MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163d9e5ba3c93d6b5041ba234571f393ed688a4005bb3570a42196080ff1594c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15


SHA256 hash: 163d9e5ba3c93d6b5041ba234571f393ed688a4005bb3570a42196080ff1594c
SHA3-384 hash: 6f73e501028cf34b9fec1b3efa4349892fd3cc77811e52c52b67ffa7dc2f763d655a409c451554b5738ff9c7e3851a53
SHA1 hash: d9736efe541b493ab9a5ad3998c9152e77613e3d
MD5 hash: 6043e4f14e64357b89e138085cf57e54
humanhash: spring-tennis-purple-virginia
File name: random.exe
Signature: LummaStealer
File size: 1'896'448 bytes
First seen: 2025-05-22 06:28:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:3N+epQSFjSYCKyJQosrY+9B365JtYsblGjac:9+epQaeYCnQoIX9B3OkZ
Threatray: 4 similar samples on MalwareBazaar
TLSH: T1D895330A2C58E6D2C85E65B04A1B6FC908B46B8101FB185B93C2673D776FFB468C1EF5
TrID:
  42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  19.0% (.EXE) Generic Win/DOS Executable (2002/3)
  18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 422
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-22 08:16:37 UTC
Tags: lumma stealer themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: vmdetect phishing autorun

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt packed packed packer_detected xpack

Malware family: LummaC2 Stealer
Verdict: Malicious

Result
Threat name: ScreenConnect Tool, Amadey, LummaC Steal
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Enables network access during safeboot for specific services
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Possible COM Object hijacking
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (Joe Sandbox graph ID 1696617; sample random.exe; start date 22/05/2025; architecture WINDOWS; score 100), rebuilt from the flattened graph text as a process tree:

Top-level network contacts: api.telegram.org (Uses the Telegram API (likely for C&C communication)); www.noticeofpleadings.net; 24 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 20 other signatures

random.exe
  network: 185.156.72.2 (ports 49695, 49702, 80; ITDELUXE-ASRU Russian Federation); cornerdurv.top 104.21.48.1 (ports 443, 49683, 49684; CLOUDFLARENETUS United States)
  dropped: C:\Users\user\...\I3VR4PS7S45X8FDVGIVUD.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 5 other signatures
  I3VR4PS7S45X8FDVGIVUD.exe
    dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 5 other signatures
    ramez.exe
      network: 185.156.72.96 (ports 49696, 49700, 80; ITDELUXE-ASRU Russian Federation)
      dropped: C:\Users\user\AppData\...\9fc1fd5940.exe, C:\Users\user\AppData\...\dd4331c2ad.exe, C:\Users\user\AppData\...\7414aad5fb.exe (all PE32); 18 other malicious files
      signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
      TGM8VUj.exe
        dropped: C:\Users\user\AppData\...\unicodedata.pyd, C:\Users\user\AppData\Local\...\select.pyd, C:\Users\user\AppData\Local\...\python313.dll (all PE32+); 26 other malicious files
        TGM8VUj.exe
          network: ip-api.com 208.95.112.1 (TUT-ASUS United States); api.telegram.org 149.154.167.220 (TELEGRAMRU United Kingdom)
      08IyOOF.exe
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
        MSBuild.exe
          network: narrathfpt.top 172.67.222.194 (CLOUDFLARENETUS United States)
          signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
        conhost.exe
      ntSPwd3.exe
        signatures: Injects a PE file into a foreign processes
        MSBuild.exe
          network: judiivk.live 104.21.80.1 (CLOUDFLARENETUS United States); t.me 149.154.167.99 (TELEGRAMRU United Kingdom)
        MSBuild.exe
          signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
        4 other processes
          Conhost.exe
      4 other processes
        signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 5 other signatures
        MSBuild.exe
          network: 77.83.207.69 (DINET-ASRU Russian Federation)
          dropped: C:\...\5DH2RMU63K6S7MC5M2O6GCNG3ZWFG.exe (PE32)
          signatures: Tries to steal Crypto Currency Wallets
        msiexec.exe
          dropped: C:\Users\user\AppData\Local\...\MSI977E.tmp (PE32)
        2 other processes
msiexec.exe
  dropped: C:\Windows\Installer\MSIAD3B.tmp, C:\Windows\Installer\MSIA48F.tmp, C:\...\ScreenConnect.WindowsFileManager.exe (all PE32); 9 other malicious files
  signatures: Enables network access during safeboot for specific services; Modifies security policies related information
  msiexec.exe
    rundll32.exe
      dropped: C:\Users\user\...\ScreenConnect.Windows.dll, C:\...\ScreenConnect.InstallerActions.dll, C:\Users\user\...\ScreenConnect.Core.dll (all PE32); 4 other malicious files
  msiexec.exe
    Conhost.exe
  msiexec.exe
ramez.exe
  signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
10 other processes
  network: firmunssconnect.top 157.254.223.29 (TECHNICOLORUS United States); 127.0.0.1 (unknown)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  WerFault.exe
  ScreenConnect.WindowsClient.exe
  ScreenConnect.WindowsClient.exe

Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-05-21 18:13:00 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:donutloader family:lumma botnet:8d33eb bootkit defense_evasion discovery execution exploit loader persistence pyinstaller spyware stealer trojan
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Power Settings
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Possible privilege escalation attempt
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Detects DonutLoader
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cornerdurv.top/adwq
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://caitraohvi.bet/adks
https://dgalijd.shop/anbf
https://.ustrejqt.bet/mbnj
https://citellcagt.top/gjtu
https://maxmtsq.bet/xzid
https://.cornerdurv.top/adwq
https://rnarrathfpt.top/tekq
https://8escczlv.top/bufi
https://localixbiw.top/zlpa
https://3y7korxddl.top/qidz
http://185.156.72.96
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
Unpacked files

SHA256 hash: 163d9e5ba3c93d6b5041ba234571f393ed688a4005bb3570a42196080ff1594c
MD5 hash: 6043e4f14e64357b89e138085cf57e54
SHA1 hash: d9736efe541b493ab9a5ad3998c9152e77613e3d

SHA256 hash: 0df0cd2137bdf1f6589d791cbbced0534e5ed09063deb686f9862b290af22c2b
MD5 hash: c1569914eaebdf0f2c203e6c429560c5
SHA1 hash: d9d497c19c8ac8d9d34ac03d2710d0bd71911636

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Sample: LummaStealer, Executable exe 163d9e5ba3c93d6b5041ba234571f393ed688a4005bb3570a42196080ff1594c (this sample)
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                  critical

Comments