Threat name:
ACR Stealer, Amadey, AsyncRAT, HTMLPhish, LummaC Stealer, Quasar
Alert
Classification:
rans.phis.troj.spyw.expl.evad.mine
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Contains functionality to start a terminal service
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file registry)
Uses known network protocols on non-standard ports
Uses threadpools to delay analysis
Writes a notice file (html or txt) to demand a ransom
Writes to foreign memory regions
Yara detected ACR Stealer
Yara detected Amadeys Clipper DLL
Yara detected BlockedWebSite
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Yara detected LummaC Stealer
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behavior Graph
ID: 1704541
Sample: mj2fW1OcAG.exe
Startdate: 03/06/2025
Architecture: WINDOWS
Score: 100

Process tree (nodes and edges of the behavior graph; for each process the network contacts, dropped files, triggered signatures and started child processes are listed):

mj2fW1OcAG.exe (submitted sample)
  Network: pastebin.com (Connects to a pastebin service (likely for C&C)); tinklertjp.bet; 21 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 26 other signatures
  Started: mj2fW1OcAG.exe; b3a09269f9.exe; ramez.exe; elevation_service.exe

  mj2fW1OcAG.exe
    Network: 185.156.72.2 (ports 49710, 49714, 49717; ITDELUXE-ASRU, Russian Federation); witchdbhy.run 195.82.147.188 (ports 443, 49692, 49693; DREAMTORRENT-CORP-ASRU, Russian Federation); 2 other IPs or domains
    Dropped: C:\Users\user\...\D4GMSXCWLFFYYOP92Y2.exe (PE32)
    Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 2 other signatures
    Started: D4GMSXCWLFFYYOP92Y2.exe

    D4GMSXCWLFFYYOP92Y2.exe
      Dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32)
      Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 5 other signatures
      Started: ramez.exe

      ramez.exe
        Network: 185.156.72.96 (ports 49712, 49713, 49715; ITDELUXE-ASRU, Russian Federation); 77.83.207.69 (DINET-ASRU, Russian Federation)
        Dropped: C:\Users\user\AppData\Local\...\08IyOOF.exe (PE32+); C:\Users\user\AppData\...\85baf55549.exe (PE32+); C:\Users\user\AppData\Local\...\7Mnq9mr.exe (PE32); 35 other malicious files
        Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
        Started: a0f2efd956.exe; b3a09269f9.exe; fipu26A.exe; 5 other processes

        a0f2efd956.exe
          Network: 104.21.47.28 (CLOUDFLARENETUS, United States)
          Dropped: C:\Users\user\hjksfvq.exe (HTML); C:\Users\user\hjksfsu.exe (HTML)
          Signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Creates HTML files with .exe extension (expired dropper behavior); 9 other signatures
          Started: chrome.exe; msedge.exe; msedge.exe; 5 other processes

          chrome.exe
            Started: WerFault.exe; WerFault.exe
          msedge.exe
            Started: 2 other processes
          msedge.exe
            Started: 2 other processes

        b3a09269f9.exe
          Dropped: C:\Users\...\1AE6VIB8V8C1K6RFST5BJ7AJK1.exe (PE32)
          Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 3 other signatures
          Started: 1AE6VIB8V8C1K6RFST5BJ7AJK1.exe

          1AE6VIB8V8C1K6RFST5BJ7AJK1.exe
            Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures

        fipu26A.exe
          Network: ip-api.com 208.95.112.1 (TUT-ASUS, United States); github.com 140.82.112.4 (GITHUBUS, United States); 3 other IPs or domains
          Dropped: C:\Users\user\AppData\Local\Temp\Zip.exe (PE32); C:\Users\user\AppData\...\Newtonsoft.Json.dll (PE32); C:\Users\user\...\recovery_summary.txt (Unicode)
          Signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Writes a notice file (html or txt) to demand a ransom; 3 other signatures
          Started: powershell.exe

          powershell.exe
            Signatures: Compiles code for process injection (via .Net compiler); Loading BitLocker PowerShell Module
            Started: conhost.exe

        5 other processes
          Dropped: C:\Users\user\AppData\Local\Temp\Vs.xltx (DOS)
          Signatures: Encrypted powershell cmdline option found; 4 other signatures
          Started: 8f2lGlV.exe; cmd.exe

          8f2lGlV.exe
            Network: 4.99.4t.com 88.198.124.110 (HETZNER-ASDE, Germany); t.me 149.154.167.99 (TELEGRAMRU, United Kingdom)
            Signatures: Encrypted powershell cmdline option found; Tries to harvest and steal browser information (history, passwords, etc)
            Started: powershell.exe; powershell.exe; 2 other processes

            powershell.exe
              Dropped: C:\Users\user\AppData\...\tsxqkbpb.cmdline (Unicode)
              Started: csc.exe; conhost.exe

              csc.exe
                Dropped: C:\Users\user\AppData\Local\...\tsxqkbpb.dll (PE32)
                Started: cvtres.exe

            powershell.exe
              Dropped: C:\Users\user\AppData\Local\...\5btv2i02.0.cs (Unicode)
              Started: conhost.exe

          cmd.exe
            Started: conhost.exe

  b3a09269f9.exe
    Dropped: C:\...\JQBKHQTACQQ7966KWIXN63GAPDKH9.exe (PE32)
    Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets; Tries to steal from password manager
    Started: chrome.exe; chrome.exe; chrome.exe

    chrome.exe
      Network: 192.168.2.5 (ports 443, 49675, 49691; unknown)
      Started: chrome.exe; chrome.exe

      chrome.exe
        Network: www.google.com 142.250.113.106 (GOOGLEUS, United States); ogads-pa.clients6.google.com 142.251.116.95 (GOOGLEUS, United States); 3 other IPs or domains
      chrome.exe

    chrome.exe
      Started: chrome.exe; chrome.exe

      chrome.exe
        Network: 142.250.115.106 (GOOGLEUS, United States)
      chrome.exe

    chrome.exe

  ramez.exe
    Signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

  elevation_service.exe