, each with a conhost.exe), WerFault.exe (contacts 52.182.143.212, MICROSOFT-CORP-MSN-AS-BLOCK, United States)
765D.exe
  drops C:\Users\user\AppData\Local\Temp\tuc3.exe (PE32), C:\Users\user\AppData\Local\...\toolspub2.exe (PE32), C:\Users\user\AppData\Local\...\latestX.exe (PE32+), 2 other malicious files
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  starts 31839b57a4f11171d6abc8bbc4451ee4.exe, toolspub2.exe, latestX.exe, 4 other processes
81A8.exe
  contacts 176.123.7.190 (ALEXHOSTMD, Moldova Republic of)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)
47AB.exe
  contacts 77.105.132.87 (PLUSTELECOM-ASRU, Russian Federation)
  signatures: Tries to steal Crypto Currency Wallets
other processes started by explorer.exe
  drop C:\Users\user\AppData\...\Protect544cd51a.dll (PE32)
  signatures: Sample uses process hollowing technique
  start conhost.exe
31839b57a4f11171d6abc8bbc4451ee4.exe
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
toolspub2.exe
  signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
latestX.exe
  drops C:\Program Files\Google\Chrome\updater.exe (PE32+), C:\Windows\System32\drivers\etc\hosts (ASCII)
  signatures: Modifies the hosts file
other processes started by 765D.exe
  drop C:\Users\user\AppData\Local\Temp\...\tuc3.tmp (PE32), C:\Users\user\AppData\Local\Temp\Broom.exe (PE32)
  signatures: Machine Learning detection for dropped file
  start Broom.exe (Multi AV Scanner detection for dropped file)
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2023-12-08 20:14:29 UTC
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:glupteba family:privateloader family:redline family:risepro family:smokeloader botnet:@oleh_ps botnet:livetraffic botnet:up3 backdoor collection discovery dropper evasion infostealer loader persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
77.105.132.87:6731
176.123.7.190:32927
http://host-file-host6.com/
http://host-host-file8.com/
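The extracted C2 list above, together with the LummaStealer C2 from the abuse_ch comment, is the hunt list a responder would want to run over proxy, firewall and DNS logs. The following is an added example (not code from the page or from any vendor) that normalises the indicators to host/port pairs and matches them against a few constructed events; the whitespace-separated log format and the events themselves are invented for the example. The Google and Microsoft addresses from the behaviour graph are deliberately left out: they are shared cloud infrastructure and would only add noise.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Network indicators taken from this entry: the abuse_ch C2 comment and the
# vendor "C2 Extraction" list. Nothing else below comes from the page.
RAW_IOCS = [
    "http://neighborhoodfeelsa.fun/api",
    "193.233.132.51",
    "http://81.19.131.34/fks/index.php",
    "77.105.132.87:6731",
    "176.123.7.190:32927",
    "http://host-file-host6.com/",
    "http://host-host-file8.com/",
]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def normalise_ioc(ioc: str) -> Tuple[str, str, Optional[int]]:
    """Reduce a URL, host:port or bare host to (kind, host, port).

    kind is 'ip' or 'domain'. port is None when the indicator does not pin
    one; a URL without an explicit port is left as None rather than assumed
    to be 80/443, because these C2s are routinely moved between ports.
    """
    if "://" in ioc:
        parts = urlsplit(ioc)
        host, port = parts.hostname or "", parts.port
    else:
        host, _, port_text = ioc.partition(":")
        port = int(port_text) if port_text else None
    host = host.lower().rstrip(".")
    return ("ip" if _IPV4.match(host) else "domain"), host, port


def build_index(iocs) -> dict:
    """Map host -> set of pinned ports; None in the set means 'any port'."""
    index = {}
    for ioc in iocs:
        _, host, port = normalise_ioc(ioc)
        index.setdefault(host, set()).add(port)
    return index


# Constructed events (not real telemetry): "ts src dns qname" or "ts src conn dst dport".
SAMPLE_LOG = """\
2023-12-11T03:46:59Z 10.0.0.5 dns neighborhoodfeelsa.fun
2023-12-11T03:47:00Z 10.0.0.5 conn 34.117.59.81 443
2023-12-11T03:47:01Z 10.0.0.5 conn 193.233.132.51 80
2023-12-11T03:47:02Z 10.0.0.5 conn 77.105.132.87 6731
2023-12-11T03:47:03Z 10.0.0.5 conn 176.123.7.190 443
2023-12-11T03:47:04Z 10.0.0.7 dns HOST-FILE-HOST6.com.
2023-12-11T03:47:05Z 10.0.0.7 conn 10.0.0.1 53
"""


def match_log(text: str, index: dict) -> list:
    """Return one hit per event whose destination host is on the list.

    A hit is 'exact' when the indicator pins no port, the event carries no
    port (DNS), or the ports agree; otherwise 'host-only', which is still
    worth a look but is the weaker signal.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, src, kind = fields[:3]
        if kind == "dns":
            host, port = fields[3].lower().rstrip("."), None
        elif kind == "conn" and len(fields) >= 5:
            host, port = fields[3].lower(), int(fields[4])
        else:
            continue
        pinned = index.get(host)
        if pinned is None:
            continue
        port_ok = None in pinned or port is None or port in pinned
        hits.append({"ts": ts, "src": src, "kind": kind, "host": host,
                     "port": port, "match": "exact" if port_ok else "host-only"})
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_index(RAW_IOCS)):
        print(hit)
```

The DNS event for HOST-FILE-HOST6.com. shows why the normalisation matters: case and the trailing dot from a resolver log would otherwise miss a listed domain. The 176.123.7.190 connection on 443 surfaces as host-only because the extracted config pins port 32927; the host still belongs to this sample's infrastructure, so it is reported rather than dropped.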
Unpacked files
SHA256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
SHA256 hash:
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
MD5 hash:
ad49dd256adedfa2be9188ec3f68cb75
SHA1 hash:
fe2b02b3d63339ca976759c0e450f82c288b8f3b
Detections:
win_redline_wextract_hunting_oct_2023
Malware family:
PrivateLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:win_redline_wextract_hunting_oct_2023
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey
