MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
SHA3-384 hash: 225bec922b738a2853aea703b38f9f895a5cc3912a4f851d55845861446b0c816a1cb054658aa16d9165b8aa37453ef7
SHA1 hash: 6ca32f3db167beda33d8b9903a91ff2c1b51aec0
MD5 hash: 6c55d0495023ce5093f71bd6b73ac77b
humanhash: aspen-zebra-california-india
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'895'424 bytes
First seen:2025-06-03 06:27:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:UZPcFVhrYcUGzjuRstHdXNP1S/ojYMZwkpGYDy:+PcdYcHtHE/oBZwkQL
Threatray 2 similar samples on MalwareBazaar
TLSH T1A595335A0EB70B6DDC22197E9CCEE60177693214250F263CBD287D332DBF1A189DCA64
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
407
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-02 08:11:15 UTC
Tags:
amadey botnet stealer loader lumma auto-reg telegram asyncrat rat gcleaner pentagon evasion github rdp themida cybergate vidar auto generic
Link:
https://app.any.run/tasks/5bb53ec9-2e6c-49ef-bcc0-d7935ca12b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6979/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683e96b48bd5d68a12e43dc8
Tags:
phishing autorun spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Behavior that indicates a threat
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/683e96258fe97b0b5579ba38/reports/1dd2c2fa-2750-4e66-8745-93c3dc0a6ae2/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a6128f1c-179d-428a-af1d-0b7bb9348257
Result
Threat name:
Amadey, AsyncRAT, LummaC Stealer, Quasar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1704589
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Quasar RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1704589 Sample: random.exe Startdate: 03/06/2025 Architecture: WINDOWS Score: 100 67 witchdbhy.run 2->67 69 tinklertjp.bet 2->69 71 16 other IPs or domains 2->71 87 Suricata IDS alerts for network traffic 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 15 other signatures 2->93 10 random.exe 1 2->10         started        15 ramez.exe 1 27 2->15         started        17 d5723d19bf.exe 2->17         started        19 Runtime Broker.exe 2->19         started        signatures3 process4 dnsIp5 79 185.156.72.2, 49736, 49740, 49743 ITDELUXE-ASRU Russian Federation 10->79 81 witchdbhy.run 195.82.147.188, 443, 49714, 49718 DREAMTORRENT-CORP-ASRU Russian Federation 10->81 85 2 other IPs or domains 10->85 57 C:\Users\user\...\WRIFRCZZV61PR0G1Q.exe, PE32 10->57 dropped 129 Detected unpacking (changes PE section rights) 10->129 131 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->131 133 Query firmware table information (likely to detect VMs) 10->133 147 5 other signatures 10->147 21 WRIFRCZZV61PR0G1Q.exe 4 10->21         started        83 185.156.72.96, 49738, 49739, 49741 ITDELUXE-ASRU Russian Federation 15->83 59 C:\Users\user\AppData\Local\...\sGe7ljJ.exe, PE32 15->59 dropped 61 C:\Users\user\AppData\Local\...\OVxH8pV.exe, PE32 15->61 dropped 63 C:\Users\user\AppData\Local\...\OVxH8pV.exe, PE32 15->63 dropped 65 4 other malicious files 15->65 dropped 135 Contains functionality to start a terminal service 15->135 137 Hides threads from debuggers 15->137 139 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->139 25 d5723d19bf.exe 15->25         started        27 OVxH8pV.exe 5 15->27         started        29 sGe7ljJ.exe 15->29         started        31 OVxH8pV.exe 15->31         started        141 Found many strings related to Crypto-Wallets (likely being stolen) 17->141 143 Tries to steal Crypto Currency Wallets 17->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 17->145 33 chrome.exe 17->33         started        file6 signatures7 process8 file9 51 C:\Users\user\AppData\Local\...\ramez.exe, PE32 21->51 dropped 105 Antivirus detection for dropped file 21->105 107 Contains functionality to start a terminal service 21->107 109 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 21->109 127 5 other signatures 21->127 35 ramez.exe 21->35         started        111 Detected unpacking (changes PE section rights) 25->111 113 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->113 115 Tries to harvest and steal browser information (history, passwords, etc) 25->115 117 Tries to steal Crypto Currency Wallets 25->117 53 C:\Users\user\AppData\...\Runtime Broker.exe, PE32 27->53 dropped 119 Found many strings related to Crypto-Wallets (likely being stolen) 27->119 121 Uses schtasks.exe or at.exe to add and modify task schedules 27->121 123 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->123 38 Runtime Broker.exe 2 27->38         started        41 schtasks.exe 1 27->41         started        55 C:\Users\user\AppData\Local\Temp\Vs.xltx, DOS 29->55 dropped 125 Multi AV Scanner detection for dropped file 29->125 43 chrome.exe 33->43         started        signatures10 process11 dnsIp12 95 Antivirus detection for dropped file 35->95 97 Detected unpacking (changes PE section rights) 35->97 99 Contains functionality to start a terminal service 35->99 103 6 other signatures 35->103 73 46.247.108.161, 49750, 5135 FLUIDATAGB United Kingdom 38->73 75 ipwho.is 108.181.98.179, 443, 49754 ASN852CA Canada 38->75 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->101 45 schtasks.exe 38->45         started        47 conhost.exe 41->47         started        77 www.google.com 173.194.208.99, 443, 49762, 49763 GOOGLEUS United States 43->77 signatures13 process14 process15 49 conhost.exe 45->49         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-06-02 10:57:25 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ueq5rczqsucx6e4s6da2lzyvdh3dq5jldh3xaeeh4spbdjgbsj4a._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
LummaStealer
b790be43ada8b01c7ad315d2c3f19f98cbedef60a90636f51e73441fd6654612
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250603-g8e2raywdx/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://battlefled.top/gaoi
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://witchdbhy.run/pzal
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1e7244c3-62b3-4e6d-8594-f625e11a6bfc
Unpacked files
SH256 hash:
a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278
MD5 hash:
6c55d0495023ce5093f71bd6b73ac77b
SHA1 hash:
6ca32f3db167beda33d8b9903a91ff2c1b51aec0
Link:
https://www.unpac.me/results/26e7b72e-c304-4a6c-bbb3-8ec0d0f270f2/
SH256 hash:
e8dbf71088eacb0c9c3b60c85688ad5235e3eba146d81d85b2c0bbf966cff771
MD5 hash:
5964ad0e093d21f0cb8fce193a75de6f
SHA1 hash:
15c5d354c12208c9c06e06efa418095cc8d64271
Link:
https://www.unpac.me/results/26e7b72e-c304-4a6c-bbb3-8ec0d0f270f2/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a121d88b3095/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a121d88b3095057f1392f0c1a5e71519f638752b19f7701087e49e11a4c19278

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/6979/

Comments