Threat name: Amadey, DarkVision Rat, LummaC Stealer
Alert
Classification: troj.spyw.expl.evad.mine
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected DarkVision Rat
Yara detected LummaC Stealer
Yara detected PrivateLoader
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1667149
Sample: random.exe
Startdate: 17/04/2025
Architecture: WINDOWS
Score: 100

Process tree (numbers are the graph's node IDs; each indented line is a process started by the process above it; numbers in parentheses after a process name are carried over from the graph node labels as-is):

2 random.exe
  10 namez.exe (45)
    21 235T1TS.exe
      36 svchost.exe
        57 tzutil.exe
          72 powershell.exe
            83 conhost.exe
          75 powershell.exe
            85 conhost.exe
        62 w32tm.exe
      41 cmd.exe
        64 powershell.exe
        66 conhost.exe
    24 07jGt0K.exe
      43 000003640029.exe
        68 000003640029.exe
          77 AddInProcess.exe
            87 conhost.exe
          79 AddInProcess.exe
          81 AddInProcess.exe
      53 2 other processes
        70 conhost.exe
    27 410edf1c08.exe
      45 MSBuild.exe
      47 MSBuild.exe
    33 7 other processes
      51 MSBuild.exe
      55 8 other processes
  15 random.exe (1)
    29 QR71D4QN0MXHOD2242N1ONMXX.exe (4)
      49 namez.exe
  17 futors.exe
  19 powershell.exe
    31 conhost.exe

Per-node details (network contacts, dropped files and signatures attached to each node; nodes with no attached details are omitted):

2 random.exe
  Signatures: Sigma detected: Xmrig; Found malware configuration; Malicious sample detected (through community Yara rule); 25 other signatures

10 namez.exe
  Network: 185.215.113.59 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal)
  Dropped: C:\Users\user\AppData\Local\...\zdZK6Nx.exe (PE32); C:\Users\user\AppData\Local\...\08MjT3W.exe (PE32+); C:\Users\user\AppData\Local\...\amnew.exe (PE32); 18 other malicious files
  Signatures: Contains functionality to start a terminal service

15 random.exe
  Network: 185.39.17.162 (RU-TAGNET-ASRU, Russian Federation); 104.21.85.126 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\...\QR71D4QN0MXHOD2242N1ONMXX.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 7 other signatures

17 futors.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

21 235T1TS.exe
  Signatures: Antivirus detection for dropped file; Query firmware table information (likely to detect VMs); 5 other signatures

24 07jGt0K.exe
  Dropped: C:\Users\user\Documents\...\000003640029.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Drops PE files to the document folder of the user; Creates multiple autostart registry keys

27 410edf1c08.exe
  Signatures: 3 other signatures

29 QR71D4QN0MXHOD2242N1ONMXX.exe
  Dropped: C:\Users\user\AppData\Local\...\namez.exe (PE32)
  Signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes

33 7 other processes
  Network: 104.21.80.1 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\...\futors.exe (PE32)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures

36 svchost.exe
  Network: 82.29.67.160 (NTLGB, United Kingdom); 104.26.9.202 (CLOUDFLARENETUS, United States); 107.174.192.179 (AS-COLOCROSSINGUS, United States)
  Dropped: C:\Users\user\AppData\Local\...\w32tm.exe (PE32+); C:\ProgramData\...\tzutil.exe (PE32+)
  Signatures: Benign windows process drops PE files; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys

41 cmd.exe
  Signatures: Adds a directory exclusion to Windows Defender

43 000003640029.exe
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures

45 MSBuild.exe
  Network: 149.154.167.99 (TELEGRAMRU, United Kingdom); 104.21.112.1 (CLOUDFLARENETUS, United States)
  Signatures: Query firmware table information (likely to detect VMs)

47 MSBuild.exe
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

49 namez.exe
  Signatures: Contains functionality to start a terminal service

51 MSBuild.exe
  Signatures: 3 other signatures

53 2 other processes
  Signatures: Loading BitLocker PowerShell Module

55 8 other processes
  Network: 104.21.42.7 (CLOUDFLARENETUS, United States)

57 tzutil.exe
  Network: 104.168.28.10 (AS-COLOCROSSINGUS, United States); 127.0.0.1 (unknown, unknown)
  Dropped: C:\Windows\Temp\426GlM_4932.sys (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver

62 w32tm.exe
  Network: 4.28.136.57 (LEVEL3US, United States)
  Signatures: Multi AV Scanner detection for dropped file; Tries to evade analysis by execution special instruction (VM detection); Found direct / indirect Syscall (likely to bypass EDR)

64 powershell.exe
  Signatures: Loading BitLocker PowerShell Module

68 000003640029.exe
  Network: 196.251.81.64 (SONIC-WirelessZA, Seychelles)
  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique; Injects a PE file into a foreign processes

72 powershell.exe
  Signatures: Loading BitLocker PowerShell Module

77 AddInProcess.exe
  Signatures: Query firmware table information (likely to detect VMs)

79 AddInProcess.exe
  Signatures: Found strings related to Crypto-Mining