MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
SHA3-384 hash: c378b0f9e5a2a8dffd2bcbb7a5688c7c14274295c6fbdfe8aed6e765788e3f841e5af288f87e7583d3ab5b2cdca85978
SHA1 hash: c138f25c55178a025b2340141ce4ab3564697acf
MD5 hash: 963b1445ba08753aaee9739606040eae
humanhash: montana-video-pizza-hot
File name:963b1445ba08753aaee9739606040eae.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'116'608 bytes
First seen:2025-06-12 09:14:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:cRD6n3Gb6ig2N+8E3kFuEKlFUlHqcLomgk:lWb6igb8E3kFuqNqc5g
Threatray 4 similar samples on MalwareBazaar
TLSH T127A5019A3D76313DC846CF3666A3334A56EE1A2B7793C9308AC8FF965ED00DD650085E
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
432
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
963b1445ba08753aaee9739606040eae.exe
Verdict:
Malicious activity
Analysis date:
2025-06-12 09:31:55 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/8343e81d-0b61-440b-8fdc-e2c071dbfbb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9103/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684a9ab107b5e8c1cfe66768
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6d76cdfd-d527-4d22-acb3-f09fb2607d0b
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713029
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713029 Sample: jimg2NZGnO.exe Startdate: 12/06/2025 Architecture: WINDOWS Score: 100 130 www.google.com 2->130 132 plus.l.google.com 2->132 134 4 other IPs or domains 2->134 144 Suricata IDS alerts for network traffic 2->144 146 Found malware configuration 2->146 148 Antivirus detection for dropped file 2->148 150 16 other signatures 2->150 13 jimg2NZGnO.exe 1 2->13         started        18 ALTerGDg.exe 2->18         started        20 ramez.exe 2->20         started        22 5 other processes 2->22 signatures3 process4 dnsIp5 138 185.156.72.2, 49692, 49739, 49751 ITDELUXE-ASRU Russian Federation 13->138 140 battlefled.top 195.82.147.188, 443, 49681, 49682 DREAMTORRENT-CORP-ASRU Russian Federation 13->140 128 C:\...\8ILXRSTREY26F9315ZV4DWSF83W8M.exe, PE32 13->128 dropped 192 Detected unpacking (changes PE section rights) 13->192 194 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->194 196 Query firmware table information (likely to detect VMs) 13->196 206 7 other signatures 13->206 24 8ILXRSTREY26F9315ZV4DWSF83W8M.exe 8 13->24         started        28 WerFault.exe 21 16 13->28         started        198 Binary is likely a compiled AutoIt script file 18->198 30 IQWITT73.exe 18->30         started        32 n5m6MOCS.exe 18->32         started        34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        200 Contains functionality to start a terminal service 20->200 202 Hides threads from debuggers 20->202 204 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->204 142 127.0.0.1 unknown unknown 22->142 38 WerFault.exe 2 22->38         started        40 Conhost.exe 22->40         started        file6 signatures7 process8 file9 104 C:\Users\user\profile\ALTerGDg.exe, PE32 24->104 dropped 106 C:\Users\user\profile\1gdpeMuD.exe, PE32 24->106 dropped 152 Multi AV Scanner detection for dropped file 24->152 42 ALTerGDg.exe 24->42         started        108 C:\ProgramData\Microsoft\...\Report.wer, Unicode 28->108 dropped 154 Contains functionality to start a terminal service 30->154 156 Hides threads from debuggers 30->156 158 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->158 160 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 30->160 45 cmd.exe 32->45         started        47 conhost.exe 34->47         started        49 schtasks.exe 34->49         started        51 Conhost.exe 34->51         started        53 conhost.exe 36->53         started        55 1gdpeMuD.exe 36->55         started        signatures10 process11 signatures12 172 Multi AV Scanner detection for dropped file 42->172 174 Binary is likely a compiled AutoIt script file 42->174 176 Found API chain indicative of sandbox detection 42->176 57 IQWITT73.exe 4 42->57         started        61 n5m6MOCS.exe 42->61         started        63 cmd.exe 1 42->63         started        65 cmd.exe 42->65         started        67 conhost.exe 45->67         started        69 nircmd.exe 45->69         started        process13 file14 118 C:\Users\user\AppData\Local\...