MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

SHA256 hash: 0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2
SHA3-384 hash: 5ea2e2bb1d63a37234b2d6a8ff0a946b8c8e10453bd52fba1469b2fb4f4ba68683e4a825fb639b4539df88c39584c1dd
SHA1 hash: 0dfa00854efb6d3c9b6821ed799b7dc27bf3085e
MD5 hash: 0f1a6be1755ac1fb84643aa38698d8a0
humanhash: hot-leopard-high-johnny
File name: random.exe
Signature: LummaStealer
File size: 1'919'488 bytes
First seen: 2025-04-17 06:14:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:Pj/yDKPPIPA/HMKd1Pb8YQnP1CbpUJ+mZeqA:7q2PIPA/TD8r1CbpUYUA
TLSH: T1DF9533127D9F6570CE54247D80A7ABC2BE2AC0D905EFB416A37742B5EC136A23AD8473
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence

File Origin
# of uploads:
1
# of downloads:
427
Origin country:
NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-17 06:19:17 UTC
Tags:
lumma stealer themida loader amadey botnet rdp

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
vmdetect phishing autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm crypt packed packed packer_detected xpack
Result
Threat name:
Amadey, CryptOne, LummaC Stealer
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates an Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Disables the Smart Screen filter
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadey's Clipper DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Behaviour
Behavior Graph: Behavior Graph ID: 1667187 Sample: random.exe Startdate: 17/04/2025 Architecture: WINDOWS Score: 100
Threat name:
Win32.Trojan.Multiverze
Status:
Malicious
First seen:
2025-04-17 04:57:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Verdict:
malicious
Label(s):
lummastealer
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2
MD5 hash:
0f1a6be1755ac1fb84643aa38698d8a0
SHA1 hash:
0dfa00854efb6d3c9b6821ed799b7dc27bf3085e
SHA256 hash:
0f00b2027da1286f494edd6afe5e2a6bb9a7550736d698e34e17de504ab7dedd
MD5 hash:
8d9aca4bdd69537a621f6f166a2330f0
SHA1 hash:
edd95a7515cf7b13c4a6ffedd882a75906f0978a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe 0d7498868db177729da82ff4652d944ab6d4700c7467e8b8a6a2a65b423042a2 (this sample)
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                  critical

Comments