MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9
SHA3-384 hash: 27024a984f656413fd0906a0e211a3e2746b725accb8e34f742599fe8e59c5db59b859c712aab0d5641d92ce7ee02ddf
SHA1 hash: 613ad19e83e43faa8cd546b183b9d907e488ce58
MD5 hash: 098621a8fa13fdfd4ce2d9c3dc010092
humanhash: west-georgia-eighteen-winter
File name:SecuriteInfo.com.Trojan.Inject5.6732.13710.8794
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'162'272 bytes
First seen:2024-08-08 08:23:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18cd531cc44c9bf7f4a78c62c15c1c41 (9 x SnakeKeylogger, 6 x AgentTesla, 3 x Formbook)
ssdeep 49152:kWiP0wV0hJ5VGx6ODJ1+aEtWX33oG1SdZo2:2VUcFabLh
Threatray 64 similar samples on MalwareBazaar
TLSH T1BFA5B015E3E802A4D47BC630CA699733D7B0B4592734D68B0A49D7462FF3AA18B7F712
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter SecuriteInfoCom
Tags:exe LummaStealer signed

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-07-30T10:40:28Z
Valid to:2025-07-30T10:40:28Z
Serial number: 90cb1a6caae20b3bc97fb25ecedcff59
Thumbprint Algorithm:SHA256
Thumbprint: ee991d628ad0dd37366580bc3fbf789427104d040aad440530c5ed538efa0678
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
setup2.exe
Verdict:
Malicious activity
Analysis date:
2024-08-01 06:46:30 UTC
Tags:
pastebin github privateloader evasion berbew lumma stealer loader smokeloader metastealer redline opendir
Link:
https://app.any.run/tasks/daee70f2-0d4a-4e22-b60d-cdaf7df28e0d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject5.6732.13710.8794.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b480a7aa5b40be0a9fdaa7
Tags:
Encryption Network Static Stealth Pswstealer
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Running batch commands
Launching cmd.exe command interpreter
Sending an HTTP POST request
Creating a window
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint hacktool lolbin microsoft_visual_cc overlay packed regedit remote shell32
Link:
https://www.filescan.io/uploads/66b480aa20b316b86ff20b4d/reports/524b0c94-8354-490c-b5b9-6132322eb692/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a7d199a0-7302-4fd0-99e7-8398890f2dac
Result
Threat name:
Cryptbot, Neoreklami
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1489904
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Creates files in the recycle bin to hide itself
Creates HTML files with .exe extension (expired dropper behavior)
Drops script or batch files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Cryptbot
Yara detected Generic Downloader
Yara detected Neoreklami
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1489904 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 08/08/2024 Architecture: WINDOWS Score: 100 156 pastebin.com 2->156 158 tvez20vt.top 2->158 160 6 other IPs or domains 2->160 180 Multi AV Scanner detection for domain / URL 2->180 182 Found malware configuration 2->182 184 Antivirus detection for URL or domain 2->184 188 10 other signatures 2->188 15 SecuriteInfo.com.Trojan.Inject5.6732.13710.8794.exe 1 2->15         started        18 Install.exe 2->18         started        21 cmd.exe 1 2->21         started        23 2 other processes 2->23 signatures3 186 Connects to a pastebin service (likely for C&C) 156->186 process4 file5 210 Writes to foreign memory regions 15->210 212 Allocates memory in foreign processes 15->212 214 Sample uses process hollowing technique 15->214 216 Injects a PE file into a foreign processes 15->216 25 CasPol.exe 15 56 15->25         started        30 conhost.exe 15->30         started        136 C:\Windows\Temp\...\apuENOq.exe, PE32 18->136 dropped 138 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 18->138 dropped 218 Creates files in the recycle bin to hide itself 18->218 220 Modifies Windows Defender protection settings 18->220 222 Modifies Group Policy settings 18->222 32 cmd.exe 18->32         started        34 conhost.exe 21->34         started        36 conhost.exe 23->36         started        38 conhost.exe 23->38         started        signatures6 process7 dnsIp8 162 pastebin.com 104.20.3.235 CLOUDFLARENETUS United States 25->162 164 140.82.121.3 GITHUBUS United States 25->164 166 16 other IPs or domains 25->166 148 C:\Users\...\ucBNnaSADCb0LagmriFBHVAr.exe, PE32 25->148 dropped 150 C:\Users\...\hMtjxQLjdNZ2T7HiJXU6olVz.exe, PE32 25->150 dropped 152 C:\Users\...\QHGtoIDrYm7JSXatQJIq0K2o.exe, PE32 25->152 dropped 154 22 other files (20 malicious) 25->154 dropped 190 Drops script or batch files to the startup folder 25->190 192 Creates HTML files with .exe extension (expired dropper behavior) 25->192 194 Found many strings related to Crypto-Wallets (likely being stolen) 25->194 40 hMtjxQLjdNZ2T7HiJXU6olVz.exe 7 25->40         started        43 QHGtoIDrYm7JSXatQJIq0K2o.exe 7 25->43         started        45 QFVqqhWmPScFeYXWyYRmcc20.exe 1 25->45         started        49 ucBNnaSADCb0LagmriFBHVAr.exe 25->49         started        51 conhost.exe 32->51         started        53 reg.exe 34->53         started        file9 signatures10 process11 dnsIp12 144 C:\Users\user\AppData\Local\...\Install.exe, PE32 40->144 dropped 55 Install.exe 4 40->55         started        146 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->146 dropped 58 Install.exe 43->58         started        168 tvez20vt.top 31.192.244.36 ABSTATIONwwwabstationnetGB United Kingdom 45->168 202 Multi AV Scanner detection for dropped file 45->202 204 Tries to harvest and steal browser information (history, passwords, etc) 45->204 file13 signatures14 process15 file16 140 C:\Users\user\AppData\Local\...\Install.exe, PE32 55->140 dropped 60 Install.exe 55->60         started        142 C:\Users\user\AppData\Local\...\Install.exe, PE32 58->142 dropped 63 Install.exe 58->63         started        process17 signatures18 196 Uses schtasks.exe or at.exe to add and modify task schedules 60->196 198 Modifies Windows Defender protection settings 60->198 65 cmd.exe 60->65         started        68 forfiles.exe 60->68         started        70 schtasks.exe 60->70         started        200 Uses cmd line tools excessively to alter registry or file data 63->200 72 cmd.exe 63->72         started        74 forfiles.exe 63->74         started        76 schtasks.exe 63->76         started        process19 signatures20 170 Suspicious powershell command line found 65->170 172 Uses cmd line tools excessively to alter registry or file data 65->172 174 Modifies Windows Defender protection settings 65->174 78 forfiles.exe 65->78         started        81 forfiles.exe 65->81         started        83 forfiles.exe 65->83         started        89 3 other processes 65->89 91 2 other processes 68->91 85 conhost.exe 70->85         started        93 6 other processes 72->93 95 2 other processes 74->95 87 conhost.exe 76->87         started        process21 signatures22 206 Modifies Windows Defender protection settings 78->206 97 cmd.exe 78->97         started        100 cmd.exe 81->100         started        102 cmd.exe 83->102         started        104 cmd.exe 89->104         started        106 cmd.exe 89->106         started        108 powershell.exe 91->108         started        110 cmd.exe 93->110         started        114 4 other processes 93->114 208 Suspicious powershell command line found 95->208 112 powershell.exe 95->112         started        process23 signatures24 176 Uses cmd line tools excessively to alter registry or file data 97->176 116 reg.exe 97->116         started        118 reg.exe 100->118         started        120 reg.exe 102->120         started        178 Suspicious powershell command line found 104->178 122 powershell.exe 104->122         started        124 WMIC.exe 108->124         started        126 powershell.exe 110->126         started        128 WMIC.exe 112->128         started        130 reg.exe 114->130         started        132 3 other processes 114->132 process25 process26 134 gpupdate.exe 122->134         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9/
Threat name:
Win64.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-07-30 20:56:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlr7u7q2fqlb7ttldont3t2izq7xs7gcovf5ckzicdgmuiom7xmq._file
Verdict:
malicious
Similar samples:
0997cd367dbb02952b9fd3f1f368deb48e78317efa01604cd596c7eb6c75ba08
LummaStealer
1f955e253537a0481eb14314929d44936aec49ff8fb022bdf6b5b7753b1944b0
LummaStealer
604df38c9f4f6b12065f2028376c9d0b2393a948caaaee8aab309dc5862fa868
LummaStealer
aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9
LummaStealer
e8833753c577fada3bfb782a806fe4416a72ac905b6b00087bf48f3df8c3757e
LummaStealer
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
credential_access defense_evasion discovery evasion execution spyware stealer trojan
Link:
https://tria.ge/reports/240809-k4wqgssfkd/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indirect Command Execution
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/30b08fd8-487a-4a6e-803e-04248f38c21b
Unpacked files
SH256 hash:
aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9
MD5 hash:
098621a8fa13fdfd4ce2d9c3dc010092
SHA1 hash:
613ad19e83e43faa8cd546b183b9d907e488ce58
Link:
https://www.unpac.me/results/5ab1c796-0ab2-490c-bb7a-d6c1dc569925/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3095811/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::RevertToSelf
ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenerateSymmetricKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW

Comments