MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9180506bccc383d2fbd08b71cf8f24f36827bae1fae11fbb62e5c1dbf77cea6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16

SHA256 hash: a9180506bccc383d2fbd08b71cf8f24f36827bae1fae11fbb62e5c1dbf77cea6
SHA3-384 hash: de40a1e04047715c4de31029a0cbfa07909824d2d4efa529c434a6ca1eb71d61958fc226a21a696006c4cac84474dee0
SHA1 hash: db02588f39cbc3a198b54cad0027b84529812c24
MD5 hash: 4ff7b57bcc3cb7758ceb9054dceda582
humanhash: sink-lactose-edward-lima
File name: v7942.exe
Signature: LummaStealer
File size: 1'742'848 bytes
First seen: 2025-04-03 06:55:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a0b72f709ebc465cfce6b6cf21367efe (33 x LummaStealer, 6 x Vidar, 2 x Rhadamanthys)
ssdeep: 24576:6BPaEPGQ0kDly0a1bLn4AL2k86kz23hwx:6cyI11fhLjk4hwx
Threatray: 19 similar samples on MalwareBazaar
TLSH: T140851ABF71973549FE624C30AFECB670CB97287ACE2BEAF14591A0302935092EC56517
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 446
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-03 06:43:48 UTC
Tags: amadey botnet stealer loader lumma auto generic telegram vidar themida rdp credentialflusher

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 81.4%
Tags: virus crypt

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: crypt lolbin microsoft_visual_cc msbuild packed packed packer_detected
Result
Threat name: PureCrypter, LummaC Stealer, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Creates / moves files in alternative data streams (ADS)
Creates HTML files with .exe extension (expired dropper behavior)
Detected PureCrypter Trojan
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1655327, sample v7942.exe, start date 03/04/2025, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win64.Trojan.CrypterX
Status: Malicious
First seen: 2025-04-03 01:06:15 UTC
File Type: PE+ (Exe)
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:lumma family:vidar botnet:928af183c2a2807a3c0526e8c0c9369d credential_access discovery persistence spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Uses browser remote debugging
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
Vidar
Vidar family
Malware Config
C2 Extraction:
Verdict: Malicious
Tags: stealc
YARA: n/a

Unpacked files
SHA256 hash: a9180506bccc383d2fbd08b71cf8f24f36827bae1fae11fbb62e5c1dbf77cea6
MD5 hash: 4ff7b57bcc3cb7758ceb9054dceda582
SHA1 hash: db02588f39cbc3a198b54cad0027b84529812c24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: LummaStealer, Executable exe a9180506bccc383d2fbd08b71cf8f24f36827bae1fae11fbb62e5c1dbf77cea6 (this sample)

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileW
