MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f460670cf29b4a66c7c1d8fc09368bf08f982b48c4a6843cf2517bb0060921a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16



SHA256 hash: f460670cf29b4a66c7c1d8fc09368bf08f982b48c4a6843cf2517bb0060921a6
SHA3-384 hash: 3119d5de905bc2a14211c807c74055e77821505779bcc54f8bed0ce427e67bdde8fe078aee35286f72d0cf54b54f9123
SHA1 hash: f93faa5356a151ff7770050cd114bb0d0a105b54
MD5 hash: c357af917d33825ceb8fce7b8bdf2b8c
humanhash: robert-iowa-pennsylvania-timing
File name: c357af917d33825ceb8fce7b8bdf2b8c.exe
Signature: LummaStealer
File size: 2'383'360 bytes
First seen: 2023-12-15 22:15:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:6dOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:dfwnEg4hVvNCm6GpR5Rw
TLSH T141B52323A2D88472E8D4A3717EF50346263738E108BAC26B6775748FD872AD9E531773
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: exe LummaStealer


abuse_ch
LummaStealer C2:
91.92.249.253:50500

Intelligence


File Origin
# of uploads :
1
# of downloads :
322
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Searching for the window
Creating a file
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed replace risepro rundll32 setupapi sfx shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
LummaC Stealer, RedLine, RisePro Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1363072, sample hDSt2ZWU0x.exe, start date 15/12/2023, architecture WINDOWS, score 100 (graph image not reproduced here)
Threat name:
Win32.Trojan.SmokeLoader
Status:
Malicious
First seen:
2023-12-15 22:16:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
14 of 37 (37.84%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
smokeloader
Score:
10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SHA256 hash:
0aa9f8be2a6cb4862d1fd423159080d2100f7adf8ced157d463460230049c31a
MD5 hash:
492ff386974529e80c08385cfef08765
SHA1 hash:
73ac0062ec57d058fd0f1ba161eb1f94cbc1120e
SHA256 hash:
8adfe97188a4e4d83562efda2c47afa73560b57fb18cf11fbb2b5d0cf54cc416
MD5 hash:
9aea5fca204f874362ea661fd666eda7
SHA1 hash:
fd6975b5b18d07b3c38a32c0dd11958ca267965b
Detections:
SmokeLoaderStage2 win_smokeloader_a2
SHA256 hash:
f460670cf29b4a66c7c1d8fc09368bf08f982b48c4a6843cf2517bb0060921a6
MD5 hash:
c357af917d33825ceb8fce7b8bdf2b8c
SHA1 hash:
f93faa5356a151ff7770050cd114bb0d0a105b54
Detections:
win_redline_wextract_hunting_oct_2023
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File type: Executable exe
SHA256: f460670cf29b4a66c7c1d8fc09368bf08f982b48c4a6843cf2517bb0060921a6 (this sample)

Delivery method: Distributed via web download
