MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472
SHA3-384 hash: 479970c6d16577e2d03ee1deaba3a3f118ec50cf6fc0a15a98a4a6d20503a07711cf92c2ccd6b631e07f6b58a827186e
SHA1 hash: a40bec323d1c52d46bc905348fec7823d3f3d0e3
MD5 hash: d986f670d5d422bfd1f7410c9fadb3ae
humanhash: fillet-rugby-autumn-alabama
File name:d986f670d5d422bfd1f7410c9fadb3ae.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'755'992 bytes
First seen:2025-03-08 04:54:48 UTC
Last seen:2025-03-08 05:18:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 994f18cb9978574a2203372470f204bc (7 x LummaStealer, 6 x Emmenhtal)
ssdeep 24576:n7LpZrGn9TQvn7LpZrGn9TQvG7LpZrGn9TQvn7LpZrGn9TQvD7LpZrGn9TQv:nmn9TQPmn9TQemn9TQPmn9TQ7mn9TQ
Threatray 8 similar samples on MalwareBazaar
TLSH T176858C317A448D72EEE322B919AD753A557DE4A20F2040C7678013DEAB61AD1BF307DB
TrID 46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 10f079f892ea78b0 (18 x Emmenhtal, 7 x LummaStealer, 4 x CoinMiner)
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
451
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
connectwise
Create hunting rule
ID:
1
File name:
f3248fbe02915fc05a4aaaeed94778b4.lnk
Verdict:
Malicious activity
Analysis date:
2025-03-07 19:47:57 UTC
Tags:
loader connectwise rmm-tool
Link:
https://app.any.run/tasks/c6349174-c30a-401a-95eb-eb27a666dfcf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cbd1d5721c50b5b0ee1583
Tags:
injection virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MustardSandwich
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14a3c168-85a7-43a5-afdb-909be28c39b9
Result
Threat name:
Emmenhtal Loader
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1632532
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emmenhtal Loader
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472/
Threat name:
Win32.Trojan.Fakecaptcha
Create hunting rule
Status:
Malicious
First seen:
2025-03-08 01:07:32 UTC
File Type:
PE (Exe)
Extracted files:
134
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5aemdlnhn7aqd5j5gqxncbysxbf2wdndxigodsesaxwi6ssyrza._file
Verdict:
malicious
Label(s):
emmenhtal
Create hunting rule
Similar samples:
1b575237fe7710a37298b388977068f39b254944e0a3f61fc0902acb75bc9d1a
LummaStealer
37340378c627de6cea2e035e06a85cbc4d28a2fa39554e94bb2bc6caa8ea47e9
LummaStealer
423da4e2261d8de3958931c9fa8a52d2b426ee6aef26ebb321e453e9b12db566
LummaStealer
b4f58a9c2f27210bd9f0e8acb291d24dbc45507258364b4cac8da9c2092f8cc9
LummaStealer
dbbc1a7666a2a94c6e00769562db238fa6fb5e1902e19d73f114751d2d467e06
LummaStealer
e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b
LummaStealer
eab7ba0ee6ec5659e461fbe4d9dadb9103a2c277ad572f869a8473b698944025
LummaStealer
eed535408d64700a6f63e523f2c4594a1f95e1e9dc359c931539a139da283286
LummaStealer
error
LummaStealer
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250308-fj8gbs11fw/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/146bd194-2a49-4cd3-b585-e71d7d3c3fb4
Unpacked files
SH256 hash:
6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472
MD5 hash:
d986f670d5d422bfd1f7410c9fadb3ae
SHA1 hash:
a40bec323d1c52d46bc905348fec7823d3f3d0e3
Detections:
Emmenhtal
Create hunting rule
Link:
https://www.unpac.me/results/d0e3cb18-4dc7-478b-bce3-1cefe04a5c1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:IDATDropper
Create hunting rule
Author:NDA0E
Description:Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).
Rule name:MALWARE_Win_FakeCaptcha_Downloader
Create hunting rule
Author:ditekshen
Description:Detects downloader executables dropped by fake captcha
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 6f40460d6d3b7e080fa9e9a176883895c25d586d1dd0670e44902f647a52c472

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3464151/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationapi-ms-win-security-sddl-l1-1-0.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-security-sddl-l1-1-0.dll::ConvertStringSidToSidW
api-ms-win-security-base-l1-1-0.dll::CopySid
api-ms-win-security-base-l1-1-0.dll::CreateWellKnownSid
api-ms-win-security-base-l1-1-0.dll::EqualPrefixSid
api-ms-win-security-base-l1-1-0.dll::GetLengthSid
COM_BASE_APICan Download & Execute componentsapi-ms-win-core-com-l1-1-0.dll::CLSIDFromProgID
api-ms-win-core-com-l1-1-0.dll::CoCreateInstance
api-ms-win-core-com-l1-1-0.dll::CoInitializeSecurity
SECURITY_BASE_APIUses Security Base APIapi-ms-win-security-base-l1-1-0.dll::AddAccessAllowedAce
api-ms-win-security-base-l1-1-0.dll::AddAce
api-ms-win-security-base-l1-1-0.dll::AdjustTokenPrivileges
api-ms-win-security-base-l1-1-0.dll::GetAclInformation
api-ms-win-security-base-l1-1-0.dll::GetTokenInformation
api-ms-win-security-base-l1-1-0.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and Threadsapi-ms-win-core-processthreads-l1-1-0.dll::OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.dll::OpenThreadToken
api-ms-win-core-processthreads-l1-1-1.dll::SetProcessMitigationPolicy
api-ms-win-core-synch-l1-1-0.dll::OpenSemaphoreW
api-ms-win-core-memory-l1-1-0.dll::WriteProcessMemory
api-ms-win-core-handle-l1-1-0.dll::CloseHandle
WIN_BASE_APIUses Win Base APIapi-ms-win-core-processthreads-l1-1-0.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
api-ms-win-core-libraryloader-l1-2-0.dll::LoadLibraryExW
api-ms-win-core-libraryloader-l1-2-1.dll::LoadLibraryW
WIN_BASE_IO_APICan Create Filesapi-ms-win-core-memory-l1-1-0.dll::CreateFileMappingW
ntdll.dll::NtCreateFile
api-ms-win-core-file-l1-1-0.dll::CreateFileW
api-ms-win-core-file-l1-1-0.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account Informationapi-ms-win-security-lsalookup-l2-1-0.dll::LookupAccountNameW
api-ms-win-security-lsalookup-l2-1-0.dll::LookupAccountSidW
api-ms-win-security-lsalookup-l2-1-0.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryapi-ms-win-core-registry-l1-1-0.dll::RegCreateKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegDeleteKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegGetValueW
api-ms-win-core-registry-l1-1-0.dll::RegOpenKeyExW
api-ms-win-core-registry-l1-1-0.dll::RegQueryInfoKeyW
api-ms-win-core-registry-l1-1-0.dll::RegQueryValueExW

Comments