Threat name: Amadey, Credential Flusher, Healer AV Di
Alert
Classification: phis.troj.spyw.evad
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behavior Graph
ID: 1675404
Sample: random.exe
Startdate: 27/04/2025
Architecture: WINDOWS
Score: 100

Process tree (network contacts, dropped files and signatures are listed under the node that produced them):

Analysis root
  network: www.google.com; play.google.com; 2 other IPs or domains
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 24 other signatures
  started: random.exe
    network: 185.39.17.162, 49697, 49764, 49767 (RU-TAGNET-ASRU, Russian Federation); clarmodq.top 104.21.85.126, 443, 49687, 49688 (CLOUDFLARENETUS, United States)
    dropped: C:\...\2STT93JV3SHOOY9VDJTZ408HANUBAJ.exe, PE32
    signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 3 other signatures
    started: 2STT93JV3SHOOY9VDJTZ408HANUBAJ.exe
      dropped: C:\Users\user\AppData\Local\...\saved.exe, PE32
      signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
      started: saved.exe
        network: 185.39.17.163, 49699, 49700, 49701 (RU-TAGNET-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\...\55ea4b8f69.exe, PE32; C:\Users\user\AppData\...\e85647a9da.exe, PE32; C:\Users\user\AppData\...\d723d03d8b.exe, PE32; 5 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Creates multiple autostart registry keys
        started: 23a21b1f6c.exe
          dropped: C:\Users\...\37K4XQHJ7GQ35OTHPM3DXU15.exe, PE32
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 9 other signatures
          started: 37K4XQHJ7GQ35OTHPM3DXU15.exe
            signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service
        started: d723d03d8b.exe
          signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Modifies windows update settings; Disables Windows Defender Tamper protection; 2 other signatures
        started: 55ea4b8f69.exe
          dropped: C:\Users\user\AppData\Local\...\12cOFzk6M.hta, HTML
          signatures: Binary is likely a compiled AutoIt script file; Creates HTA files
          started: mshta.exe
            signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            started: powershell.exe
              dropped: TempX8GMGVAKGC39D2JJ4MDFVZN9FODVKMZP.EXE, PE32
              signatures: Powershell drops PE file
              started: conhost.exe
          started: cmd.exe
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            started: conhost.exe; schtasks.exe
        started: e85647a9da.exe
          started: taskkill.exe (three instances, each starting conhost.exe); 3 other processes (starting two conhost.exe)
  started: 23a21b1f6c.exe
    dropped: C:\Users\user\...\D3V0NYM400UL7VL3.exe, PE32
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
    started: chrome.exe
      network: 192.168.2.6, 138, 443, 49199 (unknown, unknown)
      started: chrome.exe
        network: ogads-pa.clients6.google.com 142.250.188.234, 443, 49805, 49810 (GOOGLEUS, United States); www.google.com 142.250.189.4, 443, 49784, 49785 (GOOGLEUS, United States); 3 other IPs or domains
    started: chrome.exe
  started: d723d03d8b.exe
    signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  started: 7 other processes
    signatures: Contains functionality to start a terminal service
    started: firefox.exe
      network: 127.0.0.1 (unknown, unknown)
      signatures: Found many strings related to Crypto-Wallets (likely being stolen)
      started: firefox.exe