MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
SHA3-384 hash: 16acfcc8d006930cf6659adb2f5de58a4c31506fea111bebc429b065d49f6da1be4b11a0e338f7b0da9c5351749c92e2
SHA1 hash: 1f7692d45186243618956b87b4ec0510e8658f1e
MD5 hash: 873ccf3802ea1eed137897c0c54ac940
humanhash: magazine-fanta-magnesium-saturn
File name:be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'932'736 bytes
First seen:2023-12-06 05:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:LBgOoO2/l7fjwz4rYSUFIEUjSeC3CO/vSA3Y9JfrXusBsQJfwcj:lt2Fbsax1OXfI9JfrX5Dj
Threatray 12 similar samples on MalwareBazaar
TLSH T1D8D53346DAE0051FEA742B3435FB05572731BDB214F9A62B7BDA2BD20C73784A932316
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
20.195.170.6:1533

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462761/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Downloader.Crifi-10009289-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Launching a process
Replacing files
Launching a service
DNS request
Sending a UDP request
Sending an HTTP GET request
Reading critical registry keys
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65700bc6855eb2633d611a47/reports/6c24a74e-9023-4b98-a9b0-6d7bc9a678a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/48204d9c-cf59-41a1-96ba-8a116d6f5594
Result
Threat name:
LummaC Stealer, PrivateLoader, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354410
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354410 Sample: be51f7f25e5e0491812b9b00cc2... Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 137 236.76.10.0.in-addr.arpa 2->137 139 yeahweliftbro.cz 2->139 141 3 other IPs or domains 2->141 153 Snort IDS alert for network traffic 2->153 155 Multi AV Scanner detection for domain / URL 2->155 157 Found malware configuration 2->157 159 18 other signatures 2->159 13 be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b.exe 1 4 2->13         started        17 OfficeTrackerNMP131.exe 10 501 2->17         started        19 OfficeTrackerNMP131.exe 2->19         started        21 10 other processes 2->21 signatures3 process4 file5 117 C:\Users\user\AppData\Local\...\Qs6uR39.exe, PE32 13->117 dropped 119 C:\Users\user\AppData\Local\...\6mB1nv2.exe, PE32 13->119 dropped 209 Binary is likely a compiled AutoIt script file 13->209 23 Qs6uR39.exe 1 4 13->23         started        121 C:\...\xmCidoLOelgTB2VGWvIeMAW47LiX2F92.zip, Zip 17->121 dropped 211 Antivirus detection for dropped file 17->211 213 Multi AV Scanner detection for dropped file 17->213 215 Tries to steal Mail credentials (via file / registry access) 17->215 223 6 other signatures 17->223 26 WerFault.exe 17->26         started        217 Disables Windows Defender (deletes autostart) 19->217 219 Tries to harvest and steal browser information (history, passwords, etc) 19->219 221 Exclude list of file types from scheduled, custom, and real-time scanning 19->221 28 WerFault.exe 19->28         started        30 WerFault.exe 21->30         started        32 WerFault.exe 21->32         started        34 WerFault.exe 21->34         started        signatures6 process7 file8 97 C:\Users\user\AppData\Local\...\Ze8ML30.exe, PE32 23->97 dropped 99 C:\Users\user\AppData\Local\...\5lq4PQ4.exe, PE32 23->99 dropped 36 Ze8ML30.exe 1 4 23->36         started        process9 file10 93 C:\Users\user\AppData\Local\...\jX2LU72.exe, PE32 36->93 dropped 95 C:\Users\user\AppData\Local\...\4lx437sM.exe, PE32 36->95 dropped 39 jX2LU72.exe 1 4 36->39         started        process11 file12 101 C:\Users\user\AppData\Local\...\3Sf92Vd.exe, PE32 39->101 dropped 103 C:\Users\user\AppData\Local\...\1pZ19vJ8.exe, PE32 39->103 dropped 42 3Sf92Vd.exe 39->42         started        45 1pZ19vJ8.exe 11 508 39->45         started        process13 dnsIp14 165 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 42->165 167 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 42->167 169 Maps a DLL or memory area into another process 42->169 177 2 other signatures 42->177 49 explorer.exe 42->49 injected 149 193.233.132.51, 49729, 49730, 49731 FREE-NET-ASFREEnetEU Russian Federation 45->149 151 ipinfo.io 34.117.59.81, 443, 49732, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 45->151 123 C:\Users\user\AppData\...\FANBooster131.exe, PE32 45->123 dropped 125 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 45->125 dropped 127 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 45->127 dropped 129 2 other malicious files 45->129 dropped 171 Tries to steal Mail credentials (via file / registry access) 45->171 173 Found many strings related to Crypto-Wallets (likely being stolen) 45->173 175 Found stalling execution ending in API Sleep call 45->175 179 7 other signatures 45->179 54 schtasks.exe 1 45->54         started        56 schtasks.exe 1 45->56         started        58 WerFault.exe 45->58         started        file15 signatures16 process17 dnsIp18 131 185.196.8.238 SIMPLECARRER2IT Switzerland 49->131 133 185.172.128.19, 49756, 80 NADYMSS-ASRU Russian Federation 49->133 135 2 other IPs or domains 49->135 85 C:\Users\user\AppData\Local\Temp\C504.exe, PE32 49->85 dropped 87 C:\Users\user\AppData\Local\Temp\C0EC.exe, PE32 49->87 dropped 89 C:\Users\user\AppData\Local\Temp\BB0F.exe, PE32 49->89 dropped 91 7 other malicious files 49->91 dropped 161 System process connects to network (likely due to code injection or exploit) 49->161 163 Benign windows process drops PE files 49->163 60 4C8F.exe 49->60         started        64 8B22.exe 49->64         started        66 50F5.exe 49->66         started        73 5 other processes 49->73 69 conhost.exe 54->69         started        71 conhost.exe 56->71         started        file19 signatures20 process21 dnsIp22 105 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 60->105 dropped 107 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 60->107 dropped 191 Multi AV Scanner detection for dropped file 60->191 193 Machine Learning detection for dropped file 60->193 75 File2.exe 60->75         started        79 File1.exe 60->79         started        81 conhost.exe 60->81         started        109 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 64->109 dropped 111 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 64->111 dropped 113 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 64->113 dropped 115 2 other malicious files 64->115 dropped 195 Antivirus detection for dropped file 64->195 143 195.10.205.16, 2245, 49755 TSSCOM-ASRU Russian Federation 66->143 197 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 66->197 199 Found many strings related to Crypto-Wallets (likely being stolen) 66->199 201 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 66->201 203 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 73->203 205 Modifies the context of a thread in another process (thread injection) 73->205 207 Injects a PE file into a foreign processes 73->207 83 conhost.exe 73->83         started        file23 signatures24 process25 dnsIp26 145 176.123.7.190, 32927, 49758 ALEXHOSTMD Moldova Republic of 75->145 181 Multi AV Scanner detection for dropped file 75->181 183 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 75->183 185 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 75->185 187 Tries to harvest and steal browser information (history, passwords, etc) 75->187 147 176.123.10.211, 47430, 49757 ALEXHOSTMD Moldova Republic of 79->147 189 Tries to steal Crypto Currency Wallets 79->189 signatures27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 05:51:05 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzi7p4s6lycjdajltmamyjp2mbuf42rvhzrlabmpizlp2wz5745q._file
Verdict:
malicious
Similar samples:
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
LummaStealer
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
LummaStealer
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
LummaStealer
c76625ff441ba1a68172aa25ee4c9941c2d00435fed8f966efedfda7c163d03d
LummaStealer
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
LummaStealer
+ 2 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231206-gj57msbg59/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/792e7521-4857-47c2-a1d3-4f7f571537e1/
SH256 hash:
69afe5c310bbe93082b1d4dbb1d68b6d173cf5d20e7221a5507a2dd9ccaa7ccc
MD5 hash:
3d2ccaeef28059e204cfbea708f2dbad
SHA1 hash:
411d0a3e0ffdca5ceff0e9653476909f3c8b863f
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/792e7521-4857-47c2-a1d3-4f7f571537e1/
SH256 hash:
be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b
MD5 hash:
873ccf3802ea1eed137897c0c54ac940
SHA1 hash:
1f7692d45186243618956b87b4ec0510e8658f1e
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/792e7521-4857-47c2-a1d3-4f7f571537e1/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be51f7f25e5e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be51f7f25e5e0491812b9b00cc25fa60685e6a353e62b0058f4656fd5b3dff3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462761/

Comments