MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde
SHA3-384 hash: 63a2c2614da288bb7692f241ee2eac36791d4a7b0df8dd7a034663d7fda48d84ecb6b28dd1fe2736ccfbcc1b5aabd683
SHA1 hash: 2f0e7ffb4b9f6c4cc08742218c223e7e441b6d3c
MD5 hash: e047d259ab26b74f0aea0b7e2aea2c74
humanhash: zebra-moon-seventeen-music
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'901'568 bytes
First seen:2025-05-20 11:46:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:VQwaSpu6U/gI8+IE7a/BjQMSOV//gdsKxiZyVREIOAmniA6TAoZYuUUXGT70iOr:VQwasu6dI8n+a1V//cY8R1OBn564qd
Threatray 1 similar samples on MalwareBazaar
TLSH T13595336428A2B215D564B8F5666C423F3F3B52CB0189BE66AE00BD3D85C772C2CB197D
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
479
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
69e2f131204f0a75de1ed80f43e509d4.exe
Verdict:
Malicious activity
Analysis date:
2025-05-20 09:37:48 UTC
Tags:
lumma stealer themida loader amadey botnet telegram purecrypter purelogs auto-reg auto-sch rdp evasion
Link:
https://app.any.run/tasks/0f707a89-d75e-4eb7-82bc-5671edf03985

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c6bc8c28c67d666424b14
Tags:
vmdetect phishing autorun spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Behavior that indicates a threat
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/682c6bca0de036ed65acc7e2/reports/2a8d6762-1679-49e2-ab49-50ebcbe27080/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f583e005-cf87-4dfe-ad42-b602816db57e
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1694895
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: PUA - NSudo Execution
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694895 Sample: random.exe Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 113 zenithcorde.top 2->113 115 www.google.com 2->115 117 12 other IPs or domains 2->117 143 Suricata IDS alerts for network traffic 2->143 145 Found malware configuration 2->145 147 Antivirus detection for URL or domain 2->147 149 24 other signatures 2->149 13 random.exe 1 2->13         started        18 ramez.exe 2->18         started        20 mshta.exe 2->20         started        22 6 other processes 2->22 signatures3 process4 dnsIp5 121 185.156.72.2, 49706, 49709, 49714 ITDELUXE-ASRU Russian Federation 13->121 123 techguidet.digital 40.91.108.115, 443, 49687, 49688 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 13->123 125 2 other IPs or domains 13->125 107 C:\Users\user\...\25AKXCQPFUAMHY7X.exe, PE32 13->107 dropped 175 Detected unpacking (changes PE section rights) 13->175 177 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->177 179 Query firmware table information (likely to detect VMs) 13->179 193 8 other signatures 13->193 24 25AKXCQPFUAMHY7X.exe 4 13->24         started        181 Antivirus detection for dropped file 18->181 183 Contains functionality to start a terminal service 18->183 185 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 18->185 187 Suspicious powershell command line found 20->187 189 Tries to download and execute files (via powershell) 20->189 28 powershell.exe 20->28         started        191 Changes security center settings (notifications, updates, antivirus, firewall) 22->191 30 MpCmdRun.exe 22->30         started        file6 signatures7 process8 file9 93 C:\Users\user\AppData\Local\...\ramez.exe, PE32 24->93 dropped 151 Antivirus detection for dropped file 24->151 153 Detected unpacking (changes PE section rights) 24->153 155 Contains functionality to start a terminal service 24->155 157 6 other signatures 24->157 32 ramez.exe 3 25 24->32         started        37 conhost.exe 28->37         started        39 conhost.exe 30->39         started        signatures10 process11 dnsIp12 111 185.156.72.96, 49707, 49708, 49711 ITDELUXE-ASRU Russian Federation 32->111 85 C:\Users\user\AppData\...\177d6fdd50.exe, PE32+ 32->85 dropped 87 C:\Users\user\AppData\...\81f0912305.exe, PE32 32->87 dropped 89 C:\Users\user\AppData\...\307da69940.exe, PE32 32->89 dropped 91 5 other malicious files 32->91 dropped 127 Contains functionality to start a terminal service 32->127 129 Creates multiple autostart registry keys 32->129 131 Hides threads from debuggers 32->131 133 2 other signatures 32->133 41 44be5fe5aa.exe 1 32->41         started        46 307da69940.exe 32->46         started        48 81f0912305.exe 32->48         started        file13 signatures14 process15 dnsIp16 119 23.222.161.105, 443, 49720 AKAMAI-ASUS United States 41->119 95 C:\Users\user\...\7QKJQ66YGTSDQ19096JSIU.exe, PE32 41->95 dropped 163 Antivirus detection for dropped file 41->163 165 Detected unpacking (changes PE section rights) 41->165 167 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 41->167 173 10 other signatures 41->173 97 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 46->97 dropped 99 C:\Users\user\AppData\Local\...\cecho.exe, PE32 46->99 dropped 101 C:\Users\user\AppData\Local\...101SudoLG.exe, PE32+ 46->101 dropped 105 2 other malicious files 46->105 dropped 50 cmd.exe 46->50         started        103 C:\Users\user\AppData\Local\...\KZQ8F9xFz.hta, HTML 48->103 dropped 169 Binary is likely a compiled AutoIt script file 48->169 171 Creates HTA files 48->171 53 mshta.exe 48->53         started        55 cmd.exe 48->55         started        file17 signatures18 process19 signatures20 135 Uses cmd line tools excessively to alter registry or file data 50->135 137 Uses schtasks.exe or at.exe to add and modify task schedules 50->137 57 cmd.exe 50->57         started        60 conhost.exe 50->60         started        139 Suspicious powershell command line found 53->139 141 Tries to download and execute files (via powershell) 53->141 62 powershell.exe 53->62         started        65 schtasks.exe 55->65         started        67 conhost.exe 55->67         started        process21 file22 159 Uses cmd line tools excessively to alter registry or file data 57->159 69 cmd.exe 57->69         started        71 conhost.exe 57->71         started        73 chcp.com 57->73         started        81 19 other processes 57->81 75 Conhost.exe 60->75         started        109 Temp5PXHRKFBTHQYMERHO9QEQWDGCMLKEOLO.EXE, PE32 62->109 dropped 161 Powershell drops PE file 62->161 77 conhost.exe 62->77         started        79 Conhost.exe 65->79         started        signatures23 process24 process25 83 tasklist.exe 69->83         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-05-20 11:47:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecpl57hiaa6nnpmacxox2rqsj642njpppxx7v7uelguut3cwz7pa._file
Verdict:
malicious
Label(s):
admintool_nsudo
Create hunting rule
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:8d33eb bootkit credential_access defense_evasion discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/250520-nxzeksyns7/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Identifies Wine through registry keys
Reads ssh keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
https://clarmodq.top/qoxo
https://pzenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://buzzarddf.live/ktnt
https://techsyncq.run/riid
https://parakehjet.run/kewk
https://trotwhvn.live/lxak
https://onarrathfpt.top/tekq
https://jackthyfuc.run/xpas
https://4gettoknwg.life/xapd
https://leasegjjr.digital/iwi
https://haircuirfm.top/aldk
https://gthreatqjqy.top/nybe
https://winterghzp.digital/ywq
https://gbubblezdjw.live/kudf
http://185.156.72.96
Unpacked files
SH256 hash:
209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde
MD5 hash:
e047d259ab26b74f0aea0b7e2aea2c74
SHA1 hash:
2f0e7ffb4b9f6c4cc08742218c223e7e441b6d3c
Link:
https://www.unpac.me/results/7f567fa8-b931-4c12-9f5c-e87d8a822266/
SH256 hash:
753b91ac2d1b05e75815f4009f32c4a66c30059acbff43e5651a003f255ee4bf
MD5 hash:
ae31ddf967190ce347ff09d0e51a2c8b
SHA1 hash:
b6baa1ce0c6a088a41f48c916b6314e6b38d0649
Link:
https://www.unpac.me/results/7f567fa8-b931-4c12-9f5c-e87d8a822266/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/209ebefce800/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 209ebefce8003cd6bd8015dd7d46124fb9a6a5ef7deffafe8459a949ec56cfde

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542096/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments