Threat name: NetSupport RAT, Amadey, CryptOne, LummaC
Alert
Classification: troj.spyw.evad (trojan / spyware / evasive)
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell drops NetSupport RAT client
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected SmokeLoader
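Three of the Sigma rules listed above (New RUN Key Pointing to Suspicious Folder, Rare Remote Thread Creation By Uncommon Source Image, Suspicious Script Execution From Temp Folder) describe behaviour that can be checked against endpoint telemetry directly. The block below is an added example, not part of the sandbox report or the public Sigma rules: it re-implements the gist of those three detections over constructed Sysmon-style events modelled on the process names in this report. The folder, script-host and allowlisted-injector lists, the registry paths, SIDs and file names in the sample events are this example's own approximations and should be tuned to your estate.

```python
"""Added example: three of the Sigma detections that fired on this sample,
re-implemented over constructed Sysmon-style events.

EventID 13 = RegistryEvent (value set), 8 = CreateRemoteThread,
1 = ProcessCreate, as Sysmon names them. The folder, script-host and
allowlisted-injector lists below are this example's approximation of the
public Sigma rules, not a copy of them, and should be tuned per estate.
"""

RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
# User-writable locations that a legitimate Run value should almost never point into.
SUSPICIOUS_FOLDERS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "\\windows\\temp\\", "\\programdata\\", "%temp%", "%tmp%", "%appdata%",
)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")
# Images that create threads in other processes as part of normal Windows operation.
EXPECTED_INJECTORS = {
    "c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\services.exe", "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\lsass.exe", "c:\\windows\\system32\\winlogon.exe",
}


def _contains_any(value, needles):
    value = (value or "").lower()
    return any(n in value for n in needles)


def run_key_to_suspicious_folder(ev):
    """Sigma 'New RUN Key Pointing to Suspicious Folder': a Run/RunOnce value set
    whose data points into a user-writable or temp directory."""
    return (ev.get("EventID") == 13
            and _contains_any(ev.get("TargetObject"), RUN_KEYS)
            and _contains_any(ev.get("Details"), SUSPICIOUS_FOLDERS))


def uncommon_remote_thread(ev):
    """Sigma 'Rare Remote Thread Creation By Uncommon Source Image': CreateRemoteThread
    where the source is not one of the system images expected to do this."""
    return (ev.get("EventID") == 8
            and (ev.get("SourceImage") or "").lower() not in EXPECTED_INJECTORS)


def script_from_temp(ev):
    """Sigma 'Suspicious Script Execution From Temp Folder': a script host launched
    with a command line referencing a temp location."""
    return (ev.get("EventID") == 1
            and (ev.get("Image") or "").lower().endswith(SCRIPT_HOSTS)
            and _contains_any(ev.get("CommandLine"), TEMP_MARKERS))


RULES = {
    "New RUN Key Pointing to Suspicious Folder": run_key_to_suspicious_folder,
    "Rare Remote Thread Creation By Uncommon Source Image": uncommon_remote_thread,
    "Suspicious Script Execution From Temp Folder": script_from_temp,
}


def evaluate(events):
    """Return (event_index, rule_name) for every event/rule pair that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events modelled on the process names in the report; the paths,
# SIDs and value names are invented for the example, not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\rapes.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\ciswihg"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "Details": "C:\\Program Files\\Vendor\\tray.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -f C:\\Users\\user\\AppData\\Local\\Temp\\setup.ps1"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\ProgramData\\Corp\\inventory.ps1"},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The remote-thread check is deliberately allowlist-based: anything not on the short list of Windows images that normally call CreateRemoteThread is flagged, which is what makes MSBuild.exe writing into explorer.exe (the injection chain in this report) stand out. Expect EDR agents, debuggers and some installers to appear in that output until they are added to the allowlist.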
Behavior Graph
ID: 1662415
Sample: random.exe
Startdate: 10/04/2025
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 19 other signatures.

Process tree (reconstructed from the behavior graph; "started" marks a child process, "injected" marks a code-injection target; file paths are shown exactly as truncated in the report):

random.exe (submitted sample)
  started rapes.exe
    network: 176.113.115.6 (SELECTELRU, Russian Federation); 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 2 other IPs or domains
    dropped: C:\Users\user\AppData\...\9c7de57a75.exe (PE32); C:\Users\user\AppData\Local\...\UZPt0hR.exe (PE32); C:\Users\user\AppData\Local\...\qhjMWht.exe (PE32); 27 other malicious files
    signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
    started WEpL8FD.exe
      signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes
      started MSBuild.exe
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 4 other signatures
        injected explorer.exe
          network: 190.92.174.36 (DesarrollosDigitalesdePulsarConsultingAR, Argentina)
          dropped: C:\Users\user\AppData\Roaming\ciswihg (PE32)
          signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); 2 other signatures
          started AdBlock.exe
            signatures: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
          started explorer.exe
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
      started MSBuild.exe
        signatures: Switches to a custom stack to bypass stack traces
    started powershell.exe
      dropped: C:\Users\user\AppData\...\remcmdstub.exe (PE32); C:\Users\user\AppData\Roaming\...\pcicapi.DLL (PE32); C:\Users\user\AppData\...\msvcr100.dll (PE32); 7 other malicious files (NetSupport Manager client components, matching the Sigma rule "Powershell drops NetSupport RAT client")
      signatures: Creates multiple autostart registry keys; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
      started AdBlock.exe
        network: 178.32.90.245 (OVHFR, France); 172.67.68.212 (CLOUDFLARENETUS, United States)
        signatures: 3 other signatures
      started conhost.exe
    started oqjbSNf.exe
      signatures: Injects a PE file into a foreign process
      started MSBuild.exe
        network: 104.21.85.96 (CLOUDFLARENETUS, United States)
        signatures: Tries to harvest and steal ftp login credentials; 2 other signatures
    started 2 other processes
      dropped: C:\Users\user\AppData\Local\...\futors.exe (PE32)
      signatures: Antivirus detection for dropped file
      started futors.exe
  started random.exe
    dropped: C:\Users\user\AppData\Local\...\d9g42.exe (PE32); C:\Users\user\AppData\Local\...\3n53T.exe (PE32+)
    started d9g42.exe
      dropped: C:\Users\user\AppData\Local\...\2Q7356.exe (PE32); C:\Users\user\AppData\Local\...\1S39z3.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file
      started 1S39z3.exe
        dropped: C:\Users\user\AppData\Local\...\rapes.exe (PE32)
        signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect virtualization through RDTSC time measurements
        started rapes.exe
          signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
      started 2Q7356.exe
        network: 172.67.205.184 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\...\Y606LYDA0NG3YN5CDKGUK7SDS.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to evade debugger and weak emulator (self modifying code)
        started Y606LYDA0NG3YN5CDKGUK7SDS.exe
          signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
        started WerFault.exe
          network: 20.189.173.21 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States). WerFault.exe is the Windows Error Reporting process, so this contact is most likely crash telemetry following a crash in 2Q7356.exe rather than command-and-control traffic.
  started futors.exe
    network: 185.215.113.209 (WHOLESALECONNECTIONSNL, Portugal)
    dropped: C:\Users\user\AppData\...\dc5294214c.exe (PE32); C:\Users\user\AppData\...\a979193115.exe (PE32); 2 other malicious files
    signatures: Creates multiple autostart registry keys
    started a979193115.exe
      dropped: C:\Users\user\AppData\...\svchost015.exe (PE32)
      signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
  started 6 other processes
    signatures: Query firmware table information (likely to detect VMs); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
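The flattened graph makes it hard to see which chain of processes stands behind each network destination, and in particular that the credential theft and the Argentinian C2 contact happen inside explorer.exe only after an injection hop from MSBuild.exe. The block below is an added example, not part of the sandbox report: it encodes the report's own node numbers, process names, edge labels and contacted IPs, walks parent pointers back to the submitted sample for every process that reached the network, and flags rows an analyst would prioritise. The SYSTEM_IMAGES set used for flagging is this example's own assumption; processes the report collapses into "N other processes" are kept as placeholder nodes.

```python
"""Added example: lineage reconstruction over the behavior graph above.

Node numbers, process names, edge labels ("started"/"injected") and contacted
IPs are those shown in the report; the SYSTEM_IMAGES set used for flagging is
this example's own assumption. Processes the report collapses into
"N other processes" are kept as placeholder nodes."""

NODES = {
    2: "random.exe", 9: "rapes.exe", 14: "random.exe", 16: "futors.exe",
    18: "6 other processes", 20: "WEpL8FD.exe", 23: "powershell.exe",
    26: "oqjbSNf.exe", 28: "d9g42.exe", 30: "a979193115.exe",
    32: "2 other processes", 34: "MSBuild.exe", 37: "MSBuild.exe",
    39: "AdBlock.exe", 42: "conhost.exe", 44: "MSBuild.exe", 46: "1S39z3.exe",
    49: "2Q7356.exe", 51: "futors.exe", 53: "explorer.exe", 58: "rapes.exe",
    60: "Y606LYDA0NG3YN5CDKGUK7SDS.exe", 62: "WerFault.exe",
    64: "AdBlock.exe", 67: "explorer.exe",
}

# (parent, child, relation) as drawn in the graph.
EDGES = [
    (2, 9, "started"), (2, 14, "started"), (2, 16, "started"), (2, 18, "started"),
    (9, 20, "started"), (9, 23, "started"), (9, 26, "started"), (9, 32, "started"),
    (14, 28, "started"), (16, 30, "started"),
    (20, 34, "started"), (20, 37, "started"),
    (23, 39, "started"), (23, 42, "started"),
    (26, 44, "started"), (28, 46, "started"), (28, 49, "started"),
    (32, 51, "started"), (46, 58, "started"),
    (49, 60, "started"), (49, 62, "started"),
    (34, 53, "injected"), (53, 64, "started"), (53, 67, "started"),
]

# Destinations the report attributes to each process (its dnsIp nodes).
NETWORK = {
    9: ["176.113.115.6", "185.215.113.16"],
    16: ["185.215.113.209"],
    39: ["178.32.90.245", "172.67.68.212"],
    44: ["104.21.85.96"],
    49: ["172.67.205.184"],
    53: ["190.92.174.36"],
    62: ["20.189.173.21"],
}

# Image names that normally belong to Windows or its tooling (assumption).
SYSTEM_IMAGES = {"explorer.exe", "msbuild.exe", "werfault.exe", "conhost.exe", "powershell.exe"}

PARENTS = {child: (parent, rel) for parent, child, rel in EDGES}


def lineage(node):
    """Walk parent pointers up to the submitted sample.

    Returns [(relation_from_parent, name), ...] from root to `node`; the root's
    relation is None."""
    chain = []
    while True:
        parent, rel = PARENTS.get(node, (None, None))
        chain.append((rel, NODES[node]))
        if parent is None:
            break
        node = parent
    chain.reverse()
    return chain


def format_lineage(chain):
    text = chain[0][1]
    for rel, name in chain[1:]:
        text += f" -{rel}-> {name}"
    return text


def network_report():
    """One row per process that contacted the network, with its full lineage
    and the reasons an analyst would prioritise it."""
    rows = []
    for node, ips in sorted(NETWORK.items()):
        chain = lineage(node)
        name = NODES[node]
        flags = []
        if name.lower() in SYSTEM_IMAGES:
            flags.append("system image making network connections")
        if any(rel == "injected" for rel, _ in chain):
            flags.append("lineage contains an injection hop")
        rows.append({"node": node, "process": name, "ips": ips,
                     "lineage": format_lineage(chain), "flags": flags})
    return rows


if __name__ == "__main__":
    for row in network_report():
        print(f"{row['process']:<14} {', '.join(row['ips'])}")
        print(f"  {row['lineage']}")
        for flag in row["flags"]:
            print(f"  ! {flag}")
```

The flags are prioritisation hints, not verdicts: WerFault.exe is flagged as a system image reaching the network, but its destination is a Microsoft ASN and the process was started right after 2Q7356.exe, which points to crash reporting rather than C2. The explorer.exe row, by contrast, combines a system image, a non-Microsoft destination and an injection hop in its lineage, and the same lineage leads to the credential-theft signatures on the second explorer.exe instance.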