MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85af4ca3283856bbb2354b9adbfc26f212b085cb0323a4396a49eedbad7a6f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15


SHA256 hash: 85af4ca3283856bbb2354b9adbfc26f212b085cb0323a4396a49eedbad7a6f59
SHA3-384 hash: 45a490206cad43b32d532477aeab0b245696ef894651806a9662e684d15393534251876fd8cd559e8774c4eb38ce45ed
SHA1 hash: beabe9ba0949295a7efc6172231bf97faab1c857
MD5 hash: 5ec87fb8ecb01cb24598d5e07eff6ddc
humanhash: east-orange-fruit-winter
File name: random.exe
Signature: LummaStealer
File size: 1'878'016 bytes
First seen: 2025-04-27 07:54:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:Xt9tGIvBSo+1bv+6qF1BU0MpsyR0EBSyCp7e:d7GIvGtmtF1BtyR0E9ge
TLSH: T10D9533D3BD72A965CE2E12B07084F4209B1A0C1E7F5853D437C60987B0EA6D766C6EB2
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 406
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-27 07:57:22 UTC
Tags: lumma stealer themida loader amadey botnet telegram auto-reg rdp credentialflusher auto-sch putty rmm-tool phishing redline metastealer miner github auto generic gcleaner stealc vidar autoit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt entropy packed packed packer_detected rat virtual xpack
Result
Threat name: Amadey, LummaC Stealer, Quasar, RedLine
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Quasar RAT
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 1675401 (sample random.exe, start date 27/04/2025, architecture WINDOWS, score 100)
Threat name: Win32.Trojan.Symmi
Status: Malicious
First seen: 2025-04-27 05:25:33 UTC
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 85af4ca3283856bbb2354b9adbfc26f212b085cb0323a4396a49eedbad7a6f59
MD5 hash: 5ec87fb8ecb01cb24598d5e07eff6ddc
SHA1 hash: beabe9ba0949295a7efc6172231bf97faab1c857

SHA256 hash: 74ba11301b54f20cbe33c88a2dff681de8972734e02508db6563347a98ba5a95
MD5 hash: a738c1bafe20b6692faa1d16a353b9f6
SHA1 hash: fe25e7a91a0b399e7b099ff655173cb88dfee8d0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery | Signature | File
Web download | LummaStealer | Executable exe 85af4ca3283856bbb2354b9adbfc26f212b085cb0323a4396a49eedbad7a6f59 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
