MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61
SHA3-384 hash: aac82eda51d6295fe22de46fd469cf114a9ebc6bbfa351d818dbad65c7c4ed262027f5b9ffcfac92390da75123acc9ed
SHA1 hash: 4f6f66dfa048e2b1159f293f7201a5bb79c65d80
MD5 hash: bffbbfe4af975a31b952ddc5692a9643
humanhash: table-texas-diet-grey
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'868'288 bytes
First seen:2025-04-10 18:51:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:eZ/DFU1EnbkOKJKWWgN95A/RGPPXCYuZQSo4v:4FqsZKYy58GnX1NS
TLSH T1158533AE4B3C1CA4D517027080F3D3256BB2BF40678B982DBBA56954AC33DF47676CA1
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
424
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-10 22:35:11 UTC
Tags:
lumma stealer themida loader amadey botnet rdp
Link:
https://app.any.run/tasks/5e56eb3b-af1c-4689-8cba-ac8a5caa72a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1714/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f81aa51dba888a93cf954d
Tags:
phishing autorun mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected
Link:
https://www.filescan.io/uploads/67f8135a40adfb5162befb6b/reports/975ed964-0ca1-412b-b526-ea6f4df06009/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6aa2cf59-37ed-43dd-a1e8-a39e8b545cb4
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1662453
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Contains functionality to steal Chrome passwords or cookies
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1662453 Sample: random.exe Startdate: 10/04/2025 Architecture: WINDOWS Score: 100 47 api.telegram.org 2->47 49 clarmodq.top 2->49 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 85 15 other signatures 2->85 8 random.exe 1 2->8         started        13 rapes.exe 25 2->13         started        15 rapes.exe 2->15         started        signatures3 83 Uses the Telegram API (likely for C&C communication) 47->83 process4 dnsIp5 51 176.113.115.7, 49694, 49705, 49711 SELECTELRU Russian Federation 8->51 53 clarmodq.top 104.21.85.126, 443, 49685, 49688 CLOUDFLARENETUS United States 8->53 37 C:\...\475B7SQBAAGMQ6B7BQS7FVY16UEW8GC.exe, PE32 8->37 dropped 87 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->87 89 Query firmware table information (likely to detect VMs) 8->89 91 Tries to evade debugger and weak emulator (self modifying code) 8->91 101 2 other signatures 8->101 17 475B7SQBAAGMQ6B7BQS7FVY16UEW8GC.exe 4 8->17         started        21 WerFault.exe 22 16 8->21         started        55 176.113.115.6, 49703, 49704, 49707 SELECTELRU Russian Federation 13->55 39 C:\Users\user\AppData\Local\...\B4Wpwz6.exe, PE32+ 13->39 dropped 41 C:\Users\user\AppData\Local\...\qpcs7x5.exe, PE32 13->41 dropped 43 C:\Users\user\AppData\Local\...\W2qIltP.exe, PE32 13->43 dropped 45 5 other malicious files 13->45 dropped 93 Contains functionality to start a terminal service 13->93 95 Hides threads from debuggers 13->95 97 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->97 23 W2qIltP.exe 13->23         started        25 nlFzRLV.exe 11 13->25         started        28 qpcs7x5.exe 13->28         started        99 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 15->99 file6 signatures7 process8 dnsIp9 33 C:\Users\user\AppData\Local\...\rapes.exe, PE32 17->33 dropped 59 Antivirus detection for dropped file 17->59 61 Detected unpacking (changes PE section rights) 17->61 63 Contains functionality to start a terminal service 17->63 73 5 other signatures 17->73 30 rapes.exe 17->30         started        35 C:\ProgramData\Microsoft\...\Report.wer, Unicode 21->35 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->65 67 Query firmware table information (likely to detect VMs) 23->67 69 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->69 75 3 other signatures 23->75 57 api.telegram.org 149.154.167.220, 443, 49706, 49708 TELEGRAMRU United Kingdom 25->57 71 Contains functionality to steal Chrome passwords or cookies 25->71 file10 signatures11 process12 signatures13 103 Antivirus detection for dropped file 30->103 105 Detected unpacking (changes PE section rights) 30->105 107 Contains functionality to start a terminal service 30->107 109 4 other signatures 30->109
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61/
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 13:59:36 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u7ps3eanan5wr3yoekq3hcc53faycgerazixuv3knthdkvwblrqq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250410-xh4v7azwet/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://dclarmodq.top/qoxo
https://soursopsf.run/gsoiao
https://changeaie.top/geps
https://3easyupgw.live/eosz
https://mliftally.top/xasj
https://upmodini.digital/gokk
https://salaccgfa.top/gsooz
https://mzestmodp.top/zeda
https://xcelmodo.run/nahd
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9da66e51-e114-4e42-a3c6-7254f9fdc72b
Unpacked files
SH256 hash:
a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61
MD5 hash:
bffbbfe4af975a31b952ddc5692a9643
SHA1 hash:
4f6f66dfa048e2b1159f293f7201a5bb79c65d80
Link:
https://www.unpac.me/results/7a0ae10e-f95d-47f2-a673-0a3d07a4f994/
SH256 hash:
2ed673966109d95eb74ab2431f094dcb2a55220bb95af97afd57bde0453b8939
MD5 hash:
96127dcfc6a87f330fec2c56d69ff921
SHA1 hash:
adb8ae61a1827b4ec00b23b66a9a2b4472c9a896
Link:
https://www.unpac.me/results/7a0ae10e-f95d-47f2-a673-0a3d07a4f994/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a7df2d900d03/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a7df2d900d037b68ef0e22a1b3885dd94181189106517a576a6cce3556c15c61

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452044/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/1714/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments