Threat name: Amadey, LummaC Stealer
Alert
Classification: troj.spyw.evad
Signatures:
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Sigma detected: Suspicious Invoke-WebRequest Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Amadey's Clipper DLL
Yara detected LummaC Stealer
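Several of the signatures above describe host artifacts a responder can check for directly: a Defender exclusion added through a Base64-encoded MpPreference cmdlet, powercfg disabling sleep/hibernate, a new Run key pointing into a user-writable folder, and the EventLog service being stopped. The script below is an added example, not Joe Sandbox or abuse.ch code, that implements those checks over constructed process-creation and registry events. The event field names (image, cmdline, key, value), the command lines and the registry values are all made up for the example; the rule names reuse the Sigma titles listed on this page, but the matching logic is an approximation written here, not the published Sigma rules.

```python
"""Sigma-style triage for some of the behaviours listed above, over constructed
process-creation and registry events. Added example, not Joe Sandbox or abuse.ch
code; the events below are made up and none are taken from the sample."""
from __future__ import annotations

import base64
import re

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_ps(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events; field names loosely follow Sysmon event 1 / 13 (assumption).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c dir C:\Users\user"},
    {"image": PS_EXE, "cmdline": "powershell.exe -NoP -W Hidden -enc "
        + encode_ps(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"')},
    {"image": PS_EXE, "cmdline": r'powershell Set-MpPreference -ExclusionProcess "lhhsgwktkatl.exe"'},
    {"image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /x -standby-timeout-ac 0"},
    {"image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg /hibernate off"},
    {"image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop eventlog"},
]
REGISTRY_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\user\AppData\Local\Temp\saved.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
EXCLUSION = re.compile(r"(?i)-Exclusion(?:Path|Process|Extension|IpAddress)\b")
POWERCFG = re.compile(r"(?i)\bpowercfg(?:\.exe)?\s.*(?:-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b|/h(?:ibernate)?\s+off\b)")
EVENTLOG_STOP = re.compile(r"(?i)(?:\b(?:sc|net)(?:\.exe)?\s+stop\s+eventlog\b|Stop-Service\s+(?:-Name\s+)?[\"']?EventLog\b)")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
SUSPICIOUS_DIRS = re.compile(r"(?i)\\(?:AppData|ProgramData|Temp|Users\\Public|Windows\\Temp|Downloads)\\")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def triage_process_event(ev: dict) -> list[str]:
    """Names of the rules a process-creation event triggers (empty list when clean)."""
    cmd = ev["cmdline"]
    hits: list[str] = []
    decoded = decode_encoded_command(cmd)
    if decoded and MPPREF.search(decoded):
        hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
    # Inspect the visible command line plus whatever the encoded blob was hiding.
    visible = cmd if decoded is None else cmd + " " + decoded
    if MPPREF.search(visible) and EXCLUSION.search(visible):
        hits.append("Adds an exclusion to Windows Defender")
    if POWERCFG.search(cmd):
        hits.append("Disable power options")
    if EVENTLOG_STOP.search(cmd):
        hits.append("Stop EventLog")
    return hits


def triage_registry_event(ev: dict) -> list[str]:
    """Flag Run/RunOnce values whose data points into user-writable staging folders."""
    if RUN_KEY.search(ev["key"]) and SUSPICIOUS_DIRS.search(ev["value"]):
        return ["New RUN Key Pointing to Suspicious Folder"]
    return []


def triage(process_events: list[dict], registry_events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged command line or registry key to the rules it triggered."""
    findings: dict[str, list[str]] = {}
    for ev in process_events:
        if hits := triage_process_event(ev):
            findings[ev["cmdline"]] = hits
    for ev in registry_events:
        if hits := triage_registry_event(ev):
            findings[ev["key"]] = hits
    return findings


if __name__ == "__main__":
    for what, rules in triage(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{what[:60]:60} -> {', '.join(rules)}")
```

Decoding the -EncodedCommand payload before matching is deliberate: a string match on the raw command line misses the cmdlet entirely, and matching the Base64 alphabet directly has to account for the three possible alignments of the encoded text, which is why the Sigma rule of that name exists. Decoding sidesteps that and also exposes whatever else the blob contained.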
Behavior Graph
ID: 1673825
Sample: RWjLVJ9FrG.exe
Startdate: 25/04/2025
Architecture: WINDOWS
Score: 100

The rendered graph did not survive extraction; the node and edge list below is rebuilt from it. Numbers in parentheses are the figure's own node IDs, and "started", "injected" and "dropped" are its edge labels.

Root (2)
  network: www.google.com (86); raw.githubusercontent.com (88); 11 other IPs or domains (90)
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 24 other signatures
  started: saved.exe (9); RWjLVJ9FrG.exe (14); svchost.exe (16); 4 other processes (18)

saved.exe (9)
  network: 185.39.17.163 (ports 49729, 49730, 49733; RU-TAGNET-ASRU, Russian Federation)
  dropped: C:\Users\user\AppData\...\281c12b425.exe (PE32); C:\Users\user\AppData\...\ddc34001ff.exe (PE32); C:\Users\user\AppData\...\2db418e9e5.exe (PE32); 15 other malicious files
  signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys
  started: ajNyRQT.exe (20); VbLeLbQ.exe (24)

RWjLVJ9FrG.exe (14)
  network: 185.39.17.162 (ports 49728, 49732, 49734; RU-TAGNET-ASRU, Russian Federation); clarmodq.top = 172.67.205.184 (ports 443, 49716, 49718; CLOUDFLARENETUS, United States)
  dropped: C:\...\YIYUMYBQJ7SXGR4XUXX7BI8KL2YUH.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 10 other signatures
  started: YIYUMYBQJ7SXGR4XUXX7BI8KL2YUH.exe (26)

svchost.exe (16)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: MpCmdRun.exe (28)

4 other processes (18)
  network: 127.0.0.1 (ASN unknown, country unknown)
  signatures: Multi AV Scanner detection for dropped file

ajNyRQT.exe (20)
  dropped: C:\ProgramData\...\lhhsgwktkatl.exe (PE32+)
  signatures: Multi AV Scanner detection for dropped file; Uses powercfg.exe to modify the power settings; Modifies the context of a thread in another process (thread injection); Modifies power options to not sleep / hibernate
  started: dialer.exe (30); powershell.exe (33); cmd.exe (35); 13 other processes (47)

VbLeLbQ.exe (24)
  signatures: Suspicious powershell command line found; Found API chain indicative of debugger detection; Adds a directory exclusion to Windows Defender; Found direct / indirect Syscall (likely to bypass EDR)
  started: cmd.exe (37); powershell.exe (39); conhost.exe (41)

YIYUMYBQJ7SXGR4XUXX7BI8KL2YUH.exe (26)
  dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
  signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
  started: saved.exe (43)

MpCmdRun.exe (28)
  started: conhost.exe (45)

dialer.exe (30)
  signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  injected: lsass.exe (49)
  also linked to: 9 other processes (66)

powershell.exe (33)
  signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
  started: conhost.exe (52)

cmd.exe (35)
  started: conhost.exe (54); wusa.exe (56)

cmd.exe (37)
  signatures: Suspicious powershell command line found
  started: powershell.exe (58)

powershell.exe (39)
  started: conhost.exe (62)

saved.exe (43)
  signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

13 other processes (47)
  started: conhost.exe (64)
  also linked to: 12 other processes (68)

lsass.exe (49)
  signatures: Writes to foreign memory regions

powershell.exe (58)
  network: github.com = 140.82.112.3 (ports 443, 49737; GITHUBUS, United States); raw.githubusercontent.com = 185.199.111.133 (ports 443, 49741; FASTLYUS, Netherlands)
  dropped: C:\Users\user\AppData\...\izftboodeosh.exe (PE32)