MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd
SHA3-384 hash: 4411f80d6af70b1fd4859b70c59955a80b9a3aa415f0e4a21bbfe4ec6d312c711233630c9a113baf427091edbf7473b3
SHA1 hash: d41c795c4f348ee4f28e9a9b98b6490b735984c8
MD5 hash: b830ca4b5d9d2e67a0f3d6f8e5db8dd3
humanhash: mockingbird-mars-mirror-carbon
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'925'632 bytes
First seen:2025-04-17 06:18:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:borOIPgJ4WdnazXIgfgz2mE9vy95IiDAqibJY3/gf:baOIYJpaz4gIz2m025MqCJY3U
TLSH T12F953319BA793CF7E14BE33BB6579BE14899363049BCC69C3712713E6A0764E63408E1
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
438
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
1dbbf81d6f4b2222b37594e8ff30672bf85fd360f347cbd20b1a5d7b841dd276.exe
Verdict:
Malicious activity
Analysis date:
2025-04-16 01:48:10 UTC
Tags:
amadey botnet stealer loader netsupport remote rmm-tool auto rat telegram lumma pastebin limerat trojan gcleaner generic
Link:
https://app.any.run/tasks/0a8f0cbc-c0e8-4861-8614-ea7347ced4e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2651/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800a105280f5f89a0d034a1
Tags:
vmdetect autorun emotet spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm crypt packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/68009d68e9c1e257979ba6a9/reports/d07fda4c-9417-4a1e-b8bb-11f2ec66956b/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ca14cb03-3c10-4859-ae2b-1872c98915a9
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667173
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables the Smart Screen filter
Disables Windows Defender Tamper protection
Found malware configuration
Hides threads from debuggers
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667173 Sample: random.exe Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 130 pastebin.com 2->130 132 revitmodh.run 2->132 134 49 other IPs or domains 2->134 164 Suricata IDS alerts for network traffic 2->164 166 Found malware configuration 2->166 168 Antivirus detection for URL or domain 2->168 172 11 other signatures 2->172 10 namez.exe 7 29 2->10         started        15 random.exe 1 2->15         started        17 e35c8813bb.exe 2->17         started        19 11 other processes 2->19 signatures3 170 Connects to a pastebin service (likely for C&C) 130->170 process4 dnsIp5 150 185.215.113.59, 49702, 49703, 80 WHOLESALECONNECTIONSNL Portugal 10->150 152 www.facebook.com 10->152 154 star-mini.c10r.facebook.com 10->154 110 C:\Users\user\AppData\...\10f840a014.exe, PE32 10->110 dropped 112 C:\Users\user\AppData\...\70432468ba.exe, PE32 10->112 dropped 126 6 other malicious files 10->126 dropped 204 Contains functionality to start a terminal service 10->204 206 Creates multiple autostart registry keys 10->206 21 9a3a49cf85.exe 2 10->21         started        25 e35c8813bb.exe 1 10->25         started        27 70432468ba.exe 10->27         started        40 2 other processes 10->40 156 185.39.17.162, 49699, 49704, 80 RU-TAGNET-ASRU Russian Federation 15->156 158 clarmodq.top 172.67.205.184, 443, 49689, 49693 CLOUDFLARENETUS United States 15->158 114 C:\Users\user\...\7OFLQD4A110RG65YP9UJS.exe, PE32 15->114 dropped 208 Detected unpacking (changes PE section rights) 15->208 210 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->210 212 Query firmware table information (likely to detect VMs) 15->212 226 2 other signatures 15->226 29 7OFLQD4A110RG65YP9UJS.exe 4 15->29         started        160 127.0.0.1 unknown unknown 17->160 116 C:\Users\user\...\W9M3HT39M8357V4GDD14.exe, PE32 17->116 dropped 214 Tries to harvest and steal browser information (history, passwords, etc) 17->214 216 Tries to steal Crypto Currency Wallets 17->216 218 Hides threads from debuggers 17->218 31 chrome.exe 17->31         started        34 chrome.exe 17->34         started        118 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 19->118 dropped 120 C:\Users\user\AppData\Local\...\cecho.exe, PE32 19->120 dropped 122 C:\Users\user\AppData\Local\...122SudoLG.exe, PE32+ 19->122 dropped 124 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32 19->124 dropped 220 Changes security center settings (notifications, updates, antivirus, firewall) 19->220 222 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->222 224 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->224 36 MpCmdRun.exe 19->36         started        38 firefox.exe 19->38         started        file6 signatures7 process8 dnsIp9 96 C:\Users\user\AppData\...\9a3a49cf85.tmp, PE32 21->96 dropped 182 Multi AV Scanner detection for dropped file 21->182 42 9a3a49cf85.tmp 24 11 21->42         started        98 C:\Users\...\D6GOM4K2IPGQHBWOZ7L0G1KB.exe, PE32 25->98 dropped 184 Detected unpacking (changes PE section rights) 25->184 186 Attempt to bypass Chrome Application-Bound Encryption 25->186 188 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->188 200 7 other signatures 25->200 45 D6GOM4K2IPGQHBWOZ7L0G1KB.exe 25->45         started        190 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->190 192 Modifies windows update settings 27->192 194 Disables Windows Defender Tamper protection 27->194 202 2 other signatures 27->202 100 C:\Users\user\AppData\Local\...\namez.exe, PE32 29->100 dropped 196 Contains functionality to start a terminal service 29->196 198 Contains functionality to inject code into remote processes 29->198 48 namez.exe 29->48         started        162 192.168.2.5, 443, 49675, 49689 unknown unknown 31->162 50 chrome.exe 31->50         started        53 chrome.exe 34->53         started        55 conhost.exe 36->55         started        57 firefox.exe 38->57         started        59 taskkill.exe 40->59         started        61 5 other processes 40->61 file10 signatures11 process12 dnsIp13 102 C:\Users\user\AppData\...\unins000.exe (copy), PE32 42->102 dropped 104 C:\Users\user\AppData\...\is-RVIF8.tmp, PE32 42->104 dropped 106 C:\Users\user\AppData\...\is-INI99.tmp, PE32+ 42->106 dropped 108 6 other malicious files 42->108 dropped 63 KMSpico.exe 42->63         started        66 core.exe 42->66         started        70 info.exe 42->70         started        228 Multi AV Scanner detection for dropped file 48->228 230 Contains functionality to start a terminal service 48->230 136 plus.l.google.com 142.250.217.206 GOOGLEUS United States 50->136 138 play.google.com 142.251.15.138 GOOGLEUS United States 50->138 142 3 other IPs or domains 50->142 140 www.google.com 74.125.136.99 GOOGLEUS United States 53->140 72 conhost.exe 59->72         started        74 conhost.exe 61->74         started        76 conhost.exe 61->76         started        78 conhost.exe 61->78         started        80 conhost.exe 61->80         started        file14 signatures15 process16 dnsIp17 128 C:\Users\user\AppData\Local\...\KMSpico.tmp, PE32 63->128 dropped 82 KMSpico.tmp 63->82         started        144 changeaie.top 104.21.42.7 CLOUDFLARENETUS United States 66->144 146 pastebin.com 104.22.69.199 CLOUDFLARENETUS United States 66->146 174 Query firmware table information (likely to detect VMs) 66->174 176 Tries to harvest and steal browser information (history, passwords, etc) 66->176 178 Tries to steal Crypto Currency Wallets 66->178 148 stats-1.crabdance.com 82.115.223.212 MIDNET-ASTK-TelecomRU Russian Federation 70->148 86 conhost.exe 70->86         started        file18 signatures19 process20 file21 88 C:\Windows\...\Vestris.ResourceLib.dll (copy), PE32 82->88 dropped 90 C:\Windows\System32\is-UN5K4.tmp, PE32 82->90 dropped 92 C:\Windows\System32\is-81O9A.tmp, PE32 82->92 dropped 94 18 other malicious files 82->94 dropped 180 Disables the Smart Screen filter 82->180 signatures22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-04-16 04:57:30 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=npidj5yjzl5ncjobmfczhmbqk4lnngfr6bntj6vzp7bn6bf7uloq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250417-g3cdnsyzht/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://clarmodq.top/qoxo
https://jawdedmirror.run/ewqd
https://changeaie.top/geps
https://7dlonfgshadow.live/xawi
https://liftally.top/xasj
https://nighetwhisper.top/lekd
https://salaccgfa.top/gsooz
https://zestmodp.top/zeda
https://owlflright.digital/qopy
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e3182e61-c932-48cc-a56d-1c459542de7e
Unpacked files
SH256 hash:
6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd
MD5 hash:
b830ca4b5d9d2e67a0f3d6f8e5db8dd3
SHA1 hash:
d41c795c4f348ee4f28e9a9b98b6490b735984c8
Link:
https://www.unpac.me/results/70452c45-01e4-4c5a-8b23-1cf5e0467a83/
SH256 hash:
0e0ece2e024efcca092ab8b84a0f245d2c2a7458f4dcabe55897be1924a20452
MD5 hash:
0b0fead94a9992ad5ec6dae36d3f8831
SHA1 hash:
068b0c6278cff0876a7e40776461542354588dbf
Link:
https://www.unpac.me/results/70452c45-01e4-4c5a-8b23-1cf5e0467a83/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 6bd034f709cafad125c1614593b0305716d698b1f05b34fab97fc2df04bfa2dd

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/2651/
  
URLhaus
https://urlhaus.abuse.ch/url/3511779/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments