MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a09c67b9196a67357dc2676f9cfcac4d0186a3ae5816729b8843ebdc7f0bc0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14



SHA256 hash: 9a09c67b9196a67357dc2676f9cfcac4d0186a3ae5816729b8843ebdc7f0bc0f
SHA3-384 hash: 6935e054374d91c5082a098e39a31d612822a851b016be6bcbf9a2019c6795a03e3dcd7548169377b86e77ce1c742151
SHA1 hash: f0d1860b5014a2d8afb5bf088b13b3a7df9519fd
MD5 hash: 9b8816d8e30983e0c932e9081689313d
humanhash: yankee-twenty-potato-eight
File name: random.exe
Signature: LummaStealer
File size: 1'904'640 bytes
First seen: 2025-01-17 16:44:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:V5jzYlTgha/ooQh5Dp+TRiT2vgLWVnomrDoEJO+MRCLr:fATghagpHp+TtgLWVLrDzJpM8
TLSH: T1C8953376DC6230D5F539C5B71A29B73FD91C5B205EF822C127A462261F66EEB300E632
TrID:
  42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
  19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  19.0% (.EXE) Generic Win/DOS Executable (2002/3)
  18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: aachum
Tags: exe LummaStealer


iamaachum
185.215.113.16/luma/random.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-01-17 16:36:50 UTC
Tags: lumma stealer themida loader stealc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: autorun lien
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Behavior that indicates a threat
DNS request
Connection attempt
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: LummaC2 Stealer
Verdict: Malicious
Result
Threat name: LummaC, Amadey, Babadeda, LummaC Stealer, KeyLogger, LummaC Steale
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allows apps to access location
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-01-17 16:36:50 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: discovery evasion
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict: Suspicious
Tags: c2 stealer lumma_stealer doh lumma
YARA: n/a
Unpacked files
SHA256 hash: b7d3d818a0f658200dddc24a260079ee80fbc3f2b95b4c8f10d97a665923c335
MD5 hash: eb83a1ff49597a646c4eb9079aaf6ae4
SHA1 hash: f8486d164e29810c97b91c01531eaa566156a38e
SHA256 hash: 9a09c67b9196a67357dc2676f9cfcac4d0186a3ae5816729b8843ebdc7f0bc0f
MD5 hash: 9b8816d8e30983e0c932e9081689313d
SHA1 hash: f0d1860b5014a2d8afb5bf088b13b3a7df9519fd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  LummaStealer
    Executable exe 9a09c67b9196a67357dc2676f9cfcac4d0186a3ae5816729b8843ebdc7f0bc0f (this sample)
      Dropped by: Amadey
      Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                        | Title                                                        | Severity
--------------------------|--------------------------------------------------------------|---------
CHECK_AUTHENTICODE        | Missing Authenticode                                         | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)       | high
CHECK_NX                  | Missing Non-Executable Memory Protection                     | critical

Comments