MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
SHA3-384 hash: 27a395ec0225403fbe74e46c0d8440cc254ee25df73033404ac8b007ac8d1ef8acf6e522cf5455d4b5c2c7d92792cab1
SHA1 hash: e7ed610dc3b3b79258ca63f276cbadeb98be9266
MD5 hash: 822d8e89f3456f224ca678302b11038a
humanhash: foxtrot-kilo-princess-pip
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'867'648 bytes
First seen:2025-04-13 15:52:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:BilB8hfgVayNKwwnwlEfrgXGW5Gx9GH4IejCw0Hq7+f4YAd:UlKhfriKAij8GW5GqH4rWwGqafH0
TLSH T11406331BE7AEC177E475D3B298F3528B1D62B58126200113A68F9D9514F8930FA3E37B
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter aachum
Tags:092155 Amadey exe LummaStealer


Avatar
iamaachum
http://176.113.115.7/download.php

Amadey Botnet: 092155
Amadey C2: http://176.113.115.6/Ni9kiput/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
492
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-13 15:29:46 UTC
Tags:
lumma stealer amadey botnet loader themida rdp
Link:
https://app.any.run/tasks/6000d139-e8e5-492b-be9b-64b6ef68c024

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2073/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fbd8ce1dba888a93d2bbab
Tags:
phishing autorun mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context CAB crypt explorer installer lolbin microsoft_visual_cc packed packed packer_detected rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/67fbdde62d430c849e1693f4/reports/475a1afc-d525-4e9c-80e8-7b84782b9927/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/21baef78-2f5d-44c4-9458-563186fb6e1b
Result
Threat name:
Amadey, LummaC Stealer, Quasar, Vidar, X
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1664121
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to start a terminal service
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses powercfg.exe to modify the power settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Quasar RAT
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1664121 Sample: random.exe Startdate: 13/04/2025 Architecture: WINDOWS Score: 100 101 pastebin.com 2->101 103 api.telegram.org 2->103 105 14 other IPs or domains 2->105 139 Suricata IDS alerts for network traffic 2->139 141 Found malware configuration 2->141 143 Malicious sample detected (through community Yara rule) 2->143 149 21 other signatures 2->149 10 rapes.exe 2->10         started        15 random.exe 1 4 2->15         started        17 updater.exe 2->17         started        19 10 other processes 2->19 signatures3 145 Connects to a pastebin service (likely for C&C) 101->145 147 Uses the Telegram API (likely for C&C communication) 103->147 process4 dnsIp5 107 176.113.115.6, 49733, 49734, 49736 SELECTELRU Russian Federation 10->107 109 185.81.68.7, 49757, 80 KLNOPT-ASFI Finland 10->109 87 C:\Users\user\AppData\Local\...\XYQ5buK.exe, PE32 10->87 dropped 89 C:\Users\user\AppData\Local\...\ZGvJyhV.exe, PE32+ 10->89 dropped 91 C:\Users\user\AppData\Local\...\gbz6UL4.exe, PE32 10->91 dropped 99 11 other malicious files 10->99 dropped 203 Contains functionality to start a terminal service 10->203 205 Hides threads from debuggers 10->205 207 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->207 209 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->209 21 2KdMigj.exe 10->21         started        24 h5HvaLO.exe 10->24         started        26 qNNDTVN.exe 10->26         started        93 C:\Users\user\AppData\Local\...\2U1136.exe, PE32 15->93 dropped 95 C:\Users\user\AppData\Local\...\1R38r3.exe, PE32 15->95 dropped 29 2U1136.exe 1 15->29         started        32 1R38r3.exe 4 15->32         started        97 C:\Windows\Temp\pphaiywlozqt.sys, PE32+ 17->97 dropped 211 Multi AV Scanner detection for dropped file 17->211 213 Modifies the context of a thread in another process (thread injection) 17->213 215 Adds a directory exclusion to Windows Defender 17->215 219 2 other signatures 17->219 34 powershell.exe 17->34         started        40 2 other processes 17->40 111 127.0.0.1 unknown unknown 19->111 217 Changes security center settings (notifications, updates, antivirus, firewall) 19->217 36 MpCmdRun.exe 19->36         started        38 WerFault.exe 2 19->38         started        file6 signatures7 process8 dnsIp9 151 Writes to foreign memory regions 21->151 153 Allocates memory in foreign processes 21->153 155 Injects a PE file into a foreign processes 21->155 42 MSBuild.exe 21->42         started        58 3 other processes 24->58 79 C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+ 26->79 dropped 81 C:\Windows\System32\drivers\etc\hosts, ASCII 26->81 dropped 157 Uses powercfg.exe to modify the power settings 26->157 171 3 other signatures 26->171 60 10 other processes 26->60 125 176.113.115.7, 49729, 49735, 49737 SELECTELRU Russian Federation 29->125 127 clarmodq.top 172.67.205.184, 443, 49716, 49717 CLOUDFLARENETUS United States 29->127 83 C:\Users\...\DYIJ37ML3W9UBV5Q35GMISGGT3C.exe, PE32 29->83 dropped 159 Antivirus detection for dropped file 29->159 161 Multi AV Scanner detection for dropped file 29->161 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->163 173 5 other signatures 29->173 46 DYIJ37ML3W9UBV5Q35GMISGGT3C.exe 2 29->46         started        48 WerFault.exe 29->48         started        85 C:\Users\user\AppData\Local\...\rapes.exe, PE32 32->85 dropped 165 Detected unpacking (changes PE section rights) 32->165 167 Contains functionality to start a terminal service 32->167 175 2 other signatures 32->175 50 rapes.exe 32->50         started        169 Loading BitLocker PowerShell Module 34->169 52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 conhost.exe 40->56         started        file10 signatures11 process12 dnsIp13 113 qo.ap.4t.com 78.47.105.59, 443, 49739, 49741 HETZNER-ASDE Germany 42->113 115 t.me 149.154.167.99, 443, 49738 TELEGRAMRU United Kingdom 42->115 177 Attempt to bypass Chrome Application-Bound Encryption 42->177 179 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->179 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->181 195 4 other signatures 42->195 62 chrome.exe 42->62         started        183 Antivirus detection for dropped file 46->183 185 Detected unpacking (changes PE section rights) 46->185 187 Contains functionality to start a terminal service 46->187 197 2 other signatures 46->197 65 rapes.exe 46->65         started        189 Tries to detect sandboxes and other dynamic analysis tools (window names) 50->189 199 2 other signatures 50->199 117 104.21.85.126, 443, 49758 CLOUDFLARENETUS United States 58->117 191 Query firmware table information (likely to detect VMs) 58->191 201 2 other signatures 58->201 193 Loading BitLocker PowerShell Module 60->193 68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        72 conhost.exe 60->72         started        74 8 other processes 60->74 signatures14 process15 dnsIp16 129 192.168.2.4, 443, 49709, 49716 unknown unknown 62->129 76 chrome.exe 62->76         started        131 Contains functionality to start a terminal service 65->131 133 Hides threads from debuggers 65->133 135 Tries to detect sandboxes / dynamic malware analysis system (registry check) 65->135 137 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 65->137 signatures17 process18 dnsIp19 119 plus.l.google.com 108.177.122.139 GOOGLEUS United States 76->119 121 ogads-pa.clients6.google.com 108.177.122.95 GOOGLEUS United States 76->121 123 2 other IPs or domains 76->123
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-04-13 15:31:28 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsms56cuh6xpqrolhrelw4jsomsgbemhbem3orvmgfxxpc5t4x3q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:092155 defense_evasion discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250413-tbpadayzhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://176.113.115.6
https://clarmodq.top/qoxo
https://jawdedmirror.run/ewqd
https://changeaie.top/geps
https://lonfgshadow.live/xawi
https://liftally.top/xasj
https://nighetwhisper.top/lekd
https://salaccgfa.top/gsooz
https://-zestmodp.top/zeda
https://owlflright.digital/qopy
Verdict:
Malicious
Tags:
stealer redline stealc
YARA:
detect_Redline_Stealer win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/9a50ce21-40e0-43d9-a81b-9912901ed59c
Unpacked files
SH256 hash:
3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
MD5 hash:
822d8e89f3456f224ca678302b11038a
SHA1 hash:
e7ed610dc3b3b79258ca63f276cbadeb98be9266
Link:
https://www.unpac.me/results/cc336c35-7308-42bd-a872-354437cee555/
SH256 hash:
74dc7b186b4dac572b54100c18900d90fac8baaeb8f8f52b5cb05b4359f5026f
MD5 hash:
f599aeb2c2bec2479f98ec7356c7c326
SHA1 hash:
a223c87b3b3e6a1dbce2cf87675d9f48940a9848
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/cc336c35-7308-42bd-a872-354437cee555/
SH256 hash:
fc75f6d292b15e4ca60c5a3791d5cbce1f5bb8eb390c7009a941a28cf006d807
MD5 hash:
bd8a594350596b521fa1749e736a377f
SHA1 hash:
10ecea19efd07760c3cf9612d2c131274f39ea20
Link:
https://www.unpac.me/results/cc336c35-7308-42bd-a872-354437cee555/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c992ef8543f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7

(this sample)

  
Link
https://tria.ge/250413-srwtqayjw3/behavioral3
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470479/
  
URLhaus
https://urlhaus.abuse.ch/url/3470476/
  
URLhaus
https://urlhaus.abuse.ch/url/3470471/
Cape
Cape
https://www.capesandbox.com/analysis/2073/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments