MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
SHA3-384 hash: 97b49950097e22f5960715092934cd489e571dd2df338542579700bd113611bff12393472408eaa7f048a467a48443b4
SHA1 hash: 89b0a442504b485cb01dc65eff91db22ab11c668
MD5 hash: ea61922dae2d227f2a8541d653801603
humanhash: thirteen-mississippi-connecticut-item
File name:IMSoftware{Launcher}3.21.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:162'304 bytes
First seen:2025-04-12 00:07:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 3072:GahKyd2n31L5GWp1icKAArDZz4N9GhbkrNEk1GT:GahOjp0yN90QEh
Threatray 363 similar samples on MalwareBazaar
TLSH T16FF38D4A73E420A6E4B653B498F202939A32BCB15B7582FF12D4D57E0E336D4A532F17
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://www.youtube.com/watch?v=XYgcR95wX5U => https://u.to/i7I4Ig => https://dl.dropboxusercontent.com/scl/fi/y7tzimbxpx4dpylfpnzqz/Menu-Software-V3.21.zip?rlkey=s775hpagakzljzg9dw5nyejwi&st=gsyw9my0&dl=0

Intelligence

File Origin
# of uploads :
1
# of downloads :
520
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMSoftware{Launcher}3.21.exe
Verdict:
Malicious activity
Analysis date:
2025-04-12 00:16:47 UTC
Tags:
stegocampaign lumma stealer
Link:
https://app.any.run/tasks/83138658-7c18-4c8f-b9ee-77c695350ada

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1950/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f9b5e1d6e7c3effad07282
Tags:
xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Creating a process from a recently created file
Launching a process
Sending an HTTP GET request to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB cmd explorer installer lolbin microsoft_visual_cc obfuscated packed powershell rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/67f9aeac40adfb5162c05a2d/reports/c5d4a9b0-29a5-4a95-b3ba-702d296427f1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/51c3ede2-a94f-4463-84e0-71cc4629c3b3
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1663633
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1663633 Sample: IMSoftware{Launcher}3.21.exe Startdate: 12/04/2025 Architecture: WINDOWS Score: 100 43 xcelmodo.run 2->43 45 soursopsf.run 2->45 47 5 other IPs or domains 2->47 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 15 other signatures 2->71 11 IMSoftware{Launcher}3.21.exe 1 3 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 process4 dnsIp5 39 C:\Users\user\AppData\...\67f525209658e.vbs, ASCII 11->39 dropped 17 cmd.exe 3 2 11->17         started        53 127.0.0.1 unknown unknown 14->53 file6 process7 process8 19 wscript.exe 1 17->19         started        22 conhost.exe 17->22         started        signatures9 73 Suspicious powershell command line found 19->73 75 Wscript starts Powershell (via cmd or directly) 19->75 77 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->77 79 Suspicious execution chain found 19->79 24 powershell.exe 7 19->24         started        process10 signatures11 81 Suspicious powershell command line found 24->81 83 Found suspicious powershell code related to unpacking or dynamic code loading 24->83 27 powershell.exe 14 23 24->27         started        31 conhost.exe 24->31         started        process12 dnsIp13 49 ofice365.github.io 185.199.108.153, 443, 49711 FASTLYUS Netherlands 27->49 51 62.60.226.112, 49717, 80 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of) 27->51 85 Writes to foreign memory regions 27->85 87 Injects a PE file into a foreign processes 27->87 89 Loading BitLocker PowerShell Module 27->89 33 MSBuild.exe 27->33         started        37 MSBuild.exe 27->37         started        signatures14 process15 dnsIp16 41 changeaie.top 104.21.42.7, 443, 49719, 49724 CLOUDFLARENETUS United States 33->41 55 Query firmware table information (likely to detect VMs) 33->55 57 Tries to harvest and steal ftp login credentials 33->57 59 Tries to harvest and steal browser information (history, passwords, etc) 33->59 61 Tries to steal Crypto Currency Wallets 33->61 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->63 signatures17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 05:52:25 UTC
File Type:
PE+ (Exe)
Extracted files:
36
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eehplmwo6kcq7ldw7fkc54q3hx6xathvsevhjv5effld7dkiejvq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
LummaStealer
3d4a95b512c8629f9d45145d14133e673b466903c399f54ed6279adb0bd5e6bc
LummaStealer
7a83f3bab7fb9169cd2d5737f9d362b76e9e1574bb54384ebd2ebe9d17649dae
LummaStealer
8982eecbc6365b0320c57d0d186f0b0569a6cb619da669f5a87ad3ad7b09e698
LummaStealer
9c348075ed5b4586cb68c9d794189661b4bcb53c86eff81afd634e29ef9e8369
LummaStealer
c041e7547fc7f9dbbcde766a199fb6226309c60f76795ddfe46da698664f9311
LummaStealer
error
LummaStealer
f38fa95a5c036c2193db7d9b9c28f6bb6b5173c89e61cb396f1fbe03c457988b
LummaStealer
+ 353 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/250412-aebznstjy8/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Verdict:
Malicious
Tags:
stealer redline
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/c4cbb29d-17a9-4d73-a924-d0f03c1aa43c
Unpacked files
SH256 hash:
210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b
MD5 hash:
ea61922dae2d227f2a8541d653801603
SHA1 hash:
89b0a442504b485cb01dc65eff91db22ab11c668
Link:
https://www.unpac.me/results/c2559e39-e991-4e1e-a365-f28c207fd18e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 210ef5b2cef2850fac76f9542ef21b3dfd704cf5912a74d7a429563f8d48226b

(this sample)

unknown f401ccc147b87f93a9751d82a684645f187607c7c706130ebd251c03e3f9c39f

LummaStealer

Visual Basic Script (vbs) vbs 81e8bd1cfbfff36b8773bda24940d0fa4abe9df5081ed785e95687405af13747

  
Link
https://tria.ge/250411-3ew9tsspt8/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/1950/
  
Dropping
SHA256 81e8bd1cfbfff36b8773bda24940d0fa4abe9df5081ed785e95687405af13747
  
Dropping
MD5 765ee19c7067124dd4904ea24e90eabb
  
Dropping
SHA256 f401ccc147b87f93a9751d82a684645f187607c7c706130ebd251c03e3f9c39f
  
Dropping
MD5 35b268abe21f40784de7dc8b20be5b92

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments