MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9911fd0a27e8221ca6be055443e9dda8985e9f79c761efb6ecabaa095567ec71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 17



SHA256 hash: 9911fd0a27e8221ca6be055443e9dda8985e9f79c761efb6ecabaa095567ec71
SHA3-384 hash: d929cdf08ae0e4aba73664c2974d56afb7ce569c9f3c98ceaa284f4f2455ca91cdae39674a39de323495946db358f276
SHA1 hash: a96d3e9cc9dada2e9f207904c8142b97dd06e5b5
MD5 hash: 23482d0db1c18055f4fd4620bb6c49e8
humanhash: missouri-music-three-football
File name: 23482d0db1c18055f4fd4620bb6c49e8.exe
Signature: LummaStealer
File size: 1'875'456 bytes
First seen: 2025-02-01 15:44:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:TY5zxm9noJyxjTVZy2GZ4lD0DIAq9UXMUldw78:aknoJyxjv7GZA4cAEUcCw78
Threatray: 1 similar samples on MalwareBazaar
TLSH: T19D9533C58D49DE65E21FE5FFE2569F2CBA6A86CA09FC34C02453C6323511B1E9487F82
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer
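The imphash line above places this sample in a cluster of 2'852 LummaStealer, 1'312 Stealc and 1'026 Healer files. The block below is an added example, not code from MalwareBazaar or from pefile, that implements the imphash normalization pefile's get_imphash() applies (library name lowercased with a .dll/.ocx/.sys extension stripped, function name lowercased, unresolved ordinals written as ordN, entries comma-joined in import-table order, then MD5) and runs it over two constructed import tables that are assumptions for the demonstration, not imports read from this sample. pefile additionally resolves known ordinals of ws2_32.dll and oleaut32.dll to names through a lookup table; that table is omitted here, so binaries importing from those two libraries by ordinal would hash differently. The point the example makes is why one imphash spans three families: the hash covers only the static import table, so every payload wrapped in the same packer or loader stub collides on the stub's imports, and the pivot identifies the packer, not the family.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# One import-table entry: (library name as stored in the PE, function name or ordinal).
ImportEntry = Tuple[str, Union[str, int]]

# Library extensions that the imphash algorithm drops before hashing.
STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_import(library: str, func: Union[str, int]) -> str:
    """Produce the 'library.function' token that imphash hashes for one import."""
    lib = library.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIPPED_EXTENSIONS:
        lib = base
    # Imports by ordinal become 'ordN'. (pefile additionally maps known ordinals of
    # ws2_32.dll and oleaut32.dll to names; that lookup table is omitted here.)
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def imphash_input(imports: Iterable[ImportEntry]) -> str:
    """The exact string imphash runs MD5 over: tokens in import-table order, comma-joined."""
    return ",".join(normalize_import(lib, func) for lib, func in imports)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """Import hash as computed by pefile's get_imphash(): MD5 of the joined tokens."""
    return hashlib.md5(imphash_input(imports).encode("utf-8")).hexdigest()


# Constructed import tables (assumed for the example, not read from the sample): the kind
# of minimal table a packer stub exposes, so the real payload's imports never appear.
STUB_IMPORTS_A: List[ImportEntry] = [
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("USER32.dll", 1),
]
# Same stub with different casing: a byte-different PE that lands on the same imphash.
STUB_IMPORTS_B: List[ImportEntry] = [
    ("kernel32.dll", "loadlibrarya"),
    ("kernel32.dll", "getprocaddress"),
    ("kernel32.dll", "virtualalloc"),
    ("kernel32.dll", "virtualprotect"),
    ("user32.DLL", 1),
]


def same_stub(a: Iterable[ImportEntry], b: Iterable[ImportEntry]) -> bool:
    """True when two binaries would land on the same imphash pivot."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    print(imphash_input(STUB_IMPORTS_A))
    print("A:", imphash(STUB_IMPORTS_A))
    print("B:", imphash(STUB_IMPORTS_B))
    print("collide:", same_stub(STUB_IMPORTS_A, STUB_IMPORTS_B))
    # Reordering the table changes the hash: imphash is order-sensitive.
    print("reversed:", imphash(list(reversed(STUB_IMPORTS_A))))
```

When the pivot counts look like the ones on this entry, treat the imphash as a packer indicator and pivot on something that sees past the stub instead, such as the unpacked-file hashes listed further down or the extracted C2 configuration.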

Intelligence


File Origin
Uploads: 1
Downloads: 446
Origin country: NL

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 23482d0db1c18055f4fd4620bb6c49e8.exe
Verdict: Malicious activity
Analysis date: 2025-02-01 15:54:12 UTC
Tags: loader lumma themida stealer stealc amadey botnet cryptbot auto generic credentialflusher telegram redline lefthook autoit gcleaner evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun spam

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Behavior that indicates a threat
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, AsyncRAT, KeyLogger, Lum
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Compiles code for process injection (via .Net compiler)
Compiles code to access protected / encrypted code
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected Generic Downloader
Yara detected Keylogger Generic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Yara detected XWorm
Behaviour
Behavior Graph
Graph ID: 1604527
Sample: DbCMTMgeJo.exe
Start date: 01/02/2025
Architecture: WINDOWS
Score: 100
Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 37 other signatures

Network contacts (domain -> IP, ports, AS, country; contacting process in parentheses):
thebeautylovelytop.top (root level)
getyour.cyou -> 116.202.5.153, HETZNER-ASDE, Germany (Avoiding.com)
warlikedbeliev.org -> 172.67.181.203, ports 443, 49704, 49705, CLOUDFLARENETUS, United States (DbCMTMgeJo.exe)
toppyneedus.biz -> 172.67.149.66, ports 443, 54713, 54714, CLOUDFLARENETUS, United States (c153ad0ce0.exe)
steamcommunity.com -> 104.102.49.254, ports 443, 54736, AKAMAI-ASUS, United States (3 other processes under skotes.exe)
t.me -> 149.154.167.99, TELEGRAMRU, United Kingdom (Avoiding.com)
m.adnxs.com (regsvr32.exe)
185.215.113.16, ports 49712, 80, WHOLESALECONNECTIONSNL, Portugal (DbCMTMgeJo.exe)
185.215.113.43, ports 54710, 54711, 54715, WHOLESALECONNECTIONSNL, Portugal (skotes.exe)
185.215.113.97, ports 54712, 54717, 54725, WHOLESALECONNECTIONSNL, Portugal (skotes.exe)
185.215.113.115, ports 49750, 80, WHOLESALECONNECTIONSNL, Portugal (UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe)
147.45.44.42, FREE-NET-ASFREEnetEU, Russian Federation (5ec73896e9.exe)
91.212.166.99, MOBILY-ASEtihadEtisalatCompanyMobilySA, United Kingdom (regsvr32.exe)
127.0.0.1, unknown (Avoiding.com)
76 other IPs or domains at root level; 3 other IPs or domains from regsvr32.exe

Process tree (dropped files and notable signatures per process):
DbCMTMgeJo.exe (the sample)
  drops: C:\...\UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe (PE32); C:\Users\...UONBTH0X1WAZ900JF4PYRKDM.exe (PE32)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
  starts EUONBTH0X1WAZ900JF4PYRKDM.exe
    drops: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
    signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 3 other signatures
    starts skotes.exe
      signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 3 other signatures
  starts UYYHR2FFXPC7QWGDTJ69V7UUE7H8M00.exe
    signatures: 3 other signatures
skotes.exe (started from the root node)
  drops: C:\Users\user\AppData\...\db8c172567.exe (PE32); C:\Users\user\AppData\...\5ec73896e9.exe (PE32); C:\Users\user\AppData\...\8ec89b23d4.exe (PE32); 11 other malicious files
  signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  starts 63460ff8c7.exe
    drops: C:\Users\user\AppData\Local\Temp\Put (data); 6 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Writes many files with high entropy
    starts cmd.exe
      drops: C:\Users\user\AppData\Local\...\Avoiding.com (PE32)
      signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
      starts Avoiding.com
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      starts cmd.exe
        drops: C:\Users\user\AppData\Local\Temp\36469\L (data)
      starts conhost.exe
      starts 9 other processes
  starts 21aaa725bd.exe
    drops: C:\Users\user\AppData\...\21aaa725bd.tmp (PE32)
    starts 21aaa725bd.tmp
      drops: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32)
      starts 21aaa725bd.exe
        drops: C:\Users\user\AppData\...\21aaa725bd.tmp (PE32)
        starts 21aaa725bd.tmp
          drops: C:\Users\user\...\uxtheme_2.drv (copy) (PE32+); C:\Users\user\AppData\Roaming\is-1MO68.tmp (PE32+); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 4 other files (3 malicious)
          starts regsvr32.exe
            starts regsvr32.exe
              drops: C:\Users\user\AppData\Local\dllhost.exe (PE32+)
              signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; 3 other signatures
              starts powershell.exe
                signatures: Loading BitLocker PowerShell Module
                starts conhost.exe
  starts 5ec73896e9.exe
    drops: C:\Users\user\AppData\Local\...\wr4cnd4b.0.cs (Unicode); C:\Users\user\AppData\...\gaqlxgdr.cmdline (Unicode); C:\Users\user\AppData\Local\...\gaqlxgdr.0.cs (Unicode)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
    starts csc.exe
      drops: C:\Users\user\AppData\Local\...\gaqlxgdr.dll (PE32)
      starts 2 other processes
  starts 3 other processes
    drops: C:\Users\user\AppData\Local\Temp\Soundtrack (data); 4 other malicious files
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
    starts c153ad0ce0.exe
      signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    starts cmd.exe
      drops: C:\Users\user\AppData\...\Macromedia.com (PE32)
      starts cmd.exe
        drops: C:\Users\user\AppData\Local\Temp\764661\F (data)
      starts conhost.exe
      starts 8 other processes
    starts WerFault.exe
svchost.exe
  starts WerFault.exe
svchost.exe
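Three of the Sigma titles in the signature list ("Dot net compiler compiles file from suspicious location", "Potentially Suspicious Child Process Of Regsvr32", "Powershell launch regsvr32") correspond to edges in the process tree: csc.exe compiling a .cmdline file out of a user-writable directory, and regsvr32.exe spawning powershell.exe. The block below is an added example, not the Sigma rules themselves and not anything from the page; the selection logic is my own simplification modelled on those three titles, and it runs over constructed process-creation events that mirror a subset of the tree. The pids, full paths, parent relationships and command lines in the events are assumptions (the page gives none of them), the suspicious-directory list is my choice, and the regsvr32 child list deliberately excludes regsvr32.exe itself because the System32 copy legitimately re-launches the SysWOW64 copy for 32-bit DLLs.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories from which a csc.exe compile is treated as suspicious (assumed list).
SUSPICIOUS_COMPILE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Children of regsvr32.exe that warrant a look. regsvr32.exe itself is excluded because the
# System32 copy legitimately re-launches the SysWOW64 copy for 32-bit DLLs.
REGSVR32_SUSPICIOUS_CHILDREN = frozenset({
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "certutil.exe", "schtasks.exe", "bitsadmin.exe",
})


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation record as an EDR or Sysmon event ID 1 would supply it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


Hit = Tuple[str, int]   # (rule name, pid of the offending process)


def detect(events: List[ProcessEvent]) -> List[Hit]:
    """Evaluate the three process-tree rules over a batch of events, in event order."""
    by_pid = {e.pid: e for e in events}
    hits: List[Hit] = []
    for e in events:
        image = ntpath.basename(e.image).lower()          # ntpath handles backslashes on any OS
        cmdline = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_image = ntpath.basename(parent.image).lower() if parent else ""
        if image == "csc.exe" and any(d in cmdline for d in SUSPICIOUS_COMPILE_DIRS):
            hits.append(("csc_compiles_from_suspicious_location", e.pid))
        if parent_image == "regsvr32.exe" and image in REGSVR32_SUSPICIOUS_CHILDREN:
            hits.append(("regsvr32_suspicious_child", e.pid))
        if parent_image == "powershell.exe" and image == "regsvr32.exe":
            hits.append(("powershell_launches_regsvr32", e.pid))
    return hits


# Constructed events mirroring part of the tree above. Every path, pid and command line is
# an assumption for the example; the regsvr32 argument is not named on the page.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(100, 1, r"C:\Users\user\Desktop\DbCMTMgeJo.exe", "DbCMTMgeJo.exe"),
    ProcessEvent(120, 100, r"C:\Users\user\AppData\Local\Temp\abc\skotes.exe", "skotes.exe"),
    ProcessEvent(130, 120, r"C:\Users\user\AppData\Local\Temp\abc\5ec73896e9.exe", "5ec73896e9.exe"),
    ProcessEvent(140, 130, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gaqlxgdr.cmdline"'),
    ProcessEvent(150, 120, r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\user\AppData\Roaming\<dll not named on the page>"),
    ProcessEvent(151, 150, r"C:\Windows\SysWOW64\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\user\AppData\Roaming\<dll not named on the page>"),
    ProcessEvent(160, 151, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -Command <not given on the page>"),
    ProcessEvent(161, 160, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff"),
    # Benign look-alikes that must not fire.
    ProcessEvent(200, 1, r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"),
    ProcessEvent(210, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
                 r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid} ({ntpath.basename(next(e.image for e in EVENTS if e.pid == pid))})")
```

The parent lookup is by pid within the same batch, which is what makes the regsvr32 rule work without a ParentImage field; on a real feed use the event's own parent-image field and key on process GUIDs, since pids are reused.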
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-02-01 14:48:24 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 38 (55.26%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction: https://toppyneedus.biz/api
Verdict: Malicious
Tags: lumma_stealer stealc lumma stealer c2
YARA: n/a

Unpacked files
SHA256 hash: 3d83cf52de7cfc71098000ef417bd44bfe7e43361a5d9f0271f9dc64beb4ebc0
MD5 hash: da3fb8da648db71e2c49f66611546870
SHA1 hash: d47c82e6cf6c5ea907dec649a0d4d1ec0461f291

SHA256 hash: 9911fd0a27e8221ca6be055443e9dda8985e9f79c761efb6ecabaa095567ec71
MD5 hash: 23482d0db1c18055f4fd4620bb6c49e8
SHA1 hash: a96d3e9cc9dada2e9f207904c8142b97dd06e5b5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_lumma_2eabe9054cad5152567f0699947a2c5b
Author:dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
File: Executable exe 9911fd0a27e8221ca6be055443e9dda8985e9f79c761efb6ecabaa095567ec71 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
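All three findings are read straight from the PE headers: the DllCharacteristics word at offset 70 of the optional header (the same offset in PE32 and PE32+) and the Certificate Table entry of the data directory (index 4, whose first field is a file offset rather than an RVA). The block below is an added example, not BLint's code and not anything from the page, that performs the same checks with the Python standard library alone and emits the finding IDs BLint prints. It runs on constructed header stubs (a hardened PE32+ and two unhardened headers) built by the included build_header helper, which are fixtures assumed for the example and not bytes from this sample; pass a file path to inspect a real binary. Two caveats apply when reading this kind of output. HIGH_ENTROPY_VA only takes effect on 64-bit images, so the example reports CHECK_DLL_CHARACTERISTICS only for PE32+ (a deliberate deviation from BLint, which reported it for this sample); on a 32-bit file the missing NX_COMPAT and DYNAMIC_BASE bits are the actionable part. And a non-empty certificate directory only shows that a signature blob is present, not that it verifies; validating the PKCS#7 blob and its chain is a separate step this code does not attempt.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec), optional header offset 70 in PE32 and PE32+.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR with high-entropy addresses (PE32+ only)
    0x0040: "DYNAMIC_BASE",      # image can be relocated at load time (ASLR)
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP: data pages are non-executable
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",          # Control Flow Guard
}
PE32, PE32PLUS = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Certificate Table (Authenticode signature blob)


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS/NT headers and report the three BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 96 or len(data) < opt + opt_size:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unsupported optional header magic 0x{magic:x}")
    is_64 = magic == PE32PLUS
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    # NumberOfRvaAndSizes and the data directory array sit 16 bytes later in PE32+.
    (n_dirs,) = struct.unpack_from("<I", data, opt + (108 if is_64 else 92))
    dirs = opt + (112 if is_64 else 96)
    cert_offset = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        cert_offset, cert_size = struct.unpack_from(
            "<II", data, dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if dll_chars & bit]

    findings = []                      # same IDs BLint prints
    if cert_size == 0:
        findings.append("CHECK_AUTHENTICODE")
    if is_64 and "HIGH_ENTROPY_VA" not in flags:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    if "NX_COMPAT" not in flags:
        findings.append("CHECK_NX")
    return {
        "machine": machine,
        "is_64bit": is_64,
        "dll_characteristics": flags,
        "aslr": "DYNAMIC_BASE" in flags,
        "has_authenticode_blob": cert_size > 0,   # presence only; the signature is not verified
        "findings": findings,
    }


def build_header(magic: int, dll_chars: int, cert_size: int) -> bytes:
    """Constructed minimal PE header (no sections, no code) used as an offline test fixture.

    These bytes are assumed for the example; they are not taken from the sample.
    """
    is_64 = magic == PE32PLUS
    opt_size = 240 if is_64 else 224          # standard sizes with 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if is_64 else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108 if is_64 else 92, 16)
    if cert_size:
        struct.pack_into("<II", opt, (112 if is_64 else 96) + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         0x400, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


HARDENED_64 = build_header(PE32PLUS, 0x0020 | 0x0040 | 0x0100 | 0x4000, 0x2000)
UNHARDENED_32 = build_header(PE32, 0, 0)
UNHARDENED_64 = build_header(PE32PLUS, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # inspect a real file when a path is given
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read()))
    else:
        for label, blob in (("hardened PE32+", HARDENED_64),
                            ("unhardened PE32", UNHARDENED_32),
                            ("unhardened PE32+", UNHARDENED_64)):
            print(label, inspect_pe(blob))
```

For a malware sample these flags say little about risk on their own (a packer often strips them), but the same check applied to your own release builds is a cheap pipeline gate for NX, ASLR and signing.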

Comments