MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486
SHA3-384 hash: e6e21bbb6fbe93331a819560c7a7baf626b3bcc8afa8ffb93cda82d447ca1b229898957ad24c40c22118ec7ea660fbfa
SHA1 hash: f569d725f16d033dbd6479cbde513ee4003492c0
MD5 hash: 331286ccfef0f9d93edce15d5ab89f23
humanhash: carbon-mobile-skylark-colorado
File name:8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'476'544 bytes
First seen:2024-01-02 18:57:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:SLzYog2T2VZh0g/WKxprHwn9+I/9ut7M8hwJ5FPmynogyRwf:qVgxPh0g/WkpMFjqOP3ogyRs
Threatray 646 similar samples on MalwareBazaar
TLSH T1B1B5338267E24471CAA51B71A8F707C71A307DA3BB24571F3A81EB8508F35D1B536B3A
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter adm1n_usa32
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe
Verdict:
Malicious activity
Analysis date:
2024-01-02 19:31:05 UTC
Tags:
risepro stealer evasion
Link:
https://app.any.run/tasks/56ede54c-53cb-4624-952c-22b6f44889b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

Win.Packed.Risepro-10017970-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
DNS request
Sending a custom TCP request
Creating a file
Blocking the Windows Defender launch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
advpack anti-vm azorult CAB control explorer installer lolbin packed risepro rundll32 setupapi sfx shell32 smokeloader
Link:
https://www.filescan.io/uploads/65945cdb7d4bdb7f8b037df6/reports/ae447325-d6ce-424c-abe5-9cda7079533d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368936
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RisePro Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368936 Sample: xYU9LV6f1m.exe Startdate: 02/01/2024 Architecture: WINDOWS Score: 100 127 rr3.sn-q4fl6ns6.googlevideo.com 2->127 129 rr3---sn-q4fl6ns6.googlevideo.com 2->129 131 3 other IPs or domains 2->131 143 Snort IDS alert for network traffic 2->143 145 Antivirus detection for URL or domain 2->145 147 Antivirus detection for dropped file 2->147 149 8 other signatures 2->149 10 xYU9LV6f1m.exe 1 4 2->10         started        13 MaxLoonaFest131.exe 2->13         started        16 OfficeTrackerNMP131.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 file5 109 C:\Users\user\AppData\Local\...\aA5bh82.exe, PE32 10->109 dropped 111 C:\Users\user\AppData\Local\...\6UW9Pr8.exe, PE32 10->111 dropped 20 aA5bh82.exe 1 4 10->20         started        113 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 13->113 dropped 115 C:\...\kXkyBIWkUJERnLj9SlYD74aM5qJXaCo6.zip, Zip 13->115 dropped 175 Antivirus detection for dropped file 13->175 177 Multi AV Scanner detection for dropped file 13->177 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->179 195 3 other signatures 13->195 34 2 other processes 13->34 181 Machine Learning detection for dropped file 16->181 183 Modifies Windows Defender protection settings 16->183 185 Hides threads from debuggers 16->185 24 powershell.exe 16->24         started        26 powershell.exe 16->26         started        28 powershell.exe 16->28         started        36 9 other processes 16->36 117 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->117 dropped 119 C:\...\8DIVrq2EyMCBFSH0bthkf0sLiJQV2ieF.zip, Zip 18->119 dropped 187 Detected unpacking (changes PE section rights) 18->187 189 Tries to steal Mail credentials (via file / registry access) 18->189 191 Found many strings related to Crypto-Wallets (likely being stolen) 18->191 193 Tries to harvest and steal browser information (history, passwords, etc) 18->193 30 powershell.exe 18->30         started        32 powershell.exe 18->32         started        38 11 other processes 18->38 signatures6 process7 file8 97 C:\Users\user\AppData\Local\...\5tJ3Xx4.exe, PE32 20->97 dropped 99 C:\Users\user\AppData\Local\...\2mL9740.exe, PE32 20->99 dropped 151 Antivirus detection for dropped file 20->151 153 Multi AV Scanner detection for dropped file 20->153 155 Binary is likely a compiled AutoIt script file 20->155 157 Machine Learning detection for dropped file 20->157 40 5tJ3Xx4.exe 21 41 20->40         started        45 2mL9740.exe 12 20->45         started        47 conhost.exe 24->47         started        49 conhost.exe 26->49         started        51 conhost.exe 28->51         started        53 conhost.exe 30->53         started        55 conhost.exe 32->55         started        57 9 other processes 36->57 59 10 other processes 38->59 signatures9 process10 dnsIp11 139 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 40->139 141 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 40->141 101 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 40->101 dropped 103 C:\Users\user\AppData\...\FANBooster131.exe, PE32 40->103 dropped 105 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 40->105 dropped 107 2 other malicious files 40->107 dropped 159 Antivirus detection for dropped file 40->159 161 Multi AV Scanner detection for dropped file 40->161 163 Detected unpacking (changes PE section rights) 40->163 173 8 other signatures 40->173 61 powershell.exe 40->61         started        64 cmd.exe 40->64         started        66 cmd.exe 40->66         started        75 13 other processes 40->75 165 Binary is likely a compiled AutoIt script file 45->165 167 Machine Learning detection for dropped file 45->167 169 Found API chain indicative of sandbox detection 45->169 171 Contains functionality to modify clipboard data 45->171 68 chrome.exe 9 45->68         started        71 chrome.exe 45->71         started        73 chrome.exe 45->73         started        file12 signatures13 process14 dnsIp15 197 Found many strings related to Crypto-Wallets (likely being stolen) 61->197 77 conhost.exe 61->77         started        199 Uses schtasks.exe or at.exe to add and modify task schedules 64->199 91 2 other processes 64->91 93 2 other processes 66->93 133 192.168.2.10 unknown unknown 68->133 135 192.168.2.16 unknown unknown 68->135 137 239.255.255.250 unknown Reserved 68->137 201 Suspicious execution chain found 68->201 80 chrome.exe 68->80         started        83 chrome.exe 68->83         started        85 chrome.exe 68->85         started        87 chrome.exe 71->87         started        89 chrome.exe 73->89         started        95 11 other processes 75->95 signatures16 process17 dnsIp18 203 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 77->203 205 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 77->205 207 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 77->207 209 Queries memory information (via WMI often done to detect virtual machines) 77->209 121 142.250.113.100 GOOGLEUS United States 80->121 123 photos-ugc.l.googleusercontent.com 142.250.113.132 GOOGLEUS United States 80->123 125 39 other IPs or domains 80->125 signatures19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486/
Threat name:
Win32.Trojan.GenSHCode
Create hunting rule
Status:
Malicious
First seen:
2024-01-01 14:34:57 UTC
File Type:
PE (Exe)
Extracted files:
165
AV detection:
17 of 22 (77.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzaommzrsm2zxny4i4jv77otaepk7cbmhgd2prwvisincw2tosda._file
Verdict:
malicious
Similar samples:
44d85e7e0e05ce06956da634a3f19633f1393bf7f82f1faef84e2c4e9d57af5a
LummaStealer
46ac37f4635f315ac0e174392855fa549410746e8826b2d3b066d2352b1d6ca4
LummaStealer
4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
LummaStealer
66694f7dcb467cd242471f76c58bc236c458761d22bcb4682a07605e0d7bd384
LummaStealer
94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233
LummaStealer
b1fb72a02b7436b470e38efe26e869bf133c9d5fbea1b8f346847fea69cbfafd
LummaStealer
b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a
LummaStealer
bd09222e00af329436f92ffddb3d0b35bc2ba06142c28731a7701b1f02d035ab
LummaStealer
cf8fc15de0b79ca65fcf8682ed6d088ee5b8b994ed71454f84fabade050d2b44
LummaStealer
e676efee6430e704781265aaa9f98be910d8a0897ad2b4dc2cc93d8461c2851b
LummaStealer
+ 636 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
brand:google collection discovery evasion persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/240102-23zt7aecf9/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
bbcc6f50a40fab6656550fbec3ee510510a84a5ab30a1a4612d15d93ca867296
MD5 hash:
e530656de844d187d0a8b250301ff58e
SHA1 hash:
157e313347ace4f3ba0674141bad47def2fb1865
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/4930fe3b-6998-46db-8492-5675bac56645/
SH256 hash:
8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486
MD5 hash:
331286ccfef0f9d93edce15d5ab89f23
SHA1 hash:
f569d725f16d033dbd6479cbde513ee4003492c0
Link:
https://www.unpac.me/results/4930fe3b-6998-46db-8492-5675bac56645/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments