MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3
SHA3-384 hash: 335ad3ba49394478d7e0a3531243e61e7aca046e8321797ca033df17e2014887c7127dd1faa69f832687cecabcf2c452
SHA1 hash: 18c855f60fb83306f23634b10841655fb32a943b
MD5 hash: 1dbdcaeaac26f7d34e872439997ee68d
humanhash: magnesium-monkey-speaker-april
File name:qhjMWht.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:6'042'728 bytes
First seen:2025-04-05 13:34:07 UTC
Last seen:2025-04-06 07:30:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e59d00b0d90522ee1a983f13d4ff7e50 (2 x ACRStealer, 1 x LummaStealer)
ssdeep 98304:zZvqfZH0os+672PX492sJZH0os+672PX492sUZH0os+672PX492sY:xq90p+6SPX4p0p+6SPX4Q0p+6SPX4u
TLSH T15956339E7204D036D56323318F55AF1C829EF6B68FF6A5CB7398044D8CB26C15A60FB6
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon aa38ce868282b882 (110 x Adware.Generic, 6 x CoinMiner, 5 x Formbook)
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
http://176.113.115.7/files/5419477542/qhjMWht.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
36
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9ea5d4fc9d5bd1b7245cd49fcf68b64a751f8a94c457681199be8b88f8c0f7bc.zip
Verdict:
Malicious activity
Analysis date:
2025-04-04 17:09:50 UTC
Tags:
amadey lumma stealer botnet loader arch-exec auto generic gcleaner credentialflusher telegram autoit rdp themida remote evasion autoit-loader
Link:
https://app.any.run/tasks/0475ad3d-cd28-4b5c-a6ba-145f13e1f043

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/769/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f1323acfd0a37f830ede84
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint invalid-signature microsoft_visual_cc overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/67f131566258a97207fbb705/reports/c10fb5a9-930b-4b25-95bb-5bd059bc0578/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/96165b17-98bd-4451-89f8-1fbb69384dd8
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1657319
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
32%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2025-04-04 07:25:50 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfbk5t4xss7c6oeu2pqufhji7aerrrnudviwzela47gttbfg6wrq._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250405-qt9r9axwew/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Checks installed software on the system
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://xrfxcaseq.live/gspaz
https://jrxsafer.top/shpaoz
https://gkrxspint.digital/kendwz
https://erhxhube.run/pogrs
https://grxeasyw.digital/xxepw
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://ywmedici.top/noagis
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/989921cc-0ef1-40a7-bde2-aa8a22582391
Unpacked files
SH256 hash:
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3
MD5 hash:
1dbdcaeaac26f7d34e872439997ee68d
SHA1 hash:
18c855f60fb83306f23634b10841655fb32a943b
Link:
https://www.unpac.me/results/2f8d539c-37bb-4a6a-9433-c49816ea035f/
SH256 hash:
315781081633471476809c009d82cfbbefc83200023d91905345040c7e1cca2c
MD5 hash:
03a355d8b5ec7b79636c58bc2d922798
SHA1 hash:
5849caacefcc03d69046c78e975a6b5a74fb6d1e
Link:
https://www.unpac.me/results/2f8d539c-37bb-4a6a-9433-c49816ea035f/
SH256 hash:
2ea5a3d95f96ed8faede5c481d91922eafd0bc64efc6516ae448cf56aada866d
MD5 hash:
1a8eec7a6700f6bec26d1b375eba55f7
SHA1 hash:
85e2e4f1d79a382be03f4a0644caa73788f614b8
Link:
https://www.unpac.me/results/2f8d539c-37bb-4a6a-9433-c49816ea035f/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3142aecf9794/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

(this sample)

  
Link
https://tria.ge/250405-qhz4nszlz9/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/769/
  
URLhaus
https://urlhaus.abuse.ch/url/3502588/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW

Comments