MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3
SHA3-384 hash: a33bd0e4d153938255f6ab288e53a5d51a7e02b51bf8be0b2aac5c2e7109c3de9dcf5cbd0a070884585e452756c3400b
SHA1 hash: 79c5dc86c0ece1486550f91456564bc369c1c8df
MD5 hash: 37d87bfc0008f2a3dca742aac12a4b97
humanhash: india-utah-idaho-yankee
File name:37d87bfc0008f2a3dca742aac12a4b97.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'875'456 bytes
First seen:2025-04-29 05:45:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:Pc6J70Rehr9mlWlkwz5t+CqvYdMrW2JtdfaxFY1:PchqBawzb+7vYdMrW0t5a3Y1
Threatray 10 similar samples on MalwareBazaar
TLSH T146953318CFFB9BFCD40C6171CAE29A587770BFA278A0A1521F058B55172332963EB54E
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
37d87bfc0008f2a3dca742aac12a4b97.exe
Verdict:
Malicious activity
Analysis date:
2025-04-29 06:05:17 UTC
Tags:
lumma stealer loader themida auto botnet amadey auto-reg credentialflusher auto-sch rdp
Link:
https://app.any.run/tasks/420f66e5-1360-4ffc-8a83-535e83f4e514

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4874/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68106cdcc8b2e86d0ac42c30
Tags:
vmdetect autorun emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypt entropy packed packed packer_detected rat virtual xpack
Link:
https://www.filescan.io/uploads/681067ac833df795debd1706/reports/f856a5fa-4384-4ba0-9983-659e1eb5da2d/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3943b357-c68c-49f9-bf66-7db107527b82
Result
Threat name:
PureCrypter, Amadey, CryptOne, LummaC St, LummaC Stealer, RHADAMANTHYS, Vi
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1676939
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1676939 Sample: u96C4lipvW.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 57 techguidet.digital 2->57 59 62.3a.4t.com 2->59 61 8 other IPs or domains 2->61 115 Suricata IDS alerts for network traffic 2->115 117 Found malware configuration 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 16 other signatures 2->121 8 saved.exe 30 2->8         started        13 u96C4lipvW.exe 1 2->13         started        15 laren.exe 2->15         started        signatures3 process4 dnsIp5 63 185.39.17.163, 49730, 49731, 49733 RU-TAGNET-ASRU Russian Federation 8->63 65 185.39.17.122, 49770, 80 RU-TAGNET-ASRU Russian Federation 8->65 67 94.26.90.80, 49767, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 8->67 47 C:\Users\user\AppData\Local\...\amnew.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\...\VisualCode.exe, PE32+ 8->49 dropped 51 C:\Users\user\AppData\Local\...\K2bpz1U.exe, PE32+ 8->51 dropped 55 5 other malicious files 8->55 dropped 123 Contains functionality to start a terminal service 8->123 17 f9a223fb8a.exe 1 8->17         started        21 K2bpz1U.exe 8->21         started        23 VisualCode.exe 8->23         started        25 amnew.exe 8->25         started        69 techguidet.digital 104.21.4.42, 443, 49726 CLOUDFLARENETUS United States 13->69 71 185.39.17.162, 49728, 49732, 49763 RU-TAGNET-ASRU Russian Federation 13->71 73 zenithcorde.top 172.67.190.162, 443, 49710, 49713 CLOUDFLARENETUS United States 13->73 53 C:\Users\...\T71FHX1IK5M46AWUQN53WAO8P4N5.exe, PE32 13->53 dropped 125 Detected unpacking (changes PE section rights) 13->125 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->127 129 Query firmware table information (likely to detect VMs) 13->129 133 9 other signatures 13->133 27 T71FHX1IK5M46AWUQN53WAO8P4N5.exe 4 13->27         started        131 Multi AV Scanner detection for dropped file 15->131 file6 signatures7 process8 file9 41 C:\Users\user\AppData\...\svchost015.exe, PE32 17->41 dropped 97 Detected unpacking (changes PE section rights) 17->97 99 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->99 101 Writes to foreign memory regions 17->101 113 6 other signatures 17->113 29 svchost015.exe 14 17->29         started        103 Allocates memory in foreign processes 21->103 105 Injects a PE file into a foreign processes 21->105 32 MSBuild.exe 2 21->32         started        35 MSBuild.exe 23->35         started        43 C:\Users\user\AppData\Local\...\laren.exe, PE32 25->43 dropped 37 laren.exe 25->37         started        45 C:\Users\user\AppData\Local\...\saved.exe, PE32 27->45 dropped 107 Multi AV Scanner detection for dropped file 27->107 109 Contains functionality to start a terminal service 27->109 111 Contains functionality to inject code into remote processes 27->111 39 saved.exe 27->39         started        signatures10 process11 dnsIp12 75 185.156.72.196, 80 ITDELUXE-ASRU Russian Federation 29->75 77 drive.usercontent.google.com 142.250.68.65, 443, 49745 GOOGLEUS United States 29->77 79 149.28.87.212, 49768, 56002 AS-CHOOPAUS United States 32->79 85 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 32->85 87 Found many strings related to Crypto-Wallets (likely being stolen) 32->87 89 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 32->89 95 4 other signatures 32->95 81 62.3a.4t.com 5.75.209.111, 443, 49773, 49774 HETZNER-ASDE Germany 35->81 83 t.me 149.154.167.99, 443, 49771 TELEGRAMRU United Kingdom 35->83 91 Multi AV Scanner detection for dropped file 39->91 93 Contains functionality to start a terminal service 39->93 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-04-29 05:46:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlqoddrlkaq2yh22rivoaba36m73i3wlf72gl4njnadwgsr2zlrq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
admintool_putty
Create hunting rule
Similar samples:
1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3
LummaStealer
2a571c59ffbf801083d9ba971d4b52cee9661f19086283cfb1d59235d1e0f08c
LummaStealer
2f6e289419a131d8e5108ffa8ae0833d94fbbc3bae716b3db87c11388b544b5a
LummaStealer
3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
LummaStealer
3c9dcf8048e75c25b02798b0e3199da87b0d3a62cea8348078ed34a6f89a28ba
LummaStealer
5b2589c815563a4ec9032d33073e2d899b6773889f61b6dacf9a3f84e000c29c
LummaStealer
8313c081a92b8c3e8debe8b6662ce1531cbf3d0e6464c1a6d0ee178568a52c40
LummaStealer
a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107
LummaStealer
b1518ce4a36f563927de0d126157fd02be37c147f81afcc29b62e10a17dddea5
LummaStealer
dc25d718f31abfb22d767a38383cc4534ecec474e88e9b84b9e437fb97fd5017
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250429-gggfhavtat/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://clarmodq.top/qoxo
https://zenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://3buzzarddf.live/ktnt
https://techsyncq.run/riid
https://parakehjet.run/kewk
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bd85addd-7fab-44f1-9cf2-8e3aae058c8d
Unpacked files
SH256 hash:
1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3
MD5 hash:
37d87bfc0008f2a3dca742aac12a4b97
SHA1 hash:
79c5dc86c0ece1486550f91456564bc369c1c8df
Link:
https://www.unpac.me/results/bf4822ab-296c-4a4b-a5ca-ec4e90c77d24/
SH256 hash:
d04ce8397aff280daf94684174c68f0c9b07afde467b6b8c513dc81fa258cb7f
MD5 hash:
ca6ac032db14c5cbf3a029bdddfdb126
SHA1 hash:
f9e159c4784d887e758ba3fd7832572ea539f421
Link:
https://www.unpac.me/results/bf4822ab-296c-4a4b-a5ca-ec4e90c77d24/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ae0e18e2b50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1ae0e18e2b5021ac1f5a8a2ae0041bf33fb46ecb2ff465f1a96807634a3acae3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3511779/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3518568/
Cape
Cape
https://www.capesandbox.com/analysis/4874/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments