MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f74fa7be144d205d63c651b9ae1c68a9f3c2a8ef441e2707de9313b5740abf3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	f74fa7be144d205d63c651b9ae1c68a9f3c2a8ef441e2707de9313b5740abf3e
SHA3-384 hash:	ac4d9d1fe2df3601df73f5726b5c0cfde47b1971cf49b9cd852a51175ed4130582a2fca836720bee26ea47b37032676e
SHA1 hash:	fc5b8b339962a668ffcbf7743cc8d2338437996b
MD5 hash:	30ade1a428ced1976facdfbfc552b869
humanhash:	maryland-emma-aspen-berlin
File name:	30ade1a428ced1976facdfbfc552b869.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	252'928 bytes
First seen:	2023-12-20 09:15:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6aff1f4d738e9d17912a05ebd3caee8a (2 x LummaStealer, 1 x RedLineStealer)
ssdeep	3072:g5uELwhU84gyWEB0nsTC8qFQwZysXKwPXl34M9K66KqL5sSkaMxjTFu7jd:4uELsUiEB0eC8q796il3xo6xSkZPCj
TLSH	T105344D2392F07D91FA26CB729E2ECAE876DEF6508F4977EA11584A1F04B12B1C173711
TrID	32.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 23.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 17.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.3% (.SCR) Windows screen saver (13097/50/3) 5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	0202080918283000 (1 x LummaStealer)
Reporter	abuse_ch
Tags:	exe LummaStealer

abuse_ch

LummaStealer C2:
http://underlinefreeapearew.fun/api

Intelligence

File Origin

# of uploads :

# of downloads :

353

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

30ade1a428ced1976facdfbfc552b869.exe

Verdict:

Malicious activity

Analysis date:

2023-12-20 09:16:39 UTC

Tags:

loader smoke smokeloader

Link:

https://app.any.run/tasks/b769933e-4b99-4f60-a19d-12b769c8b754

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SmokeLoader

Link:

https://www.capesandbox.com/analysis/468608/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

DNS request

Sending an HTTP GET request

Creating a process from a recently created file

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mokes packed

Link:

https://www.filescan.io/uploads/6582b0d4a6bc59352f2c9bd8/reports/cf101104-152f-4d26-99b2-48f228575b24/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/f74fa7be144d205d63c651b9ae1c68a9f3c2a8ef441e2707de9313b5740abf3e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/10e77c46-8a65-498f-b7cb-1b03e32fd383

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364976

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f74fa7be144d205d63c651b9ae1c68a9f3c2a8ef441e2707de9313b5740abf3e

Detection:

smokeloader

Link:

https://mwdb.cert.pl/sample/f74fa7be144d205d63c651b9ae1c68a9f3c2a8ef441e2707de9313b5740abf3e/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-12-20 09:16:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=65h2ppqujuqf2y6gkg424hdivhz4fkhpiqpcob66smj3k5akx47a._file

Verdict:

malicious

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub1 backdoor trojan

Link:

https://tria.ge/reports/231220-k8fvtshha7/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Deletes itself

SmokeLoader

Malware Config

C2 Extraction:

http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php