MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a634b2d431432cff6511043c57f5c0b8fe5317e8683170053293a848c95056e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14



SHA256 hash: 1a634b2d431432cff6511043c57f5c0b8fe5317e8683170053293a848c95056e
SHA3-384 hash: 9e820e18c5561795732ed889afd10aefc351e398b9b1b91bb3afb61b0b8c74864cd3e8c3e68471d5191887fb4e3e34c9
SHA1 hash: 66f9aa5b03a35c7eaca4044a6edd5dce2adbd65c
MD5 hash: f4564e51eb36540875cfe49d6342615e
humanhash: quebec-bluebird-earth-queen
File name: Setup_patched.exe
Signature: LummaStealer
File size: 6'843'904 bytes
First seen: 2025-04-29 11:30:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2ba47c66cd861650cbec14b6dcb28e66 (2 x LummaStealer)
ssdeep: 196608:rog7AC5maHsGyeeeeeeDeeeeeeeemOkyApxRqeJE:rog7AC5mZBeeeeeeDeeeeeeeeRDApPq1
TLSH: T17966AE62F341C873C5671E389C4792EC992ABF106F34594B3BE53E4C2F76681392A297
TrID: 89.2% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      5.7% (.EXE) InstallShield setup (43053/19/16)
      1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e0e4ece4f2c6f0c4 (2 x LummaStealer)
Reporter: aachum
Tags: de-pumped exe LummaStealer


Comment by iamaachum:
https://uploadify.cloud/0MdWlkPTE0JmZpZD0zMWQ0Zg => https://www.mediafire.com/file/jj87fycoyk3agem/#P@$$%C9%AF08%C9%BED!-2025_%E2%9D%96%C2%A20%CA%8Dpl%C4%934%C6%90-%C5%9E%C6%903t-%E0%B8%99p%E2%9A%9D-4fr%C6%90%C6%90%E2%A7%89.zip/file

Intelligence


File Origin
# of uploads: 1
# of downloads: 476
Origin country: ES

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Setup_patched.exe
Verdict: Malicious activity
Analysis date: 2025-04-29 11:36:49 UTC
Tags: lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: vmdetect delphi

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: borland_delphi entropy expand fingerprint keylogger lolbin overlay packed packed packer_detected

Result
Threat name: Amadey, CryptOne, LummaC Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1677237
Sample: Setup_patched.exe
Startdate: 29/04/2025
Architecture: WINDOWS
Score: 100

Behavior graph (flattened from the rendered figure; numbers in parentheses are the graph's node IDs, and each entry lists the node's network contacts, dropped files, signatures and child processes as shown in the graph):

Root (2): tackleoutplayed.com, nodepathr.run, 4 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures. Starts: Setup_patched.exe (9), Clus-Blue.exe (14), Safari.exe (16).

Setup_patched.exe (9): nodepathr.run 172.67.204.131, 443, 49682, 49684 CLOUDFLARENETUS United States; h1.startingshabby.world 172.67.178.177, 443, 49694 CLOUDFLARENETUS United States. Dropped: C:\...\KS4K1YA8VGN568AQGFAFWOX4GDL9IKJ.exe (PE32); C:\Users\user\AppData\Local\...\msvcr120.dll (PE32+); C:\Users\user\AppData\Local\...\msvcp120.dll (PE32+); 12 other malicious files. Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 5 other signatures. Starts: Clus-Blue.exe (18), 6S0T6CAXCMQ26QUJDRFBOVL5A1FGV4O.exe (22), KS4K1YA8VGN568AQGFAFWOX4GDL9IKJ.exe (25).

Clus-Blue.exe (14): Signatures: Hides threads from debuggers.

Safari.exe (16): Signatures: Multi AV Scanner detection for dropped file.

Clus-Blue.exe (18): Dropped: C:\ProgramData\Fidl\Clus-Blue.exe (PE32+); C:\ProgramData\Fidl\msvcr120.dll (PE32+); C:\ProgramData\Fidl\msvcp120.dll (PE32+); 10 other files (none is malicious). Signatures: Hides threads from debuggers; Found direct / indirect Syscall (likely to bypass EDR). Starts: Clus-Blue.exe (27).

6S0T6CAXCMQ26QUJDRFBOVL5A1FGV4O.exe (22): a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84, 49711, 8545 AMAZONEXPANSIONGB United States; x.ss2.us 3.167.212.36, 49714, 80 AMAZON-02US United States; 127.0.0.1 unknown unknown. Dropped: C:\ProgramData\shark.exe (PE32). Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights). Starts: cmd.exe (31), WerFault.exe (33), WerFault.exe (35), 8 other processes (37).

KS4K1YA8VGN568AQGFAFWOX4GDL9IKJ.exe (25): Dropped: C:\ProgramData\Safari\Safari.exe (PE32). Signatures: Creates multiple autostart registry keys.

Clus-Blue.exe (27): Dropped: C:\Users\user\AppData\Local\...\F67BC61.tmp (PE32); C:\Users\user\AppData\Local\Temp\...\ping.com (PE32); C:\ProgramData\Fidl\360Tray.exe (PE32). Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Drops PE files with a suspicious file extension; Tries to evade debugger and weak emulator (self modifying code); 4 other signatures. Starts: ping.com (39), 360Tray.exe (43).

cmd.exe (31): Starts: reg.exe (45), conhost.exe (47).

ping.com (39): tackleoutplayed.com 104.21.49.4, 49701, 49702, 49703 CLOUDFLARENETUS United States. Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR).

reg.exe (45): Signatures: Creates multiple autostart registry keys.
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2025-04-29 11:31:13 UTC
File Type: PE (Exe)
Extracted files: 408
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma botnet:200131 discovery persistence spyware stealer trojan
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://nodepathr.run/oturu
https://zenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://buzzarddf.live/ktnt
https://0techsyncq.run/riid
https://parakehjet.run/kewk
http://tackleoutplayed.com
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 1a634b2d431432cff6511043c57f5c0b8fe5317e8683170053293a848c95056e
MD5 hash: f4564e51eb36540875cfe49d6342615e
SHA1 hash: 66f9aa5b03a35c7eaca4044a6edd5dce2adbd65c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: Check_OutputDebugStringA_iat

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File type: Executable exe
SHA256: 1a634b2d431432cff6511043c57f5c0b8fe5317e8683170053293a848c95056e (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                      | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                       | high
CHECK_NX           | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection   | high

Reviews

ID                 | Capabilities                       | Evidence
COM_BASE_API       | Can Download & Execute components  | ole32.dll::CoCreateInstance
                   |                                    | ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API     | Can Play Multimedia                | msacm32.dll::acmDriverClose
                   |                                    | msacm32.dll::acmDriverDetailsA
                   |                                    | msacm32.dll::acmDriverEnum
                   |                                    | msacm32.dll::acmDriverOpen
                   |                                    | msacm32.dll::acmFormatEnumA
                   |                                    | msacm32.dll::acmFormatSuggest
SHELL_API          | Manipulates System Shell           | shell32.dll::ShellExecuteA
WIN32_PROCESS_API  | Can Create Process and Threads     | kernel32.dll::WriteProcessMemory
                   |                                    | kernel32.dll::CloseHandle
                   |                                    | kernel32.dll::CreateThread
WIN_BASE_API       | Uses Win Base API                  | kernel32.dll::LoadLibraryExA
                   |                                    | kernel32.dll::LoadLibraryA
                   |                                    | kernel32.dll::GetDriveTypeA
                   |                                    | kernel32.dll::GetVolumeInformationA
                   |                                    | kernel32.dll::GetSystemInfo
                   |                                    | kernel32.dll::GetStartupInfoA
WIN_BASE_EXEC_API  | Can Execute other programs         | kernel32.dll::WinExec
WIN_BASE_IO_API    | Can Create Files                   | kernel32.dll::CreateDirectoryA
                   |                                    | kernel32.dll::CreateFileA
                   |                                    | kernel32.dll::DeleteFileA
                   |                                    | kernel32.dll::GetSystemDirectoryA
                   |                                    | kernel32.dll::GetFileAttributesA
                   |                                    | kernel32.dll::FindFirstFileA
WIN_BASE_USER_API  | Retrieves Account Information      | kernel32.dll::GetComputerNameA
WIN_REG_API        | Can Manipulate Windows Registry    | advapi32.dll::RegCreateKeyExA
                   |                                    | advapi32.dll::RegDeleteKeyA
                   |                                    | advapi32.dll::RegOpenKeyExA
                   |                                    | advapi32.dll::RegQueryInfoKeyA
                   |                                    | advapi32.dll::RegQueryValueExA
                   |                                    | advapi32.dll::RegSetValueExA
WIN_USER_API       | Performs GUI Actions               | user32.dll::ActivateKeyboardLayout
                   |                                    | user32.dll::CreateMenu
                   |                                    | user32.dll::EmptyClipboard
                   |                                    | user32.dll::FindWindowA
                   |                                    | user32.dll::OpenClipboard
                   |                                    | user32.dll::PeekMessageA

Comments