MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f
SHA3-384 hash: 66efb0afa1c370e820c01b68e3d4a7619ed17580de3318651f36b84a61e9bcd1975ad6aae28cfe70094fe93f1f45a250
SHA1 hash: 6c92b9730ed0d7b43e0fb6f9bf5bf47aa0fd7cff
MD5 hash: 3a198a130c1d6eef33fc52d39d83347b
humanhash: vegan-montana-texas-fanta
File name:СhrоmеSеtup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:27'759'992 bytes
First seen:2023-09-14 13:09:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 393216:tZBosOBrX0KMw4DHrIkpMmOVB0txBAVxxCfpO85HtIT8yA8FS7QPPuvNGYFlPx:3OOKzyr3ynjNxx0pdNTyJSwPMNGYHp
Threatray 38 similar samples on MalwareBazaar
TLSH T1C6571231724AC52FD96211B0192C9A9F512CBF760BB254CBB3DC2E6E1BB55C21336E27
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter monitorsg
Tags:ClearFake exe LummaStealer


Avatar
monitorsg
hXXps://bsc-dataseed1.binance[.]org (Binance 0x7f36D9292e7c70A204faCC2d255475A861487c60) --> hXXps://ziucsugcbfyfbyccbasy[.]com/vvmd54/ --> hXXps://ziucsugcbfyfbyccbasy[.]com/ZgbN19Mx (Keitaro) --> hXXps://ziucsugcbfyfbyccbasy[.]com/lander/chrome/_index.php (landing) --> hXXps://stats-best[.]site/fp.php (fingerprint) --> hXXps://dl.dropboxusercontent[.]com (download)

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
СhrоmеSеtup.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 13:12:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d02a3ca9-1be4-478b-838c-3a230a3feacd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6503062d69c1cf3b6ab5cb85/reports/3f298ed1-9b1f-4dba-a49a-8cd1074d59a5/overview
Verdict:
Malicious
Labled as:
Trojan.Genus
Link:
https://www.hybrid-analysis.com/sample/e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f
Result
Verdict:
MALICIOUS
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307868
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a MSI (Microsoft Installer) remotely
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307868 Sample: #U0421hr#U043em#U0435S#U043... Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 72 www.jdrsoftwaredesign.fyi 2->72 74 blockbeerman.fun 2->74 76 x1.c.lencr.org 2->76 82 Found malware configuration 2->82 84 Antivirus detection for dropped file 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 4 other signatures 2->88 10 msiexec.exe 18 38 2->10         started        13 #U0421hr#U043em#U0435S#U0435tup.exe 23 2->13         started        signatures3 process4 dnsIp5 56 C:\Windows\Installer\MSIC2C.tmp, PE32 10->56 dropped 58 C:\Windows\Installer\MSIBEC.tmp, PE32 10->58 dropped 60 C:\Windows\Installer\MSIBBD.tmp, PE32 10->60 dropped 68 5 other malicious files 10->68 dropped 17 SenseCE.exe 4 10->17         started        20 msiexec.exe 10->20         started        22 msiexec.exe 10->22         started        80 www.jdrsoftwaredesign.fyi 104.21.42.194, 443, 49712, 49713 CLOUDFLARENETUS United States 13->80 62 C:\Users\user\AppData\Local\...\shiFD43.tmp, PE32+ 13->62 dropped 64 C:\Users\user\AppData\Local\...\MSIFF1C.tmp, PE32 13->64 dropped 66 C:\Users\user\AppData\Local\...\MSIFEEC.tmp, PE32 13->66 dropped 70 2 other malicious files 13->70 dropped 110 Installs a MSI (Microsoft Installer) remotely 13->110 24 cmd.exe 1 13->24         started        27 msiexec.exe 13->27         started        file6 signatures7 process8 file9 50 C:\Users\user\AppData\Roaming\...\SenseCE.exe, PE32+ 17->50 dropped 52 C:\Users\user\AppData\Roaming\...\MpGear.dll, PE32+ 17->52 dropped 29 SenseCE.exe 1 17->29         started        90 Uses cmd line tools excessively to alter registry or file data 24->90 32 conhost.exe 24->32         started        34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        38 2 other processes 24->38 signatures10 process11 signatures12 98 Writes to foreign memory regions 29->98 100 Maps a DLL or memory area into another process 29->100 102 Contains functionality to detect sleep reduction / modifications 29->102 40 more.com 2 29->40         started        process13 file14 54 C:\Users\user\AppData\Local\...\cbjlimhmbkdrh, PE32 40->54 dropped 92 Writes to foreign memory regions 40->92 94 Found hidden mapped module (file has been removed from disk) 40->94 96 Maps a DLL or memory area into another process 40->96 44 ttdinject.exe 13 40->44         started        48 conhost.exe 40->48         started        signatures15 process16 dnsIp17 78 blockbeerman.fun 172.67.219.218, 49726, 49727, 49728 CLOUDFLARENETUS United States 44->78 104 Query firmware table information (likely to detect VMs) 44->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 44->106 108 Tries to harvest and steal browser information (history, passwords, etc) 44->108 signatures18
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ba3h2vo2hak2n7h7elrp3s3byjosivwpo7b42ney2giboxsfnhq._file
Verdict:
unknown
Similar samples:
20b2c3c49b34d0363b69e5c442f67dfb8cfce20783995aacfbf40e24e3f56487
LummaStealer
32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c
LummaStealer
510b19e6574cac935d07ee0daaeec1dcef77f75008ff5271ce1b29a0ba723407
LummaStealer
5bcc5718b11d0e933930934805ea3f1dcb888dd19eb9dd75574ef425e704d799
LummaStealer
734871091f713f83cb86b81489ffa8b8820cce9a613b6fba7e5057accabf7753
LummaStealer
76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c
LummaStealer
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
LummaStealer
bbce6e4e32e181468d77eaf31f1d6929194ea3631977367fb6aa678d8f66344f
LummaStealer
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
LummaStealer
e8c944b9a94b79f2d5a2783d1c20a555d66e6912c077a8a47617da5f0c5caa78
LummaStealer
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/230914-qectzaeg25/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Use of msiexec (install) with remote resource
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f

(this sample)

  
Delivery method
Distributed via web download

Comments