MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
SHA3-384 hash: fdb50354d4771b20c25ee51e3f84ac3adf5b3af7591f2c8ba6a4a91935de67ce6ca443a618084251acf8c81753417039
SHA1 hash: 2e6b87f54c507a16f0fb2db2d8f5caaace31da4f
MD5 hash: aed26b16d0bf4517eca0a4b1ecee11dc
humanhash: asparagus-harry-london-eleven
File name:aed26b16d0bf4517eca0a4b1ecee11dc.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'419'712 bytes
First seen:2023-12-12 07:55:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:KQfrOIrEipI3cGObDEKBIYxyOAIPznVuqxcp53/WTmTW:lS0EiC3jObNTxyOJzRY5J
Threatray 915 similar samples on MalwareBazaar
TLSH T1C9B5330263E6C960E8F91B3064F603C31537FC959D7852AB2CA9EC8D0C739AA55B537B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
http://scanintegrutybatowss.pw/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466344/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Forced shutdown of a system process
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
91%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer keylogger lolbin packed rundll32 setupapi sfx shell32 smokeloader
Link:
https://www.filescan.io/uploads/657812153636548f374c2671/reports/a65e3680-fd88-4296-bca4-9f17e8866e7e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0df6ea4b-9139-45f7-b079-6430841a4cda
Result
Threat name:
PrivateLoader, RedLine, RisePro Stealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1359807
Signature
.NET source code contains very large array initializations
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1359807 Sample: gW8p9Yul7A.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 100 119 time.windows.com 2->119 121 s3-w.us-east-1.amazonaws.com 2->121 123 4 other IPs or domains 2->123 149 Snort IDS alert for network traffic 2->149 151 Found malware configuration 2->151 153 Malicious sample detected (through community Yara rule) 2->153 155 14 other signatures 2->155 13 gW8p9Yul7A.exe 1 4 2->13         started        17 svchost.exe 2->17         started        19 svchost.exe 1 2->19         started        21 14 other processes 2->21 signatures3 process4 file5 101 C:\Users\user\AppData\Local\...\lY7DE11.exe, PE32 13->101 dropped 103 C:\Users\user\AppData\Local\...\6Hu2Xs4.exe, PE32 13->103 dropped 189 Binary is likely a compiled AutoIt script file 13->189 23 lY7DE11.exe 1 4 13->23         started        191 Changes security center settings (notifications, updates, antivirus, firewall) 17->191 27 MpCmdRun.exe 17->27         started        193 Query firmware table information (likely to detect VMs) 19->193 29 WerFault.exe 21->29         started        signatures6 process7 file8 97 C:\Users\user\AppData\Local\...\gt5QG06.exe, PE32 23->97 dropped 99 C:\Users\user\AppData\Local\...\5OX8Am4.exe, PE32 23->99 dropped 169 Antivirus detection for dropped file 23->169 171 Machine Learning detection for dropped file 23->171 31 gt5QG06.exe 1 4 23->31         started        35 conhost.exe 27->35         started        signatures9 process10 file11 105 C:\Users\user\AppData\Local\...\tA4UK71.exe, PE32 31->105 dropped 107 C:\Users\user\AppData\Local\...\4le707vz.exe, PE32 31->107 dropped 127 Antivirus detection for dropped file 31->127 129 Machine Learning detection for dropped file 31->129 37 tA4UK71.exe 1 4 31->37         started        41 4le707vz.exe 31->41         started        signatures12 process13 file14 91 C:\Users\user\AppData\Local\...\3lb79TN.exe, PE32 37->91 dropped 93 C:\Users\user\AppData\Local\...\1Lt64bj6.exe, PE32 37->93 dropped 157 Antivirus detection for dropped file 37->157 159 Machine Learning detection for dropped file 37->159 43 1Lt64bj6.exe 37->43         started        46 3lb79TN.exe 37->46         started        95 C:\...\kje83jB95t7pd4iLrHF9uPZn781aKfqp.zip, Zip 41->95 dropped 161 Tries to steal Mail credentials (via file / registry access) 41->161 163 Disables Windows Defender (deletes autostart) 41->163 165 Tries to harvest and steal browser information (history, passwords, etc) 41->165 167 3 other signatures 41->167 signatures15 process16 signatures17 173 Machine Learning detection for dropped file 43->173 175 Contains functionality to inject code into remote processes 43->175 177 Writes to foreign memory regions 43->177 185 2 other signatures 43->185 48 AppLaunch.exe 11 508 43->48         started        53 AppLaunch.exe 43->53         started        179 Antivirus detection for dropped file 46->179 181 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 46->181 183 Maps a DLL or memory area into another process 46->183 187 2 other signatures 46->187 55 explorer.exe 46->55 injected process18 dnsIp19 109 193.233.132.51, 49699, 49701, 50500 FREE-NET-ASFREEnetEU Russian Federation 48->109 111 ipinfo.io 34.117.59.81, 443, 49700, 49703 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 48->111 75 C:\Windows\System32behaviorgraphroupPolicybehaviorgraphPT.INI, ASCII 48->75 dropped 77 C:\...\qnvCM_RG6gFwiAEJ0oDEI9iDoA5YwTdJ.zip, Zip 48->77 dropped 79 C:\Users\user\AppData\...\FANBooster131.exe, PE32 48->79 dropped 87 2 other files (none is malicious) 48->87 dropped 131 Tries to steal Mail credentials (via file / registry access) 48->131 133 Found many strings related to Crypto-Wallets (likely being stolen) 48->133 135 Disables Windows Defender (deletes autostart) 48->135 147 5 other signatures 48->147 57 schtasks.exe 48->57         started        59 schtasks.exe 48->59         started        137 Found stalling execution ending in API Sleep call 53->137 139 Contains functionality to inject threads in other processes 53->139 141 Uses schtasks.exe or at.exe to add and modify task schedules 53->141 113 185.172.128.19, 49711, 80 NADYMSS-ASRU Russian Federation 55->113 115 185.221.198.96 M247GB Russian Federation 55->115 117 3 other IPs or domains 55->117 81 C:\Users\user\AppData\Local\Temp\C5E8.exe, PE32 55->81 dropped 83 C:\Users\user\AppData\Local\Temp\777A.exe, PE32 55->83 dropped 85 C:\Users\user\AppData\Local\Temp\4A20.exe, PE32 55->85 dropped 89 3 other malicious files 55->89 dropped 143 System process connects to network (likely due to code injection or exploit) 55->143 145 Benign windows process drops PE files 55->145 61 C5E8.exe 55->61         started        65 rundll32.exe 55->65         started        67 rundll32.exe 55->67         started        69 2 other processes 55->69 file20 signatures21 process22 dnsIp23 71 conhost.exe 57->71         started        73 conhost.exe 59->73         started        125 77.105.132.87 PLUSTELECOM-ASRU Russian Federation 61->125 195 Machine Learning detection for dropped file 61->195 signatures24 process25
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-08 17:15:01 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2a4gc7afaqe7mwk7u6hgs6ea4tj2zpoxmgwqrlmv6psysvoqxqha._file
Verdict:
malicious
Similar samples:
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
LummaStealer
56cde7070b3641baf9706c9d7440b169e2f4308494d5db776638de76e484c550
LummaStealer
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
LummaStealer
d0251c80d56efbae32322e7697dcc73d18d9d8b094036d12b9664a87f4f4be54
LummaStealer
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
LummaStealer
f3915f40ab2ca33b94333b669ab4f77ca8c2c4be1563b08276b983c595674c25
LummaStealer
+ 905 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor loader persistence stealer trojan
Link:
https://tria.ge/reports/231212-jsn1tshcer/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
94513f36ef94d07e4f4eb4fc1f16f720c517aae322ce9153cf716f08010e2a96
MD5 hash:
d09d113833f72b4cb1e4d32664b2c0c6
SHA1 hash:
a84d58464acb78d7a6bbe4ce97dec3224f643b70
Link:
https://www.unpac.me/results/8e143474-1e31-44e7-9216-b39094496110/
SH256 hash:
78ae23df3b06702cba044f947252c918006f7db9e6ac365d7db641f03dbc21f2
MD5 hash:
4fc42d657c43796cab2c924204da84a9
SHA1 hash:
e457098ed4bffdd5ff449c8fa5d302626dc94a22
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/8e143474-1e31-44e7-9216-b39094496110/
Parent samples :
b107afc55476c58af62b82d8f181f4ab90b725e95ccb524851f540b621bdebbb
63a2ca4d70cc4601a03ca16d80b6f965fb9aebb62a0a9915f66b3e32ad625e85
732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
3c40f114a892a7e4877e787b88479492da2cc6a9c1ff44f5743fc20694d19fb0
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
SH256 hash:
d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e
MD5 hash:
aed26b16d0bf4517eca0a4b1ecee11dc
SHA1 hash:
2e6b87f54c507a16f0fb2db2d8f5caaace31da4f
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/8e143474-1e31-44e7-9216-b39094496110/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d038617c0504/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d038617c050409f6595fa78e697880e4d3acbdd761ad08ad95f3e58955d0bc0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/466344/

Comments