MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LuminosityLink


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347
SHA3-384 hash: fd083d0ea56d9ae7100f8151d32229c8286d6ad8e57e9aa0585374da229e2c852c6e3f51eee263a9da8fd2c5476ad85f
SHA1 hash: 1668cfd05ca70d5acc1174c18d673c529fce402f
MD5 hash: 298b03aacf618a8010c3db5b420627ae
humanhash: fish-network-harry-fifteen
File name:a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347
Download: download sample
Signature LuminosityLink
Create hunting rule
File size:321'024 bytes
First seen:2021-02-28 07:05:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b97b699960a77468209fbdfcbcba9ec (1 x LuminosityLink, 1 x RedLineStealer)
ssdeep 6144:Bfap0yN90QEud4LXOeNgWpN5LNhSS/QHw6hydmvfT:1y90dLXOmgWD5LNktha8fT
Threatray 212 similar samples on MalwareBazaar
TLSH 3364F142A3E401EAE8F6677499F30643AA727C929B7882DF1359D55E0F336C0E536713
Reporter JAMESWT_WT
Tags:LuminosityLink

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347
Verdict:
No threats detected
Analysis date:
2021-02-28 09:30:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58bdf098-2d3d-466c-801f-c2bf66bff54d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LuminosityLink
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119763/
Detection(s):
Win.Malware.Powershell-6986743-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Deleting a recently created file
Setting a keyboard event handler
DNS request
Adding an access-denied ACE
Creating a file in the Windows subdirectories
Sending a UDP request
Moving a recently created file
Unauthorized injection to a recently created process
Setting a single autorun event
Enabling autorun
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LuminosityLink
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621217
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected LuminosityLink RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359600 Sample: AGNvB9Ra3i Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 8 other signatures 2->67 9 AGNvB9Ra3i.exe 1 5 2->9         started        12 614167718.exe 1 8 2->12         started        16 614167718.exe 2->16         started        18 rundll32.exe 2->18         started        process3 dnsIp4 85 Creates multiple autostart registry keys 9->85 20 cmd.exe 1 9->20         started        23 cmd.exe 1 9->23         started        59 crypticuser.no-ip.biz 12->59 53 C:\ProgramData\967033\sysmon.exe, PE32 12->53 dropped 87 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->87 89 Installs a global keyboard hook 12->89 25 sysmon.exe 12->25         started        file5 signatures6 process7 signatures8 69 Suspicious powershell command line found 20->69 27 powershell.exe 19 20->27         started        31 conhost.exe 20->31         started        33 conhost.exe 23->33         started        process9 file10 51 C:\Users\user\AppData\Local\...\614167718.exe, PE32 27->51 dropped 91 Powershell drops PE file 27->91 35 614167718.exe 8 14 27->35         started        signatures11 process12 dnsIp13 55 crypticuser.no-ip.biz 35->55 57 192.168.2.1 unknown unknown 35->57 49 C:\Windows\SysWOW64\clientsvr.exe, PE32 35->49 dropped 71 Antivirus detection for dropped file 35->71 73 Multi AV Scanner detection for dropped file 35->73 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->75 77 10 other signatures 35->77 40 sysmon.exe 3 35->40         started        43 zOAyiAKvGZqPIpxwImifjRlGunqbs.exe 35->43 injected 45 zOAyiAKvGZqPIpxwImifjRlGunqbs.exe 35->45 injected 47 3 other processes 35->47 file14 signatures15 process16 signatures17 79 Antivirus detection for dropped file 40->79 81 Multi AV Scanner detection for dropped file 40->81 83 Machine Learning detection for dropped file 40->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2015-08-04 01:54:00 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uls6ebi73i3bkc44fdlzpxy3ukixydc7ij4udhx2rebisb2iwndq._file
Verdict:
malicious
Similar samples:
137b5dc137f3f0c5bc3d4e1cd1f2396b33bd5b87291f72013a98b319c130b451
LuminosityLink
2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91
LuminosityLink
36e5646b2622d4c47947fa54a8f35c1c9d91db60ce3116e352f9f93b8a9f3ada
LuminosityLink
4249d6f93c374bf9199c33bbc49f57c1d1dd983e8c6356b5ed8739d326683c77
LuminosityLink
5f829ed079ce3010fb99eca5ee356e2ffc5ab62cedfb2683ac5ac76a66fb3ed1
LuminosityLink
908959fae28ad03836fb12b94a9a2f80981ec15f6481c230b9108f097edeb176
LuminosityLink
9dc8d8533e87fe22f98fb67f8705e14e93a8eeb5da355dc15251e03837334162
LuminosityLink
d8c07fc0cc1addc3f25623ac872703d2c10ae5e8fadc7370e13b4162e063a376
LuminosityLink
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
LuminosityLink
f428cda5f99c3961bb5532cd38f6c512cffb2a6dfc30865897e52d838c7cfef2
LuminosityLink
+ 202 additional samples on MalwareBazaar
Result
Malware family:
luminosity
Create hunting rule
Score:
  10/10
Tags:
family:luminosity persistence rat
Link:
https://tria.ge/reports/210228-52gv4rvgbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Luminosity
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347
MD5 hash:
298b03aacf618a8010c3db5b420627ae
SHA1 hash:
1668cfd05ca70d5acc1174c18d673c529fce402f
Link:
https://www.unpac.me/results/c52b322a-cafd-4586-a086-dcbc523380d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Muldrop
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/a2e5e2051fda36150b9c28d797df1ba2917c0c5f4279419efa8902890748b347

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119763/

Comments