MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
SHA3-384 hash: 90b081fc331853dd36e596496661e2ddb8fb9fbc43cf9aa5953fc99a6ec27c025c198118652fbc32c63ac83385d7230c
SHA1 hash: 5fe0f210c6461db77ed5b7e265b85eae57ffa6f1
MD5 hash: fac9214c35af0181c30099c68920f445
humanhash: tennis-timing-asparagus-saturn
File name:Nepomuk.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:573'440 bytes
First seen:2025-04-12 07:24:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd6361ba72b748c3b6b9430ee151fe92 (1 x LummaStealer, 1 x GOBackdoor)
ssdeep 12288:gVL+IwnXn0S7X/fmB/TyXG3tXIODpvGtW55i5YO8:gVL+IQXjLWkW3dIO0WLi5b
Threatray 15 similar samples on MalwareBazaar
TLSH T15CC4F2E1315D820DE1E30678C7AD8B5422305E2B5AF26ACAFB4C7F07967EDC05911ABD
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon c4b2d8d2d2d8a4dc (2 x LummaStealer)
Reporter Rony
Tags:exe lumma LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
488
Origin country :
IN IN
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Nepomuk.exe
Verdict:
Malicious activity
Analysis date:
2025-04-12 07:26:50 UTC
Tags:
lumma stealer github golang
Link:
https://app.any.run/tasks/c4f1f0fb-41cf-4faa-b452-3c3638d36375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1969/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.23525.19993.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fa15dc1dba888a93d15637
Tags:
obfuscate phishing xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm crypto hacktool keylogger packed packed packer_detected stealer
Link:
https://www.filescan.io/uploads/67fa155aeb7eb0aee043dcd2/reports/b9473a64-5f4b-4e9a-81d2-e87a58da0504/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d56927da-ea23-4e68-935c-749d2a28dd57
Result
Threat name:
GO Backdoor, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1663719
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Contains functionality to detect sleep reduction / modifications
Contains functionality to encrypt and move a file in one function
Contains functionality to log keystrokes
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected GO Backdoor
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1663719 Sample: Nepomuk.exe Startdate: 12/04/2025 Architecture: WINDOWS Score: 100 39 quantyu.bet 2->39 41 soursopsf.run 2->41 43 3 other IPs or domains 2->43 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Antivirus detection for URL or domain 2->65 67 11 other signatures 2->67 9 Nepomuk.exe 1 2->9         started        14 T68WJ1SM1U30WFLN7XXTLWOX8.exe 2->14         started        16 T68WJ1SM1U30WFLN7XXTLWOX8.exe 2->16         started        signatures3 process4 dnsIp5 49 github.com 140.82.114.3, 443, 49728 GITHUBUS United States 9->49 51 raw.githubusercontent.com 185.199.111.133, 443, 49729 FASTLYUS Netherlands 9->51 53 changeaie.top 104.21.42.7, 443, 49716, 49717 CLOUDFLARENETUS United States 9->53 37 C:\Users\...\T68WJ1SM1U30WFLN7XXTLWOX8.exe, PE32 9->37 dropped 77 Detected unpacking (creates a PE file in dynamic memory) 9->77 79 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->79 81 Query firmware table information (likely to detect VMs) 9->81 85 8 other signatures 9->85 18 T68WJ1SM1U30WFLN7XXTLWOX8.exe 2 9->18         started        55 194.28.226.181, 443, 49738, 49745 SYSTEM-LTD-ASRU Russian Federation 14->55 57 91.212.166.19, 443, 49739, 49746 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom 14->57 59 4 other IPs or domains 14->59 83 Suspicious powershell command line found 14->83 23 powershell.exe 14->23         started        25 powershell.exe 16->25         started        file6 signatures7 process8 dnsIp9 45 185.121.233.152, 28150, 49731 IPCORE-ASES Spain 18->45 47 46.8.232.106, 443, 49730, 49732 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 18->47 35 C:\Users\user\AppData\...35rEXDJiACHo.exe, PE32 18->35 dropped 69 Multi AV Scanner detection for dropped file 18->69 71 Suspicious powershell command line found 18->71 73 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 18->73 75 Contains functionality to detect sleep reduction / modifications 18->75 27 powershell.exe 1 11 18->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        file10 signatures11 process12 process13 33 conhost.exe 27->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89/
Threat name:
Win32.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-11 05:22:10 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=spdraj6ajbghx2k7okc3f7tgrnqlhpwffmhvpug6wap437qrdkeq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3060fb37f6a35e6c8f5593e09752d8090d0127f5339c2c38360c549f765cba0f
LummaStealer
595955c92a53bb0da3854584501ceb7dae9f43842d914d81dae38a02797e4675
LummaStealer
61f93164a2658ba6c1198e4679cc349bc8e100f5538f3b61728ae1d8ba9fa67e
LummaStealer
88ef00996d1a65e840f7610e76962bba27081c1832772dff255d88c68e7843ce
LummaStealer
90b3a30668871e1af9a1b449466589aa7f1096c7ec4a016394565d7d156f4451
LummaStealer
ab8d42ebe660e813c943cacc78d23b80f9ba88392ff32fc3ae07fabaaeb13647
LummaStealer
c67e82a5d7614d4ab31781c392d91de7ed5dc8fa5751c2db8c8cf7382954f13f
LummaStealer
e45a7f9d3fa0175b8fd5bdf068934c53cc2516261b1f0b9a1f4c0ac8520e0857
LummaStealer
error
LummaStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250412-h822yszmv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://quantyu.bet/AOSkwi
https://soursopsf.run/gsoiao
https://changeaie.top/geps
https://easyupgw.live/eosz
https://liftally.top/xasj
https://upmodini.digital/gokk
https://fsalaccgfa.top/gsooz
https://zestmodp.top/zeda
https://.xcelmodo.run/nahd
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bd008dea-0e46-485c-be21-ea77c7a880e3
Unpacked files
SH256 hash:
93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
MD5 hash:
fac9214c35af0181c30099c68920f445
SHA1 hash:
5fe0f210c6461db77ed5b7e265b85eae57ffa6f1
Link:
https://www.unpac.me/results/43d62158-b58d-43a6-a041-d40884e9e1e8/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93c71027c048/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

LummaStealer

Executable exe 93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89

(this sample)

GOBackdoor

Executable exe 854d5ac4352c653dbb566a39de26f260181a666c01dc8f26347585bcd129a99d

Cape
Cape
https://www.capesandbox.com/analysis/1969/
  
Dropping
SHA256 854d5ac4352c653dbb566a39de26f260181a666c01dc8f26347585bcd129a99d
  
Dropping
MD5 8ddc00b505740e2be081fcf120a6523a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::AllocateLocallyUniqueId
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AccessCheck
ADVAPI32.dll::AccessCheckByType
ADVAPI32.dll::AccessCheckByTypeResultList
ADVAPI32.dll::AddAccessAllowedAce
ADVAPI32.dll::AddAccessDeniedAce
ADVAPI32.dll::AdjustTokenPrivileges
SS_APIUses SS APIADVAPI32.dll::CryptVerifySignatureW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetProcessDEPPolicy
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleMode
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupAccountNameW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt FilesADVAPI32.dll::EncryptFileW
ADVAPI32.dll::FileEncryptionStatusW
ADVAPI32.dll::DecryptFileW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptDecrypt
ADVAPI32.dll::CryptDeriveKey
ADVAPI32.dll::CryptEncrypt
ADVAPI32.dll::CryptExportKey
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegLoadAppKeyW
ADVAPI32.dll::RegLoadKeyW
ADVAPI32.dll::RegNotifyChangeKeyValue
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigW
ADVAPI32.dll::ControlService
ADVAPI32.dll::EnumDependentServicesW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::QueryServiceConfigW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW
USER32.dll::LockWorkStation

Comments