MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a
SHA3-384 hash: fe6b7059bc845044b1dfc04e0cb97fb05226c20a661e3c5fc8893dbc92b43b8fcee8cee7c07f7063c78f2a4bbfd8d319
SHA1 hash: 362cae510cc88d97001f4ac32cfdc068d251c230
MD5 hash: 7bb1ab2402f6558c7271646db8ac249e
humanhash: pasta-speaker-tango-equal
File name:koplopryidkadt.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'309'696 bytes
First seen:2025-03-19 19:33:50 UTC
Last seen:2025-03-21 20:29:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 71cc5af9daad65e58c6f29c42cdf9201 (140 x LummaStealer)
ssdeep 24576:6I3NDiDNB84uMBxgPLpl4qT159y0KCoHQrNpb38/f61j7le9fTzcL:ZdDi5RB8aqT155ZowrNxiW74f
Threatray 69 similar samples on MalwareBazaar
TLSH T1CC553310649504ABC2D56738049EB3C1683E066A437A71FACC67084E1DF9FAEF67D6CE
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://github.com/deripascod/romawer/raw/refs/heads/main/koplopryidkadt.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
408
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
koplopryidkadt.exe
Verdict:
Malicious activity
Analysis date:
2025-03-19 20:59:52 UTC
Tags:
lumma stealer antivm enigma delphi
Link:
https://app.any.run/tasks/b9f5c9f0-53bc-4962-844a-6b9b0bf9982a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67db1c33115e7b48b48ed2bf
Tags:
enigmaprotector phishing delphi
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67db1c351dd35ee4a0e87a18/reports/bf6a96f0-e5f4-45b6-95a2-4b728cd30667/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97fc108e-bd65-446b-abd9-7074a96e0ee6
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643465
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 12:18:04 UTC
File Type:
PE (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngxwcg7kiv74dq3sx4ztwlnglsnawxpifcx6phmrqrmom6tqvnfa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3520d8fc19fd27c13cef6414b4cf5004a5daa1598a455f10b51688ca4e4be0d9
LummaStealer
3639e8caa3b92f6ead9b7622a48bace79e158811c9819811ce919cfcf50f3429
LummaStealer
40be170151f76d5b4f17094abb9817d5b8686a33fad6e92a4974904450d544c9
LummaStealer
47268fe68e22b14bfccf2d53d8ec55d72100774430f1504f49b088f04d93b2e5
LummaStealer
4c13ebe1361e08fad18d8bb5ee8377d0518ce03a2592b5784e023703d2e3ba9c
LummaStealer
9a2163b925e9ba9aa6e17b0e6c813c36f0dbc3f2b8c6e74d1005553aca99e22c
LummaStealer
a4ef2b2fb82a9cd793ad679208b1d5c3f174ec798674972372ee894c3f403259
LummaStealer
eda503252b71d8e453b1c18f9f81fac90ad8af7a4c285a4899c8301df39081b5
LummaStealer
error
LummaStealer
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250319-x95xkavkz4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c2ccaeb3-f5aa-4e54-b0b2-408d3abc9f54
Unpacked files
SH256 hash:
69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a
MD5 hash:
7bb1ab2402f6558c7271646db8ac249e
SHA1 hash:
362cae510cc88d97001f4ac32cfdc068d251c230
Link:
https://www.unpac.me/results/27114e0c-2661-48f1-ad1e-e007e13d3012/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:EnigmaProtector11X13XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a

(this sample)

  
Link
https://tria.ge/250319-xzc4ssz1gz/behavioral13
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments