MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1
SHA3-384 hash: 690df56656a1049d48181fae00079bdabe18bc9567fa9659c9250bff21ee83fc5bde438d95fd383aefb95f9f716f876b
SHA1 hash: a1b706b3aa0aee0d3f534a2823af03afc44c975c
MD5 hash: 3167685ffbdae55b00485896310fe2f4
humanhash: thirteen-five-princess-pennsylvania
File name:VasuisUly.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:350'720 bytes
First seen:2025-05-13 12:42:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 39e417d9a23777e187a7b96e3c73aa1b (8 x LummaStealer, 1 x AgentTesla)
ssdeep 6144:wN7o39E/EXHwLtnZXHOIfPnJbSruNsLYkKtYsZENiG:wN839QKHwL9ZXHOw/Ba2tYsZwiG
Threatray 65 similar samples on MalwareBazaar
TLSH T17474D009729140F9E87B81B98E916651F573782A4734BBDF03A08372AF237D49E3E761
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter skocherhan
Tags:exe LummaStealer


Avatar
skocherhan
http://files.innovadentalkj.com/css/VasuisUly.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
530
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
Win.Packed.Zusy-10044253-0
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68233f5ee16384d6a7040a52
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/68233e29322922535cb0d843/reports/bb9e6291-086a-4ffb-860b-26d95f4de3f9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c71b69f6-4f85-4b25-b28a-513277cc1346
Result
Threat name:
LummaC Stealer, Vidar, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1688909
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Locky time evasion found (measures execution of CloseHandle and GetProcessHeap)
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1688909 Sample: VasuisUly.exe Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 111 17.aa.4t.com 2->111 113 zmedtipp.live 2->113 115 9 other IPs or domains 2->115 147 Suricata IDS alerts for network traffic 2->147 149 Found malware configuration 2->149 151 Malicious sample detected (through community Yara rule) 2->151 153 15 other signatures 2->153 11 VasuisUly.exe 2->11         started        14 DUIJOI.exe 2->14         started        17 DUIJOI.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 209 Contains functionality to inject code into remote processes 11->209 211 Writes to foreign memory regions 11->211 213 Allocates memory in foreign processes 11->213 215 Injects a PE file into a foreign processes 11->215 22 MSBuild.exe 41 11->22         started        27 MSBuild.exe 11->27         started        101 C:\Users\user\AppData\Local\...\TKPTND.exe, PE32 14->101 dropped 217 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->217 29 TKPTND.exe 14->29         started        103 C:\Users\user\AppData\Local\...\ZZQWGW.exe, PE32 17->103 dropped 31 ZZQWGW.exe 17->31         started        125 192.168.2.4 unknown unknown 19->125 127 192.168.2.8 unknown unknown 19->127 129 239.255.255.250 unknown Reserved 19->129 105 C:\Users\user\AppData\Local\...\UWWTQD.exe, PE32 19->105 dropped 107 C:\Users\user\AppData\Local\...\WOXEQY.exe, PE32 19->107 dropped 33 UWWTQD.exe 19->33         started        35 WOXEQY.exe 19->35         started        37 msedge.exe 19->37         started        39 3 other processes 19->39 file6 signatures7 process8 dnsIp9 131 17.aa.4t.com 78.46.233.21, 443, 49693, 49694 HETZNER-ASDE Germany 22->131 133 t.me 149.154.167.99, 443, 49692, 49810 TELEGRAMRU United Kingdom 22->133 139 2 other IPs or domains 22->139 91 C:\Users\user\...\LisuasControl[1].exe, PE32+ 22->91 dropped 93 C:\Users\user\AppData\...\VasuisUly[1].exe, PE32+ 22->93 dropped 95 C:\Users\user\AppData\...\ShtrayEasy[1].exe, PE32 22->95 dropped 97 5 other malicious files 22->97 dropped 165 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->165 167 Found many strings related to Crypto-Wallets (likely being stolen) 22->167 169 Tries to harvest and steal ftp login credentials 22->169 181 3 other signatures 22->181 41 gln7qieuaa.exe 22->41         started        45 mycjw47qi5.exe 22->45         started        47 zmy5ppzukx.exe 22->47         started        49 4 other processes 22->49 171 Attempt to bypass Chrome Application-Bound Encryption 27->171 173 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->173 175 Searches for specific processes (likely to inject) 27->175 177 Multi AV Scanner detection for dropped file 29->177 179 Creates multiple autostart registry keys 29->179 135 13.107.246.51, 443, 49769, 49771 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 37->135 137 s-part-0043.t-0009.t-msedge.net 13.107.246.71, 443, 49741 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 37->137 141 32 other IPs or domains 37->141 file10 signatures11 process12 dnsIp13 99 C:\Users\user\AppData\Local\...\HIRWMI.exe, PE32 41->99 dropped 187 Multi AV Scanner detection for dropped file 41->187 189 Locky time evasion found (measures execution of CloseHandle and GetProcessHeap) 41->189 191 Contains functionality to detect virtual machines (IN, VMware) 41->191 207 4 other signatures 41->207 52 HIRWMI.exe 41->52         started        193 Antivirus detection for dropped file 45->193 195 Bypasses PowerShell execution policy 45->195 197 Adds a directory exclusion to Windows Defender 45->197 56 powershell.exe 45->56         started        58 powershell.exe 45->58         started        60 powershell.exe 45->60         started        199 Writes to foreign memory regions 47->199 201 Allocates memory in foreign processes 47->201 203 Injects a PE file into a foreign processes 47->203 62 MSBuild.exe 47->62         started        64 MSBuild.exe 47->64         started        109 192.168.2.5, 138, 443, 49356 unknown unknown 49->109 205 Monitors registry run keys for changes 49->205 66 MSBuild.exe 49->66         started        69 chrome.exe 49->69         started        71 4 other processes 49->71 file14 signatures15 process16 dnsIp17 89 C:\Users\user\AppData\Local\...\DUIJOI.exe, PE32 52->89 dropped 155 Multi AV Scanner detection for dropped file 52->155 157 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 52->157 73 DUIJOI.exe 52->73         started        159 Loading BitLocker PowerShell Module 56->159 76 conhost.exe 56->76         started        78 conhost.exe 58->78         started        80 conhost.exe 60->80         started        161 Tries to harvest and steal browser information (history, passwords, etc) 62->161 82 chrome.exe 62->82         started        84 chrome.exe 62->84         started        117 flowerexju.bet 104.21.54.253, 443, 49801, 49802 CLOUDFLARENETUS United States 66->117 163 Query firmware table information (likely to detect VMs) 66->163 119 ogads-pa.clients6.google.com 142.250.69.10, 443, 49722, 49724 GOOGLEUS United States 69->119 121 plus.l.google.com 142.250.69.14, 443, 49723 GOOGLEUS United States 69->121 123 3 other IPs or domains 69->123 file18 signatures19 process20 signatures21 183 Multi AV Scanner detection for dropped file 73->183 185 Creates multiple autostart registry keys 73->185 86 chrome.exe 82->86         started        process22 dnsIp23 143 142.250.68.228, 443, 49837, 49838 GOOGLEUS United States 86->143 145 www.google.com 86->145
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-05-12 23:12:41 UTC
File Type:
PE+ (Exe)
AV detection:
30 of 36 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7kgvsqjyvgck3jciigsvq7ji77sasscujavrx6lkyw6dctx6pyq._file
Verdict:
malicious
Label(s):
vidar
Create hunting rule
Similar samples:
0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1
LummaStealer
2111de47272104d983f75b78a77ca4c627f625b0b49dd1ae85ff5b150a18e04c
LummaStealer
26790a672c3c832a6b0365fd01cc81b2f91d6112891a7d30077ada26f1625173
LummaStealer
b7e2f5fcb13eb799e8958dc1fed9f1338a9997f59c48ccb66d9c0e6c0211aee8
LummaStealer
ef544f7901ed91aac0bcdaee79efe2b1ce0b4ccac2480d299ffb6ff73d219dfd
LummaStealer
error
LummaStealer
fee3618c436ea51300cabd2a974af85e308fad4e5eced044349a434a47142f7b
LummaStealer
+ 55 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:vidar family:xworm botnet:158fdd2a4f5abb978509580715e5353f credential_access cryptone discovery execution packer persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/250513-pxgp7svyb1/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops startup file
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
CryptOne packer
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Xworm
Xworm family
Malware Config
C2 Extraction:
https://t.me/m00f3r
https://steamcommunity.com/profiles/76561199851454339
94.26.90.81:2404
https://zmedtipp.live/mnvzx
https://flowerexju.bet/lanz
https://beasterxeen.run/zavc
https://baraucahkbm.live/baneb
https://overcovtcg.top/juhd
https://blackswmxc.top/bgry
https://posseswsnc.top/akds
https://featurlyin.top/pdal
Verdict:
Suspicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/c7f1fce9-834a-4ef4-a52e-08e595687181
Unpacked files
SH256 hash:
0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1
MD5 hash:
3167685ffbdae55b00485896310fe2f4
SHA1 hash:
a1b706b3aa0aee0d3f534a2823af03afc44c975c
Link:
https://www.unpac.me/results/061643f6-3f3a-419b-8ee6-9f24f3e9e1fa/
Malware family:
CryptBot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0fd46aca09c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Vidar

Executable exe 19eae2f123de215358ddd7dc698c52de2a905a5f09e7336df35c8d276a96df6a

LummaStealer

Executable exe 0fd46aca09c54c256d22420d2ac3e947ff204a42a24158dfcb562de18a77f3f1

(this sample)

  
Dropped by
MD5 f6191f83d4d774186de75dcaa6664475
  
Dropped by
SHA256 19eae2f123de215358ddd7dc698c52de2a905a5f09e7336df35c8d276a96df6a
  
URLhaus
https://urlhaus.abuse.ch/url/3542559/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments