MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
SHA3-384 hash: 8d0da9bd1c7f3f29723b51b34cbc69005421ff7e2fefdaee999991fca77cc8ec48a381494d75e218e7a8803a8d70bf9b
SHA1 hash: afac3601fe6bf1b743f26f53dfd639a85687b309
MD5 hash: c505e5c59f4cab04025587056e8c51e8
humanhash: nineteen-low-juliet-apart
File name:c505e5c59f4cab04025587056e8c51e8.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:6'496'256 bytes
First seen:2024-01-04 17:30:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:MnG/AtcocAeLt1UGbBBNCmMXoh7hoxpz7PQcqLgu79BFAuaZtZW9lrwt98fW:MIkg/5BNCNEhGzdqfBFxaZSMGW
TLSH T17366334B9A6C4E76EC5199F460FFA3D3A930BE97A93E116F5614C04909773809CB0B3B
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
185.172.128.33:38294

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469532/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Сreating synchronization primitives
Searching for the browser window
DNS request
Sending a custom TCP request
Searching for the window
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-debug anti-vm CAB control explorer installer installer lolbin monero packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/6596eb56f4b6e5e16367c366/reports/0e1eb7e7-7f4e-4550-9c9d-cb10e7ba3888/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6baca658-af34-4ca9-81af-be3e11286c8a
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1369928
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Phishing site detected (based on logo match)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1369928 Sample: D4E5jFL2ko.exe Startdate: 04/01/2024 Architecture: WINDOWS Score: 100 161 rr3.sn-p5qlsn7d.googlevideo.com 2->161 163 rr3---sn-p5qlsn7d.googlevideo.com 2->163 165 3 other IPs or domains 2->165 201 Snort IDS alert for network traffic 2->201 203 Found malware configuration 2->203 205 Antivirus detection for URL or domain 2->205 207 17 other signatures 2->207 13 D4E5jFL2ko.exe 1 4 2->13         started        16 FANBooster131.exe 2->16         started        19 OfficeTrackerNMP131.exe 2->19         started        21 8 other processes 2->21 signatures3 process4 file5 147 2 other malicious files 13->147 dropped 23 Ou3mD25.exe 1 4 13->23         started        133 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 16->133 dropped 135 C:\...\0YM5VjyeSn81AxrxYpVkwRx5pCY4oF3b.zip, Zip 16->135 dropped 175 Antivirus detection for dropped file 16->175 177 Multi AV Scanner detection for dropped file 16->177 179 Detected unpacking (changes PE section rights) 16->179 195 4 other signatures 16->195 137 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 19->137 dropped 139 C:\...\piuL77yElOCOy5jDmGpf6CHB0TAxkk6N.zip, Zip 19->139 dropped 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->181 183 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 19->183 185 Machine Learning detection for dropped file 19->185 187 Found many strings related to Crypto-Wallets (likely being stolen) 19->187 27 powershell.exe 19->27         started        29 powershell.exe 19->29         started        31 powershell.exe 19->31         started        39 10 other processes 19->39 141 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->141 dropped 143 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->143 dropped 145 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 21->145 dropped 149 3 other malicious files 21->149 dropped 189 Tries to steal Mail credentials (via file / registry access) 21->189 191 Modifies Windows Defender protection settings 21->191 193 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 21->193 33 powershell.exe 21->33         started        35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        41 11 other processes 21->41 signatures6 process7 file8 117 C:\Users\user\AppData\Local\...\CP8By74.exe, PE32 23->117 dropped 119 C:\Users\user\AppData\Local\...\5RG8aN3.exe, PE32 23->119 dropped 215 Antivirus detection for dropped file 23->215 217 Machine Learning detection for dropped file 23->217 43 CP8By74.exe 1 4 23->43         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 31->51         started        53 conhost.exe 33->53         started        55 conhost.exe 35->55         started        57 conhost.exe 37->57         started        59 9 other processes 39->59 61 9 other processes 41->61 signatures9 process10 file11 129 C:\Users\user\AppData\Local\...\PJ2NV35.exe, PE32 43->129 dropped 131 C:\Users\user\AppData\Local\...\4Af574nF.exe, PE32 43->131 dropped 235 Antivirus detection for dropped file 43->235 237 Machine Learning detection for dropped file 43->237 63 PJ2NV35.exe 1 4 43->63         started        signatures12 process13 file14 151 C:\Users\user\AppData\Local\...\tC9ei52.exe, PE32 63->151 dropped 153 C:\Users\user\AppData\Local\...\3TN20pQ.exe, PE32 63->153 dropped 197 Antivirus detection for dropped file 63->197 199 Machine Learning detection for dropped file 63->199 67 tC9ei52.exe 1 4 63->67         started        signatures15 process16 file17 113 C:\Users\user\AppData\Local\...\2wM0945.exe, PE32 67->113 dropped 115 C:\Users\user\AppData\Local\...\1qP08gO5.exe, PE32 67->115 dropped 209 Antivirus detection for dropped file 67->209 211 Binary is likely a compiled AutoIt script file 67->211 213 Machine Learning detection for dropped file 67->213 71 2wM0945.exe 21 70 67->71         started        76 1qP08gO5.exe 12 67->76         started        signatures18 process19 dnsIp20 171 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 71->171 173 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 71->173 121 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 71->121 dropped 123 C:\Users\user\AppData\...\FANBooster131.exe, PE32 71->123 dropped 125 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 71->125 dropped 127 2 other malicious files 71->127 dropped 219 Antivirus detection for dropped file 71->219 221 Multi AV Scanner detection for dropped file 71->221 223 Detected unpacking (changes PE section rights) 71->223 233 9 other signatures 71->233 78 cmd.exe 71->78         started        81 powershell.exe 71->81         started        83 cmd.exe 71->83         started        92 12 other processes 71->92 225 Binary is likely a compiled AutoIt script file 76->225 227 Machine Learning detection for dropped file 76->227 229 Found API chain indicative of sandbox detection 76->229 231 Contains functionality to modify clipboard data 76->231 85 chrome.exe 9 76->85         started        88 chrome.exe 76->88         started        90 chrome.exe 76->90         started        file21 signatures22 process23 dnsIp24 239 Uses schtasks.exe or at.exe to add and modify task schedules 78->239 107 2 other processes 78->107 241 Found many strings related to Crypto-Wallets (likely being stolen) 81->241 94 conhost.exe 81->94         started        109 2 other processes 83->109 167 192.168.2.5 unknown unknown 85->167 169 239.255.255.250 unknown Reserved 85->169 96 chrome.exe 85->96         started        99 chrome.exe 85->99         started        101 chrome.exe 85->101         started        103 chrome.exe 88->103         started        105 chrome.exe 90->105         started        111 11 other processes 92->111 signatures25 process26 dnsIp27 155 accounts.google.com 142.250.31.84 GOOGLEUS United States 96->155 157 142.251.111.93 GOOGLEUS United States 96->157 159 56 other IPs or domains 96->159
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2024-01-04 17:31:07 UTC
File Type:
PE (Exe)
Extracted files:
224
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ggnyir6fnrer7bit5xuv3x5anu4grjz6gu6qcvlvmz544s4hd6q._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:smokeloader family:zgrat botnet:777 backdoor brand:google collection discovery evasion infostealer persistence phishing rat spyware stealer themida trojan
Link:
https://tria.ge/reports/240104-v3n95afgem/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect ZGRat V1
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SmokeLoader
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
195.20.16.103:20440
Unpacked files
SH256 hash:
a79c21bf239c475d9d666468f5771106f27f33431ff6c80f9c5904c1dc59aa1d
MD5 hash:
a99ea8af69aa691c251b1619762fa253
SHA1 hash:
dd113abdef305b9a70f904e48ec79947a8d0f7cd
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/e1cb9a47-b581-49c9-b46f-8e488d610911/
Parent samples :
b74b718bc7d748634e8522ee94e83bf48ca66942c9f8bf88252d908910982fdd
87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
9c7844e137bd630f22e7d487c43be450d9c185ea7339230bef46d2decb817d4d
e3cdb09481565d89e6123cf4145a1291d7abeac808d2f19364f9a3e04c3e1ccc
SH256 hash:
3dc0c9ef180e143db5ab9038e27b1c066917d85dc4b203d4bd140061426dc295
MD5 hash:
aceb86bca7da1c21d07cbafb93357895
SHA1 hash:
501d071cd79115c52550b0c29bd98f5a648379d1
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e1cb9a47-b581-49c9-b46f-8e488d610911/
SH256 hash:
d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd
MD5 hash:
c505e5c59f4cab04025587056e8c51e8
SHA1 hash:
afac3601fe6bf1b743f26f53dfd639a85687b309
Link:
https://www.unpac.me/results/e1cb9a47-b581-49c9-b46f-8e488d610911/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d18cdc223e2b6248fc289f6f4aeefd0369c34539f1a9e80aabab33de725c38fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469532/

Comments