\ramez.exe, PE32 57->118 dropped 178 Antivirus detection for dropped file 57->178 180 Multi AV Scanner detection for dropped file 57->180 182 Detected unpacking (changes PE section rights) 57->182 190 7 other signatures 57->190 71 ramez.exe 57->71         started        120 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 61->120 dropped 122 C:\Users\user\AppData\Local\...\cecho.exe, PE32 61->122 dropped 124 C:\Users\user\AppData\Local\...124SudoLG.exe, PE32+ 61->124 dropped 126 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32 61->126 dropped 76 cmd.exe 61->76         started        184 Uses cmd line tools excessively to alter registry or file data 63->184 186 Uses schtasks.exe or at.exe to add and modify task schedules 63->186 188 Uses the nircmd tool (NirSoft) 63->188 78 1gdpeMuD.exe 3 63->78         started        80 conhost.exe 63->80         started        82 conhost.exe 65->82         started        84 schtasks.exe 65->84         started        86 Conhost.exe 67->86         started        signatures15 process16 dnsIp17 136 185.156.72.96, 49699, 49704, 49708 ITDELUXE-ASRU Russian Federation 71->136 110 C:\Users\user\AppData\...\0071d62128.exe, PE32 71->110 dropped 112 C:\Users\user\AppData\Local\...\random[1].exe, PE32 71->112 dropped 162 Antivirus detection for dropped file 71->162 164 Multi AV Scanner detection for dropped file 71->164 166 Detected unpacking (changes PE section rights) 71->166 170 5 other signatures 71->170 168 Uses cmd line tools excessively to alter registry or file data 76->168 88 cmd.exe 76->88         started        90 reg.exe 76->90         started        92 reg.exe 76->92         started        94 16 other processes 76->94 114 C:\Users\user\profile\n5m6MOCS.exe, PE32 78->114 dropped 116 C:\Users\user\profile\IQWITT73.exe, PE32 78->116 dropped file18 signatures19 process20 process21 96 tasklist.exe 88->96         started        98 Conhost.exe 90->98         started        100 Conhost.exe 92->100         started        process22 102 Conhost.exe 96->102         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2025-06-11 09:06:01 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=poyy3aaytdzsnqcxrnrv37iwe5n2t4kzciferoqr6kqd2zfniswq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
4b1ace47cfcbfb2d45ced82fa14a1eb111435094a7e6fd2857a8bded7bc95c60
LummaStealer
67762d49ebdd5e7142ff8e932bea77a380ce989db5afe5219dfaa8bfc85cf50d
LummaStealer
7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
LummaStealer
be3fe734774966013cccbf85f4c83d74e9a073abb72ceffa0859babdc7b38da8
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250612-k9fapavxf1/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://battlefled.top/gaoi
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://peppinqikp.xyz/xaow
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb2aa80d-df1a-462a-b0ed-b54995cea320
Unpacked files
SH256 hash:
7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad
MD5 hash:
963b1445ba08753aaee9739606040eae
SHA1 hash:
c138f25c55178a025b2340141ce4ab3564697acf
Link:
https://www.unpac.me/results/f69e5e5d-1c19-420b-b880-5d39fa93a969/
SH256 hash:
a6d10198bae6cd7a1344d8445b3972a45fe57c7c6a8201da5d791d89e090b65e
MD5 hash:
bf16ba000171404a8e4e4168b16a0b87
SHA1 hash:
51aa19d80f947713e77fbfc65d544fe42a5b3080
Link:
https://www.unpac.me/results/f69e5e5d-1c19-420b-b880-5d39fa93a969/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7bb18d801898/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 7bb18d801898f326c0578b635dfd16275ba9f159120a48ba11f2a03d64ad44ad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9103/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments