MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16


SHA256 hash: 2063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255
SHA3-384 hash: 14b7c450d56c5db15abe41be454197fbfe0d8e2cb09bc8b6cec91d757b58c223ec8eb01437f1a5287f5ef03aa1904d1c
SHA1 hash: fe60d4df8f1f6b682ccae4df0d48d1662c8aa8e1
MD5 hash: 4bf1ceb25a2893275cbdbd4026e51b28
humanhash: fillet-lamp-batman-spring
File name: random.exe
Download: download sample
Signature: LummaStealer
File size: 2'098'688 bytes
First seen: 2025-03-15 12:29:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:xox2NFVHpLObWDki5ecRzizDjOqAVaBlA0lQQXzi+FO:xuU9gbyki0NzBlj+Mi+F
TLSH T1CBA512CD6B048F11CD878E7A3F9702F7F813E9E5420FA29FF1125A66996702D15AC326
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags: 092155 Amadey exe LummaStealer


iamaachum
http://176.113.115.7/luma/random.exe

Amadey Botnet: 092155
Amadey C2: http://176.113.115.6/Ni9kiput/index.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 392
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-03-15 12:31:24 UTC
Tags: stealer lumma

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 96.5%
Tags: phishing virus

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packer_detected

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: LummaC2 Stealer
Verdict: Malicious

Result
Threat name: Amadey, LummaC Stealer, Stealc, Xmrig
Detection: malicious
Classification: phis.troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contain functionality to detect virtual machines
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect debuggers (CloseHandle check)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: (rendered process/network graph not reproduced here) Behavior Graph ID: 1639365, Sample: random.exe, Startdate: 15/03/2025, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-03-15 12:30:14 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 23 of 36 (63.89%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:asyncrat family:healer family:lumma family:stealc botnet:092155 botnet:trump credential_access defense_evasion discovery dropper evasion execution persistence pyinstaller rat spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Blocklisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
AsyncRat
Asyncrat family
Detects Healer an antivirus disabler dropper
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
Stealc
Stealc family
Malware Config
C2 Extraction:
Dropper Extraction: http://176.113.115.7/mine/random.exe
Unpacked files
SHA256 hash: 2063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255
MD5 hash: 4bf1ceb25a2893275cbdbd4026e51b28
SHA1 hash: fe60d4df8f1f6b682ccae4df0d48d1662c8aa8e1

SHA256 hash: 9bcd73b3a5141b1b62b5785e7ea3d6968eb6cb06cef98da8d0dda9e98b0f05eb
MD5 hash: 8dd55ba58c11272cd4de2895f7ffef29
SHA1 hash: c53f1ce4344a91100d1472a72df2cb866e12db73
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer
Executable exe 2063f2c03a2d00224f42942762a5535ce767cd722b5e93cbae5c55cc9c92e255 (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                         | Title                                                     | Severity
CHECK_AUTHENTICODE         | Missing Authenticode                                      | high
CHECK_DLL_CHARACTERISTICS  | Missing dll Security Characteristics (HIGH_ENTROPY_VA)    | high
CHECK_NX                   | Missing Non-Executable Memory Protection                  | critical
