MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 864fadf62d68bbde05a8570856155a01afa6861a02b1381853618a8abeaab995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16



SHA256 hash: 864fadf62d68bbde05a8570856155a01afa6861a02b1381853618a8abeaab995
SHA3-384 hash: cf37ea019e91102fd171f25f4c7111c04a2f723039020cc8dabb99812b92adf1709cfb1c18f595f36b9921ff118ef60c
SHA1 hash: 0ec1acb2fd169a3b165f267f2f97fec5486fac99
MD5 hash: 55005b8e00254a38c146957fefd42aa0
humanhash: potato-vegan-apart-artist
File name: random.exe
Signature: LummaStealer
File size: 1'924'096 bytes
First seen: 2025-06-05 15:37:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:IjEOLHo4QAp1akxYzWtryignqlkQfIYT0+cQT:1FEEhnwkQgoLc
TLSH: T1F795336D4BC7C725D71543782B16C314BB10CC4ABACE2B9DA9BC81EF2B42DBA9170535
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 363
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: e1d8c5240f274a7c77de74284c8a5e47.exe
Verdict: Malicious activity
Analysis date: 2025-06-05 15:32:10 UTC
Tags: lumma stealer themida loader amadey botnet rdp antivm delphi enigma pentagon auto-reg telegram golang

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 92.5%
Tags: vmdetect phishing autorun
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm crypt packed packed packer_detected xpack
Result
Threat name: Amadey, LummaC Stealer, ResolverRAT, Vid
Detection: malicious
Classification: troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected Powershell decode and execute
Yara detected ResolverRAT
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1707367; sample: random.exe; start date: 05/06/2025; architecture: WINDOWS; score: 100)

Top-level network contacts: fleurdcuyt.digital; 51.e2.4t.com; 12 other IPs or domains
Top-level signatures: Sigma detected: Xmrig; Suricata IDS alerts for network traffic; Found malware configuration; 26 other signatures

Process tree recovered from the graph (network contacts, dropped files and signatures per process; port lists are given as they appear in the graph):

random.exe
  Network: 185.156.72.2, 49714, 49717, 49720 (ITDELUXE-ASRU, Russian Federation); fleurdcuyt.digital 195.82.147.188, 443, 49698, 49701 (DREAMTORRENT-CORP-ASRU, Russian Federation)
  Dropped: C:\Users\user\...\GJNOKUX46ME9RWOV0QX.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 7 other signatures
  Started: GJNOKUX46ME9RWOV0QX.exe
    Dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32)
    Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 3 other signatures
    Started: ramez.exe
      Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Hides threads from debuggers

ramez.exe
  Network: 185.156.72.61, 49735, 80 (ITDELUXE-ASRU, Russian Federation); 185.156.72.96, 49715, 49716, 49718 (ITDELUXE-ASRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Local\...\08IyOOF.exe (PE32+); C:\Users\user\AppData\Local\...\DgO51N6.exe (PE32+); C:\Users\user\AppData\Local\...\3Svu0S9.exe (PE32); 22 other malicious files
  Signatures: Contains functionality to start a terminal service; Hides threads from debuggers
  Started: hJ5bmFj.exe, 94mG4Ak.exe, 8f2lGlV.exe, 5 other processes
    hJ5bmFj.exe
      Dropped: C:\Users\user\AppData\Roaming\SortId.exe (PE32+); C:\Users\user\AppData\Roaming\...\SortId.vbs (ASCII)
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Drops VBS files to the startup folder; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Started: InstallUtil.exe
        Network: 135.125.240.74, 39001, 49301, 49719 (AVAYAUS, United States); github.com 140.82.113.4, 443, 49723 (GITHUBUS, United States); 2 other IPs or domains
        Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
        Started: AddInProcess.exe (three instances), 4 other processes
          AddInProcess.exe: Found strings related to Crypto-Mining; started conhost.exe
          AddInProcess.exe: Query firmware table information (likely to detect VMs); started conhost.exe
          AddInProcess.exe: started conhost.exe
          4 other processes: started conhost.exe and 2 other processes
    94mG4Ak.exe
      Signatures: Multi AV Scanner detection for dropped file; 2 other signatures
      Started: MSBuild.exe, conhost.exe
        MSBuild.exe: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
    8f2lGlV.exe
      Signatures: 3 other signatures
      Started: 8f2lGlV.exe
        Network: 51.e2.4t.com 116.202.3.169, 443, 49758, 49762 (HETZNER-ASDE, Germany); t.me 149.154.167.99, 443, 49756 (TELEGRAMRU, United Kingdom)
        Signatures: Encrypted powershell cmdline option found
        Started: powershell.exe, chrome.exe, powershell.exe, 3 other processes
          powershell.exe: dropped C:\Users\user\AppData\Local\...\3gecsuba.0.cs (Unicode); started conhost.exe
          chrome.exe: started chrome.exe, which contacted www.google.com 142.251.116.99 (GOOGLEUS, United States)
          powershell.exe: started conhost.exe
          3 other processes: started conhost.exe
    5 other processes
      Dropped: C:\Users\user\AppData\Local\...\varen.exe (PE32)
      Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
      Started: MSBuild.exe, varen.exe, 2 other processes
        MSBuild.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Crypto Currency Wallets
        varen.exe: Multi AV Scanner detection for dropped file

wscript.exe
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: SortId.exe
    Signatures: Modifies the context of a thread in another process (thread injection)
    Started: InstallUtil.exe

2 other processes
  Signatures: Compiles code for process injection (via .Net compiler); Loading BitLocker PowerShell Module
  Started: conhost.exe, WmiPrvSE.exe
Threat name: Win32.Trojan.Symmi
Status: Malicious
First seen: 2025-06-05 15:38:25 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://battlefled.top/gaoi
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://peppinqikp.xyz/xaow
Unpacked files
SHA256 hash: 864fadf62d68bbde05a8570856155a01afa6861a02b1381853618a8abeaab995
MD5 hash: 55005b8e00254a38c146957fefd42aa0
SHA1 hash: 0ec1acb2fd169a3b165f267f2f97fec5486fac99
SHA256 hash: c73feec59b682612b54920339001a6dae2bc9aa7d7efc407d38bc90747fe2bd9
MD5 hash: eaac920a8062636a17efbd0d040195d9
SHA1 hash: 38d9d5a2d7dfc9db46e534c09f5317ab6482f724
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: LummaStealer, Executable exe 864fadf62d68bbde05a8570856155a01afa6861a02b1381853618a8abeaab995 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX                  | Missing Non-Executable Memory Protection               | critical

Comments