MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
SHA3-384 hash: a228cf4f76861d0f704fe95f58726fcca543f53630007282533efb49beca7aa766a0aac8927044518e7aebe02d56f2a8
SHA1 hash: 81f2c2081b2efdd5a9d904eab1742ab192510dbc
MD5 hash: d9f82472ab07963b01b18ad38581cba7
humanhash: emma-enemy-stream-butter
File name:d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'934'272 bytes
First seen:2023-12-06 01:50:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:Qxhd17aaRcDMpZNzRWV0pSnnAGBLEk5qu4Olah+y0o22wQacUmkmWM4n5eBBU:Mhd17ze4LQnhAR5f22zacUI
TLSH T146D533A9E8D84033DFF433F066FA46872F35B8A28475476F1B06AA560C737C49972729
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe LummaStealer


Avatar
abuse_ch
LummaStealer C2:
20.195.170.6:1533

Intelligence

File Origin
# of uploads :
1
# of downloads :
409
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/462730/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Disabler-10009785-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Creating a file
Launching a process
Replacing files
Launching a service
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Forced system process termination
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Stealing user critical data
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm autoit CAB control explorer greyware installer installer keylogger lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656fd387eba108031485b750/reports/d74c1b45-ddb9-480b-9000-f5026a0012a3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1723c13b-0236-4f06-9cdc-0aef9e94d4a0
Result
Threat name:
LummaC Stealer, PrivateLoader, RedLine,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1354345
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354345 Sample: d3b872908454b2d5649fedd5848... Startdate: 06/12/2023 Architecture: WINDOWS Score: 100 133 transfer.sh 2->133 135 ipinfo.io 2->135 137 10.74.0.0.in-addr.arpa 2->137 161 Snort IDS alert for network traffic 2->161 163 Multi AV Scanner detection for domain / URL 2->163 165 Found malware configuration 2->165 167 17 other signatures 2->167 13 d3b872908454b2d5649fedd5848e02f414837ccd3efb1.exe 1 4 2->13         started        17 OfficeTrackerNMP131.exe 10 501 2->17         started        19 OfficeTrackerNMP131.exe 2->19         started        21 10 other processes 2->21 signatures3 process4 file5 127 C:\Users\user\AppData\Local\...\mQ8FT62.exe, PE32 13->127 dropped 129 C:\Users\user\AppData\Local\...\6QJ3WO8.exe, PE32 13->129 dropped 213 Binary is likely a compiled AutoIt script file 13->213 23 mQ8FT62.exe 1 4 13->23         started        131 C:\...\wIXNab5Jt162rxXGQpyvM0n7p3P58tuS.zip, Zip 17->131 dropped 215 Antivirus detection for dropped file 17->215 217 Multi AV Scanner detection for dropped file 17->217 219 Tries to steal Mail credentials (via file / registry access) 17->219 227 6 other signatures 17->227 27 WerFault.exe 17->27         started        221 Disables Windows Defender (deletes autostart) 19->221 223 Tries to harvest and steal browser information (history, passwords, etc) 19->223 225 Exclude list of file types from scheduled, custom, and real-time scanning 19->225 29 WerFault.exe 21->29         started        31 WerFault.exe 21->31         started        signatures6 process7 file8 103 C:\Users\user\AppData\Local\...\ZH0MI25.exe, PE32 23->103 dropped 105 C:\Users\user\AppData\Local\...\5sL4tK1.exe, PE32 23->105 dropped 169 Multi AV Scanner detection for dropped file 23->169 33 ZH0MI25.exe 1 4 23->33         started        signatures9 process10 file11 95 C:\Users\user\AppData\Local\...\BA5Os31.exe, PE32 33->95 dropped 97 C:\Users\user\AppData\Local\...\4oz017Ag.exe, PE32 33->97 dropped 159 Multi AV Scanner detection for dropped file 33->159 37 BA5Os31.exe 1 4 33->37         started        signatures12 process13 file14 99 C:\Users\user\AppData\Local\...\3WK60hS.exe, PE32 37->99 dropped 101 C:\Users\user\AppData\Local\...\1Be96QP5.exe, PE32 37->101 dropped 40 3WK60hS.exe 37->40         started        43 1Be96QP5.exe 11 508 37->43         started        process15 dnsIp16 171 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 40->171 173 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 40->173 175 Maps a DLL or memory area into another process 40->175 183 2 other signatures 40->183 47 explorer.exe 40->47 injected 143 193.233.132.51, 49729, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation 43->143 145 ipinfo.io 34.117.59.81, 443, 49730, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 43->145 119 C:\Users\user\AppData\...\FANBooster131.exe, PE32 43->119 dropped 121 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 43->121 dropped 123 C:\ProgramData\...\OfficeTrackerNMP131.exe, PE32 43->123 dropped 125 2 other malicious files 43->125 dropped 177 Tries to steal Mail credentials (via file / registry access) 43->177 179 Found stalling execution ending in API Sleep call 43->179 181 Disables Windows Defender (deletes autostart) 43->181 185 6 other signatures 43->185 52 schtasks.exe 1 43->52         started        54 schtasks.exe 1 43->54         started        56 WerFault.exe 43->56         started        file17 signatures18 process19 dnsIp20 149 91.92.242.251 THEZONEBG Bulgaria 47->149 151 185.172.128.19, 49749, 80 NADYMSS-ASRU Russian Federation 47->151 153 2 other IPs or domains 47->153 87 C:\Users\user\AppData\Local\Temp\C9F6.exe, PE32 47->87 dropped 89 C:\Users\user\AppData\Local\Temp\AA86.exe, PE32 47->89 dropped 91 C:\Users\user\AppData\Local\Temp\A6EC.exe, PE32 47->91 dropped 93 6 other malicious files 47->93 dropped 155 System process connects to network (likely due to code injection or exploit) 47->155 157 Benign windows process drops PE files 47->157 58 61EF.exe 47->58         started        62 63D5.exe 47->62         started        65 9B23.exe 47->65         started        71 6 other processes 47->71 67 conhost.exe 52->67         started        69 conhost.exe 54->69         started        file21 signatures22 process23 dnsIp24 107 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 58->107 dropped 109 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 58->109 dropped 193 Multi AV Scanner detection for dropped file 58->193 195 Machine Learning detection for dropped file 58->195 73 File2.exe 58->73         started        77 File1.exe 58->77         started        79 conhost.exe 58->79         started        147 195.10.205.16 TSSCOM-ASRU Russian Federation 62->147 197 Antivirus detection for dropped file 62->197 199 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 62->199 201 Found many strings related to Crypto-Wallets (likely being stolen) 62->201 203 Tries to steal Crypto Currency Wallets 62->203 81 conhost.exe 62->81         started        111 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 65->111 dropped 113 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 65->113 dropped 115 C:\Users\user\AppData\Local\...\latestX.exe, PE32+ 65->115 dropped 117 2 other malicious files 65->117 dropped 83 InstallSetup9.exe 65->83         started        205 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 71->205 207 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 71->207 209 Tries to harvest and steal browser information (history, passwords, etc) 71->209 211 2 other signatures 71->211 85 conhost.exe 71->85         started        file25 signatures26 process27 dnsIp28 139 176.123.7.190, 32927, 49750 ALEXHOSTMD Moldova Republic of 73->139 187 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 73->187 189 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 73->189 191 Tries to steal Crypto Currency Wallets 73->191 141 176.123.10.211, 47430, 49751 ALEXHOSTMD Moldova Republic of 77->141 signatures29
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 01:51:06 UTC
File Type:
PE (Exe)
Extracted files:
175
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2o4hfeeeksznkze75xkyjdqc6qkig7gnh35rqlv3k7pzu4kxm32a._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:risepro family:smokeloader backdoor collection discovery loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/231206-b9tnmsaa49/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Enumerates physical storage devices
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
PrivateLoader
RisePro
SmokeLoader
Malware Config
C2 Extraction:
193.233.132.51
http://81.19.131.34/fks/index.php
Unpacked files
SH256 hash:
5213cc9a0ab7998702209f16958df4fc893572e5671de110bae9731538ea887d
MD5 hash:
0872cc83af30e80855f1a540e7849bc0
SHA1 hash:
e66e2c67725c0affd64683022f9dbfa9e17db4bb
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/43d65ed7-01cc-4c13-9835-654ad5762eb9/
Parent samples :
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
7de2ca4a5a35342f0344b2378ccdf91c140dc94516787248fc17bd39c12cd4a8
9edcd387decaca808d976504370b06f8afe76bf6612d294c9b537680ff482bd6
8c05f312dbdac6966c392318cb7424050cdf326160be28041ff65da5ac7504ed
SH256 hash:
4b9095b4f390371b9dd2885ae1c9d01388d993032f6abdd13d62fff9578f8b5f
MD5 hash:
2d2f649e017d3355adeca7db425279db
SHA1 hash:
581eefdefdd632003528464af2fa8de5ba4e9438
Link:
https://www.unpac.me/results/43d65ed7-01cc-4c13-9835-654ad5762eb9/
SH256 hash:
d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4
MD5 hash:
d9f82472ab07963b01b18ad38581cba7
SHA1 hash:
81f2c2081b2efdd5a9d904eab1742ab192510dbc
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/43d65ed7-01cc-4c13-9835-654ad5762eb9/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3b872908454/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3b872908454b2d5649fedd5848e02f414837ccd3efb182ebb57df9a715766f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462730/

Comments