MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ddd2c06abc94aef41bbc697dd5bb4ca88bd013499067f082abc4a1c975f0796. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 17



SHA256 hash: 5ddd2c06abc94aef41bbc697dd5bb4ca88bd013499067f082abc4a1c975f0796
SHA3-384 hash: 987bbd50316f7fc8771147c82cb689fe39ed12a03f1b99b38061edabb4ac6b2c7f0a578bc218c5484cdc5c68cd9412b4
SHA1 hash: ce1e56cc413edc65b0e44f95afa2e86e2cfec20a
MD5 hash: dcf95c94c1f8bf06dc0e56d32075ec4b
humanhash: july-georgia-uranus-network
File name: dcf95c94c1f8bf06dc0e56d32075ec4b.exe
Signature: LummaStealer
File size: 1'859'584 bytes
First seen: 2025-02-01 15:53:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:Bpnh2b6UQplpby0XsrWOP+Vr0ifsP0tS8iThje4m:Bpnh2b6VN7XsrWzVr0glCRm
TLSH: T12F8533698F252974D9489BF367EB41D86530AA0406F3F4B889F4E755CF7F29208EE212
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 474
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: dcf95c94c1f8bf06dc0e56d32075ec4b.exe
Verdict: Malicious activity
Analysis date: 2025-02-01 16:23:18 UTC
Tags: stealer lumma loader themida stealc amadey botnet telegram auto generic gcleaner autoit evasion remote xworm rat asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Behavior that indicates a threat
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious
Result
Threat name: LummaC, Amadey, AsyncRAT, KeyLogger, Lum
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses Register-ScheduledTask to add task schedules
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1604553
Sample: SQ1NgqeTQy.exe
Start date: 01/02/2025
Architecture: WINDOWS
Score: 100
Network (sample level): UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC; DGGKjBirXBdcY.DGGKjBirXBdcY; 59 other IPs or domains
Signatures (sample level): Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 35 other signatures

Process tree (child processes indented under their parent; network contacts, dropped files and signatures listed per process as shown in the graph):

- skotes.exe
    network: 185.215.113.43 (49920, 49935, 49966) WHOLESALECONNECTIONSNL Portugal; 185.215.113.97 (49941, 49972, 49992) WHOLESALECONNECTIONSNL Portugal
    dropped: C:\Users\user\AppData\...\52d42007e3.exe (PE32); C:\Users\user\AppData\...\94cd0458cc.exe (PE32); C:\Users\user\AppData\...\21a4f8ff7d.exe (PE32); 7 other malicious files
    signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  - 21a4f8ff7d.exe
      dropped: C:\Users\user\AppData\...\21a4f8ff7d.tmp (PE32)
      signatures: Multi AV Scanner detection for dropped file
    - 21a4f8ff7d.tmp
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
      - 21a4f8ff7d.exe
          dropped: C:\Users\user\AppData\...\21a4f8ff7d.tmp (PE32)
        - 21a4f8ff7d.tmp
            dropped: C:\Users\user\...\uxtheme_2.drv (copy) (PE32+); C:\Users\user\AppData\Roaming\is-KKQ75.tmp (PE32+); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 4 other files (3 malicious)
          - regsvr32.exe
            - regsvr32.exe
                network: 91.212.166.99 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom; ip-api.com 208.95.112.1 TUT-ASUS United States
                dropped: C:\Users\user\AppData\Local\dllhost.exe (PE32+)
                signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; 4 other signatures
              - powershell.exe
                  signatures: Loading BitLocker PowerShell Module
                - conhost.exe
              - powershell.exe
                - conhost.exe
  - f35b37b5a5.exe
      network: steamcommunity.com 23.197.127.21 (443, 49993) AKAMAI-ASN1EU United States
      signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; LummaC encrypted strings found
  - 94cd0458cc.exe
    - cmd.exe
        dropped: C:\Users\user\AppData\...\Macromedia.com (PE32)
      - Macromedia.com
          dropped: C:\Users\user\AppData\...\AchillesGuard.com (PE32); C:\Users\user\AppData\...\AchillesGuard.js (ASCII)
          signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Injects a PE file into a foreign processes
        - MSBuild.exe
            network: 159.100.19.137 DE-FIRSTCOLOwwwfirst-colonetDE Germany
        - schtasks.exe
          - conhost.exe
      - conhost.exe
      - tasklist.exe
      - 9 other processes
  - ca3f738a4c.exe
    - cmd.exe
        dropped: C:\Users\user\AppData\Local\...\Avoiding.com (PE32)
        signatures: Drops PE files with a suspicious file extension
      - Avoiding.com
          network: t.me 149.154.167.99 TELEGRAMRU United Kingdom; getyour.cyou 116.202.5.153 HETZNER-ASDE Germany
          dropped: C:\ProgramData\5xtr1\jw4wb1 (PE32+)
          signatures: Attempt to bypass Chrome Application-Bound Encryption; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        - chrome.exe
            network: 239.255.255.250 unknown Reserved
          - chrome.exe
              network: www.google.com 142.250.186.132 GOOGLEUS United States; plus.l.google.com 216.58.206.46 GOOGLEUS United States; 2 other IPs or domains
      - conhost.exe
      - tasklist.exe
      - 9 other processes
- SQ1NgqeTQy.exe
    network: 185.215.113.16 (49712, 80) WHOLESALECONNECTIONSNL Portugal; warlikedbeliev.org 104.21.18.116 (443, 49704, 49705) CLOUDFLARENETUS United States
    dropped: C:\...\VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe (PE32); C:\Users\user\...\78K21CNZITPIMAK88B8Q.exe (PE32)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 5 other signatures
  - 78K21CNZITPIMAK88B8Q.exe
      dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
      signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
    - skotes.exe
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
  - VPW6HTTOAIDQ14BWA2DY59XSMKZYI.exe
      network: 185.215.113.115 (49728, 80) WHOLESALECONNECTIONSNL Portugal
      signatures: Tries to detect virtualization through RDTSC time measurements; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
- skotes.exe
- 3 other processes
    network: 127.0.0.1 unknown unknown
    signatures: Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Windows Scripting host queries suspicious COM object (likely to drop second stage)
  - powershell.exe
    - conhost.exe
  - AchillesGuard.com
Threat name: Win32.Trojan.LummaC
Status: Malicious
First seen: 2025-02-01 11:59:19 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction: https://toppyneedus.biz/api
Verdict: Malicious
Tags: lumma c2 win32_amadey stealc stealer lumma_stealer
YARA: n/a
Unpacked files
SHA256 hash: 5ddd2c06abc94aef41bbc697dd5bb4ca88bd013499067f082abc4a1c975f0796
MD5 hash: dcf95c94c1f8bf06dc0e56d32075ec4b
SHA1 hash: ce1e56cc413edc65b0e44f95afa2e86e2cfec20a
SHA256 hash: 95d4d29a39c30b9778e671207c5107386383526689c922ceb31987761ad52fd2
MD5 hash: 61ce30130c3f0b2f5ff126679eea7a5f
SHA1 hash: d9dc4883da278711f6387f7a5a6ecb0cfd3e7309
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: win_lumma_2eabe9054cad5152567f0699947a2c5b
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download: LummaStealer, Executable exe 5ddd2c06abc94aef41bbc697dd5bb4ca88bd013499067f082abc4a1c975f0796 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                  critical

Comments