MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 140ff4d6826a5530b55ff856206bd484b2849d48e45724f669b0732dece2cc19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16



SHA256 hash: 140ff4d6826a5530b55ff856206bd484b2849d48e45724f669b0732dece2cc19
SHA3-384 hash: a88e59cfb119dc4bcf711e4221b3805e2448bf17c7c8c0aa32ca0adbf1eff35e5891db744a8d53b182acd6bf1f28fcfc
SHA1 hash: 9a5c2c147db82bfa65ee4576ebe3ac5c07ea7949
MD5 hash: bb08492793d3f9792b0f13f0bf1edeb4
humanhash: purple-hotel-mango-helium
File name: bb08492793d3f9792b0f13f0bf1edeb4.exe
Signature LummaStealer
File size: 1'910'272 bytes
First seen: 2025-06-02 07:08:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:uqgO6HMltM/ek92vZ48AtXhCHkqKTq3lZAjyZwUa/sB1aB:wHq+WkQZYXwHkPUlWuZIOEB
Threatray 1 similar samples on MalwareBazaar
TLSH T15A95331B7B2DF728C5832BBB56F993C63B64541A3A56F9E41A079F2382179F60430326
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 411
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: bb08492793d3f9792b0f13f0bf1edeb4.exe
Verdict: Malicious activity
Analysis date: 2025-06-02 07:31:10 UTC
Tags: lumma stealer loader themida amadey botnet auto-reg asyncrat rat rdp github gcleaner evasion pentagon cybergate vidar telegram golang auto generic crypto-regex ip-check

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: asyncrat autorun emotet cobalt
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
DNS request
Connection attempt
Behavior that indicates a threat
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt packed packed packer_detected xpack
Result
Threat name: Amadey, CyberGate, LummaC Stealer, Venom
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses dynamic DNS services
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CyberGate RAT
Yara detected LummaC Stealer
Yara detected VenomRAT
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected XWorm
Behaviour
Behavior Graph:
[Behavior Graph rendered as an image, not reproduced here. Behavior Graph ID: 1703747; Sample: Yr2JKinYLW.exe; Startdate: 02/06/2025; Architecture: WINDOWS; Score: 100]
Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-06-02 04:26:36 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 140ff4d6826a5530b55ff856206bd484b2849d48e45724f669b0732dece2cc19
MD5 hash: bb08492793d3f9792b0f13f0bf1edeb4
SHA1 hash: 9a5c2c147db82bfa65ee4576ebe3ac5c07ea7949
SHA256 hash: 783b861ea523032f6406c59d4c6aba43ea96d9225eba6694698272598b12a26c
MD5 hash: 9d00b859dce8ebb11d8c0e7588a6e5b0
SHA1 hash: dec0c35b0007e7136d7648fca78c57a745da0366
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe 140ff4d6826a5530b55ff856206bd484b2849d48e45724f669b0732dece2cc19 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                         Severity
CHECK_AUTHENTICODE          Missing Authenticode                                          high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)        high
CHECK_NX                    Missing Non-Executable Memory Protection                      critical

Comments