MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60bdc4c80ad266ef7195a95323b6f1d130af0a2be19e7880d816285b308f2b26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: LummaStealer
Vendor detections: 15

SHA256 hash: 60bdc4c80ad266ef7195a95323b6f1d130af0a2be19e7880d816285b308f2b26
SHA3-384 hash: 0b872cb192f6e1a8d30c6892c686c6fcaab16c6d65239e095ada68edd819e0bc16d1e63447f7162f1547e399e1c5caf4
SHA1 hash: a592d292b26b837ee334445a914f30f6e77f0848
MD5 hash: 2c13b01ae0c5fb1f94470af5b5e1685e
humanhash: magnesium-papa-echo-avocado
File name: random.exe
Signature: LummaStealer
File size: 1'928'704 bytes
First seen: 2025-04-18 19:18:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:qC+tMx97N2sglRQHjzi3ew9n7wRx8ox8McK3TH1DRSouZ4WkAvSOvdyLanoNk0AN:q3M9xUM3ilp7wZUaH1DuuZVNXgyv
TLSH: T1829533907743E923EBE6867623635210AF39EB65C0E0D6FF2C44D0B7A913E8A572C44D
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: aachum
Tags: exe LummaStealer


Reporter comment (iamaachum): http://185.39.17.162/luma/random.exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 404
Origin country: ES
Vendor Threat Intelligence

Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-18 18:20:07 UTC
Tags: lumma stealer themida amadey loader botnet telegram miner xmrig winring0x64-sys vuln-driver arch-exec auto-reg phishing auto generic pastebin credentialflusher rdp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: autorun shell sage blic
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt entropy packed packed packer_detected rat virtual xpack
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: phis.troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables the Smart Screen filter
Disables Windows Defender Tamper protection
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID 1668716, sample random.exe, start date 18/04/2025, architecture WINDOWS, score 100): the rendered process graph is not reproduced here.
Threat name: Win32.Trojan.Symmi
Status: Malicious
First seen: 2025-04-18 19:19:25 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 60bdc4c80ad266ef7195a95323b6f1d130af0a2be19e7880d816285b308f2b26
MD5 hash: 2c13b01ae0c5fb1f94470af5b5e1685e
SHA1 hash: a592d292b26b837ee334445a914f30f6e77f0848
SHA256 hash: 23c9be14819c4e6f3dd21ccb6210ac772e54a0cd9d7a8075cfc795e47d6df6e0
MD5 hash: 08032c443bb65cd2bb344054495aa1a8
SHA1 hash: 52c2e650551aa8b998fc7102c759b46e21120890
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

This sample: LummaStealer, Executable exe, SHA256 60bdc4c80ad266ef7195a95323b6f1d130af0a2be19e7880d816285b308f2b26
Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical

Comments