MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
SHA3-384 hash: 669e712f37e25dfc0f210e6e8cb510a7ff7563dd8210621ab338ef3b54c81723591b2605fcb6ae41a07ce2577a7e107b
SHA1 hash: e316ff6b3b8c2333e303fead5366dab17bf5bedd
MD5 hash: 9bc4c8ecb6d8b3e6b7209067f389cea7
humanhash: march-michigan-bluebird-spaghetti
File name:9bc4c8ecb6d8b3e6b7209067f389cea7.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'848'320 bytes
First seen:2025-02-13 09:32:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:s7OZQKz37BVU9Fk1JByBHmv6FOxhux49lnItLO:gXKzrBX1JEVG6Qxd4O
Threatray 81 similar samples on MalwareBazaar
TLSH T1D58533205EE2B474C57E5FF6267F8F9D27752BD28802F12D384A4A6E88461FBD2C5093
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9bc4c8ecb6d8b3e6b7209067f389cea7.exe
Verdict:
Malicious activity
Analysis date:
2025-02-13 09:34:14 UTC
Tags:
amadey botnet stealer loader auto lumma telegram gcleaner opendir redline lefthook themida vidar smoke smokeloader stealc tofsee credentialflusher generic evasion cryptbot
Link:
https://app.any.run/tasks/b6d1b11c-074d-4a2b-a54b-ad4bb70fb4cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67adbc5ea0fd713c335aaa9f
Tags:
vmdetect autorun spoof spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d458a1be-414b-468f-8c6c-b84b59c45bea
Result
Threat name:
Amadey, GCleaner, LummaC Stealer, PureLo
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1614113
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected GCleaner
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1614113 Sample: 1w5RpHuliE.exe Startdate: 13/02/2025 Architecture: WINDOWS Score: 100 97 voicesharped.com 2->97 99 mixedrecipew.biz 2->99 101 27 other IPs or domains 2->101 121 Suricata IDS alerts for network traffic 2->121 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 21 other signatures 2->127 11 skotes.exe 53 2->11         started        16 1w5RpHuliE.exe 5 2->16         started        18 skotes.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 117 185.215.113.43, 49915, 49931, 49963 WHOLESALECONNECTIONSNL Portugal 11->117 119 185.215.113.75, 49937, 49971, 49999 WHOLESALECONNECTIONSNL Portugal 11->119 81 C:\Users\user\AppData\Local\...\PqodvBZ.exe, PE32 11->81 dropped 83 C:\Users\user\AppData\Local\...\Bjkm5hE.exe, PE32 11->83 dropped 85 C:\Users\user\AppData\Local\...\ViGgA8C.exe, PE32 11->85 dropped 91 23 other malicious files 11->91 dropped 163 Hides threads from debuggers 11->163 165 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->165 167 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 11->167 22 14b550e5e3.exe 11->22         started        25 cbf2b6294a.exe 11->25         started        28 KbSwZup.exe 11->28         started        36 9 other processes 11->36 87 C:\Users\user\AppData\Local\...\skotes.exe, PE32 16->87 dropped 89 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 16->89 dropped 169 Detected unpacking (changes PE section rights) 16->169 171 Tries to evade debugger and weak emulator (self modifying code) 16->171 173 Tries to detect virtualization through RDTSC time measurements 16->173 30 skotes.exe 16->30         started        32 WerFault.exe 2 20->32         started        34 WerFault.exe 20->34         started        file6 signatures7 process8 dnsIp9 129 Detected unpacking (changes PE section rights) 22->129 131 Writes to foreign memory regions 22->131 151 4 other signatures 22->151 38 BitLockerToGo.exe 22->38         started        111 soulfulimusic.cyou 172.67.155.64 CLOUDFLARENETUS United States 25->111 133 Multi AV Scanner detection for dropped file 25->133 135 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->135 137 Query firmware table information (likely to detect VMs) 25->137 139 Tries to harvest and steal ftp login credentials 28->139 141 Tries to harvest and steal browser information (history, passwords, etc) 28->141 143 Tries to steal Crypto Currency Wallets 28->143 153 3 other signatures 30->153 113 floweringtstrip.help 172.67.183.104 CLOUDFLARENETUS United States 36->113 115 steamcommunity.com 104.73.234.102 AKAMAI-ASUS United States 36->115 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->145 147 Found many strings related to Crypto-Wallets (likely being stolen) 36->147 149 Contains functionality to inject code into remote processes 36->149 42 xkV9ZML.exe 36->42         started        45 4dfe6dfd76.exe 36->45         started        47 BitLockerToGo.exe 36->47         started        49 8 other processes 36->49 signatures10 process11 dnsIp12 103 backgroundtasks.info 93.95.97.49 MTW-ASRU Russian Federation 38->103 65 C:\Users\user\AppData\...\lt8kslFxQ.exe, PE32 38->65 dropped 67 C:\Users\user\AppData\...\rnHV2EM9rK6P.exe, PE32 38->67 dropped 69 C:\Users\user\AppData\Local\...\Y-Cleaner.exe, PE32 38->69 dropped 71 4 other malicious files 38->71 dropped 51 rnHV2EM9rK6P.exe 38->51         started        54 lt8kslFxQ.exe 38->54         started        105 paleboreei.biz 188.114.96.3, 443, 49954, 49959 CLOUDFLARENETUS European Union 42->105 157 Query firmware table information (likely to detect VMs) 42->157 159 Found many strings related to Crypto-Wallets (likely being stolen) 42->159 161 Tries to steal Crypto Currency Wallets 42->161 107 104.102.49.254 AKAMAI-ASUS United States 47->107 109 185.156.73.73 RELDAS-NETRU Russian Federation 49->109 file13 signatures14 process15 file16 63 C:\Users\user\AppData\...\rnHV2EM9rK6P.tmp, PE32 51->63 dropped 57 rnHV2EM9rK6P.tmp 51->57         started        155 Multi AV Scanner detection for dropped file 54->155 signatures17 process18 file19 73 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 57->73 dropped 75 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 57->75 dropped 77 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 57->77 dropped 79 21 other files (1 malicious) 57->79 dropped 60 filebasedassist.exe 57->60         started        process20 file21 93 C:\ProgramData\...\sqlite3.dll, PE32 60->93 dropped 95 C:\ProgramData\...\FileBasedAssistant.exe, PE32 60->95 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-02-12 20:46:38 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=llzdvbynhtawmy5pcouicwrkb7de3xrrdcr2kyzt4moq7nfapz4a._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
014857e05f8c8abace4ccf74a6e613a755a651d724c510dc5959bea75295f53b
LummaStealer
259b76b23a393bbe38478a12f7df76eb71b676a0a0b6c1bb8f3085c5f4e6b461
LummaStealer
447fa6e76e1f5060cf82af86a9f8f4a7916d77a25ae28214f9469c3f66c6ba66
LummaStealer
5d70475bd1a769142acba551507ee56de727c93a5ff508f6d6b21d40f43c2fe4
LummaStealer
86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e
LummaStealer
9f0abf47cad061be840a75ca8ac707125c81244dace6f47b05f3311b3d8e5431
LummaStealer
ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6
LummaStealer
bba49d9c5a233f7916671750711049be4108a7ffae09e955bc9e90c03d2c4ab1
LummaStealer
ee170a14d676b69cab768f8a94e482ee9ad6dc1766038d6e26c24fe2cfbd7677
LummaStealer
error
LummaStealer
+ 71 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:9c9aa5 defense_evasion discovery spyware stealer trojan
Link:
https://tria.ge/reports/250213-ljasyswlcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
.NET Reactor proctector
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://185.215.113.43
https://paleboreei.biz/api
Verdict:
Malicious
Tags:
stealer c2 lumma lumma_stealer win32_amadey
YARA:
n/a
Link:
https://app.threat.zone/submission/6e839b1f-2f44-4614-9e18-485087c7d533
Unpacked files
SH256 hash:
5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
MD5 hash:
9bc4c8ecb6d8b3e6b7209067f389cea7
SHA1 hash:
e316ff6b3b8c2333e303fead5366dab17bf5bedd
Link:
https://www.unpac.me/results/730cf3f5-d31a-4a7c-8172-f1202ac92f2d/
SH256 hash:
9a0510cbd1a41fcca2395f4e23db1fb9c0581ec17fd610ede2b93ae88326b3bc
MD5 hash:
769f1fa0136873a4d5b861678fba87c0
SHA1 hash:
55500c4daf73f6f89a7c3090b7f1ed9434426a22
Detections:
Amadey
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/730cf3f5-d31a-4a7c-8172-f1202ac92f2d/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5af23a870d3c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Amadey
Create hunting rule
Author:kevoreilly
Description:Amadey Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_1f2e969c
Create hunting rule
Author:Elastic Security
Rule name:win_amadey_a9f4
Create hunting rule
Author:Johannes Bader
Description:matches unpacked Amadey samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments