MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5
SHA3-384 hash: 9e3acb0796afcae7ead6b770ef27336941bdcd9a2efd9ffde02de8becb04314022b72b0ae3b29f8db7b499b58468db4a
SHA1 hash: 372acaaacf60624d612dec2bc02786963154777d
MD5 hash: 3a66552b951bcac1100cbd7e7af6cd14
humanhash: solar-five-eight-island
File name:3a66552b951bcac1100cbd7e7af6cd14.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'840'800 bytes
First seen:2023-07-28 18:15:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:2ZfW54hpvs/dLb1ubIyzUY1waiQ4dDoMYWuxU/P3ZzbB3Mm1/vDrheqDqTGQVqF1:2ZfWSqbCKaiFdIWusvpbB3j/ZeqDcZA
Threatray 2 similar samples on MalwareBazaar
TLSH T14A856A417F989A15F46A6237C6EE400807B5B9433AC2F72B3DEA332D44127D63D49DEA
TrID 53.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
4.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8f8d8d8d8d8d0d0 (1 x LummaStealer)
Reporter abuse_ch
Tags:exe LummaStealer signed

Code Signing Certificate

Organisation:Cooler ID-Cooling SE-225-XT Black
Issuer:Cooler ID-Cooling SE-225-XT Black
Algorithm:sha1WithRSAEncryption
Valid from:2023-07-22T10:32:51Z
Valid to:2033-07-23T10:32:51Z
Serial number: 548f8566689475a74b7b101d26c8392e
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: af16e80a895d2f6d6c9f24e0abdc8815884f503eb70b951c2934e3a99531288a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
LummaStealer C2:
http://45.9.74.141/b7djSDcPcZ/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
3a66552b951bcac1100cbd7e7af6cd14.exe
Verdict:
Malicious activity
Analysis date:
2023-07-28 18:18:20 UTC
Tags:
lumma stealer amadey trojan
Link:
https://app.any.run/tasks/454eb29e-de37-4779-b39a-c2a9edba2fa3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/436436/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68314916.12319.10459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
DNS request
Reading critical registry keys
Creating a file
Sending a custom TCP request
Sending an HTTP GET request
Query of malicious DNS domain
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin obfuscated overlay packed packed regsvcs
Link:
https://www.filescan.io/uploads/64c405e45154a489a45964b8/reports/b4f2290e-b2a1-4608-b674-4bc776c44f85/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4d179f4-9ff9-4629-87f9-2052ba785ec9
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281966
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected VMProtect packer
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1281966 Sample: oCCFAL5B1C.exe Startdate: 28/07/2023 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 12 other signatures 2->71 10 oCCFAL5B1C.exe 1 2->10         started        14 bstyoops.exe 2->14         started        16 bstyoops.exe 2->16         started        18 bstyoops.exe 2->18         started        process3 file4 51 C:\Users\user\AppData\...\oCCFAL5B1C.exe.log, ASCII 10->51 dropped 87 Writes to foreign memory regions 10->87 89 Allocates memory in foreign processes 10->89 91 Injects a PE file into a foreign processes 10->91 20 RegSvcs.exe 13 10->20         started        93 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->93 signatures5 process6 dnsIp7 53 gstatic-node.io 188.114.96.7, 49699, 49700, 49702 CLOUDFLARENETUS European Union 20->53 55 188.114.97.7, 49701, 49704, 49705 CLOUDFLARENETUS European Union 20->55 57 2 other IPs or domains 20->57 47 C:\Users\user\AppData\...\qdpoqavuuv.exe, PE32 20->47 dropped 73 Performs DNS queries to domains with low reputation 20->73 75 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 20->75 77 Found evasive API chain (may stop execution after checking computer name) 20->77 79 Tries to harvest and steal browser information (history, passwords, etc) 20->79 25 qdpoqavuuv.exe 3 20->25         started        file8 signatures9 process10 file11 49 C:\Users\user\AppData\Local\...\bstyoops.exe, PE32 25->49 dropped 81 Multi AV Scanner detection for dropped file 25->81 83 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 25->83 85 Tries to detect virtualization through RDTSC time measurements 25->85 29 bstyoops.exe 13 25->29         started        signatures12 process13 dnsIp14 59 45.9.74.141, 49749, 49751, 49753 FIRST-SERVER-EU-ASRU Russian Federation 29->59 61 45.9.74.166, 49750, 49752, 49754 FIRST-SERVER-EU-ASRU Russian Federation 29->61 63 192.168.2.1 unknown unknown 29->63 95 Multi AV Scanner detection for dropped file 29->95 97 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->97 99 Creates an undocumented autostart registry key 29->99 101 2 other signatures 29->101 33 cmd.exe 1 29->33         started        35 schtasks.exe 1 29->35         started        signatures15 process16 process17 37 conhost.exe 33->37         started        39 cmd.exe 1 33->39         started        41 cmd.exe 1 33->41         started        45 4 other processes 33->45 43 conhost.exe 35->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-07-23 15:24:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uxv7h43wfxabxsrws2mtsymsp3dkun3mojdlraej5oui6a45nhkq._file
Verdict:
malicious
Similar samples:
9dd91a17703dba0d4582e24431c17eac4fdca602ea8d14f4f43afcc2657b3bbc
LummaStealer
9fbdcf044aba61ae6c0678b5f83fc4bd8b589ba3a4fd12a5bef53e2ead494eed
LummaStealer
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:sectoprat family:systembc discovery evasion persistence rat spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/230728-wwfvvagd45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
VMProtect packed file
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Lumma Stealer
SectopRAT
SectopRAT payload
SystemBC
Malware Config
C2 Extraction:
45.9.74.166/b7djSDcPcZ/index.php
45.9.74.141/b7djSDcPcZ/index.php
5.42.65.67:4298
localhost.exchange:4298
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/764cfdaf-f9d0-41de-aa6c-826c77dfc19a/
SH256 hash:
fcd0aee1719342f224b048c50f52be7a478d6ff145cc721fb2698c4fa7bd050e
MD5 hash:
3f0cffb5cecc27ee48529d92361cb1fa
SHA1 hash:
497be6dc65faf807274ef5182d6e6665bbbdd6d7
Link:
https://www.unpac.me/results/764cfdaf-f9d0-41de-aa6c-826c77dfc19a/
SH256 hash:
a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5
MD5 hash:
3a66552b951bcac1100cbd7e7af6cd14
SHA1 hash:
372acaaacf60624d612dec2bc02786963154777d
Link:
https://www.unpac.me/results/764cfdaf-f9d0-41de-aa6c-826c77dfc19a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5ebf3f3762d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_USNDeleteJournal
Create hunting rule
Author:ditekSHen
Description:Detects executables containing anti-forensic artifcats of deletiing USN change journal. Observed in ransomware
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/436436/

Comments