MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d
SHA3-384 hash:	468222d6e17484f835a4c7fe3b688d29dce4da8b7d92f2582cdb6db001f8a3dd9a2b238f360b5f17739ebafb8980f74f
SHA1 hash:	928dd172b75047658e11990e1a37a757ac6f2158
MD5 hash:	4ab39696b39b6fa6a7ffd4af31ff0411
humanhash:	johnny-nineteen-spring-zebra
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'833'472 bytes
First seen:	2023-10-10 06:39:44 UTC
Last seen:	2023-10-10 12:05:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 77 x LummaStealer, 62 x Rhadamanthys)
ssdeep	49152:jhq/g5Caib3QQL/A7o5mm3FrGFNGR9R8a4hIx2xdy:jhegUl1/Ak5mmVrGFNeKhjxdy
Threatray	7 similar samples on MalwareBazaar
TLSH	T17185330A95D474FFD9B8D7B8A0D2C5ABC172B9321A8DAAEF00D5C4F91F027C6513684E
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10523/12/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	00a28ece8eaecec0 (1 x LummaStealer)
Reporter	andretavare5
Tags:	exe LummaStealer

andretavare5

Sample downloaded from http://171.22.28.212/12/carryspend.exe

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://karyaindahperkasa.com/879876/download/zip.7z

Verdict:

Malicious activity

Analysis date:

2023-10-10 07:21:59 UTC

Tags:

privateloader evasion opendir loader risepro stealer redline tofsee botnet stealc ransomware stop miner smoke lumma amadey trojan arkei vidar dcrat rat backdoor remote teamspy g0njxa

Link:

https://app.any.run/tasks/4821ed30-d49b-4bfa-b491-28816e545461

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/452797/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.FJL.gen.Eldorado.30342.18486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Sending an HTTP GET request

Sending a custom TCP request

Unauthorized injection to a recently created process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

89%

Tags:

advpack CAB control explorer installer lolbin packed rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/6524f1c31e07d7e1e9bc748f/reports/e93699f8-5561-4371-aab8-b79622bd2827/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7b01a577-e7e8-413b-8a05-9588426ff649

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-10-10 06:40:06 UTC

File Type:

PE+ (Exe)

Extracted files:

114

AV detection:

10 of 21 (47.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=66z7qlw6prerf3vhvtvjvi2e5yulcdhl4w32iwtjazi6tzakrjgq._file

Verdict:

malicious

LummaStealer

2f06ccf1497fddb1e349f0a3b35126cf2af0ffb5753558cae54cb3cc1368bc0f

LummaStealer

36a859a1fcd2f731adf2bcae4c59be9292f442313a22bdcc4b6275ea08086bd0

LummaStealer

40c2c1cf61b7715fbe781c831fafadca72382dec967320a3b866c3415ace320d

LummaStealer

92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea

LummaStealer

9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d

LummaStealer

b3d56a631e43676eda5b849e86b422b690faea632161e5dee989b4836ab4574a

LummaStealer

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence spyware stealer

Link:

https://tria.ge/reports/231010-he7eksdf82/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d

MD5 hash:

4ab39696b39b6fa6a7ffd4af31ff0411

SHA1 hash:

928dd172b75047658e11990e1a37a757ac6f2158

Link:

https://www.unpac.me/results/d761aa14-55cd-4d0a-9cb7-9972ba365572/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7b3f82ede7c4912eea7acea9aa344ee28b10cebe5b7a45a690651e9e40a8a4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2718506/

Cape

https://www.capesandbox.com/analysis/452797/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample