MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aee5e91751a25d06f15c226bc70cb0d9c88a54918c432244bc1787d4baab8384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 15

SHA256 hash: aee5e91751a25d06f15c226bc70cb0d9c88a54918c432244bc1787d4baab8384
SHA3-384 hash: 946287d194e03d940e8ec9787e332a8a4f69545aaba78c0ae31dd45ce1d5353ae4c243a006abce0dd23a09f27d0f13eb
SHA1 hash: e057f193b1369d7fe7729b59e51c5c2ae1c73fa9
MD5 hash: 12588ad8266f78013bcef17d1a204933
humanhash: butter-fish-cup-video
File name: 12588ad8266f78013bcef17d1a204933.exe
Download: download sample
Signature: LummaStealer
File size: 1'864'192 bytes
First seen: 2025-02-02 06:39:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:uTdpgAQgLVZ3IVigpnTwPBPK7WsJjunsHRT:uTdp+gLV9si0sBPK7tJzRT
TLSH: T19285334E1CBC187FD45947FEA6C722587BB8B61059420234E538B87ECBB7B9A0C93D64
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence

File Origin
# of uploads: 1
# of downloads: 455
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 12588ad8266f78013bcef17d1a204933.exe
Verdict: Malicious activity
Analysis date: 2025-02-02 07:03:56 UTC
Tags: lumma stealer themida loader stealc amadey botnet credentialflusher telegram

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, LummaC Stealer, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Uses Register-ScheduledTask to add task schedules
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript called in batch mode (suppress errors)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1604928, Sample: oaBqkImU6R.exe, Startdate: 02/02/2025, Architecture: WINDOWS, Score: 100

Top-level IPs/domains: UrDtxPvdestkLUKCgdoC.UrDtxPvdestkLUKCgdoC; DGGKjBirXBdcY.DGGKjBirXBdcY; 32 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 21 other signatures

Process tree (indentation shows parent/child; "network", "dropped" and "signatures" lines belong to the process above them):

oaBqkImU6R.exe
  network: 185.215.113.16 (ports 49714, 49715, 80; WHOLESALECONNECTIONSNL, Portugal); warlikedbeliev.org 172.67.181.203 (ports 443, 49706, 49707; CLOUDFLARENETUS, United States)
  dropped: C:\Users\user\...\PT6MNTDM2CSK3U9W2989W1J.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 6 other signatures
  PT6MNTDM2CSK3U9W2989W1J.exe
    dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
    signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
    skotes.exe
      network: 185.215.113.43 (ports 61687, 61688, 61689; WHOLESALECONNECTIONSNL, Portugal); 185.215.113.97 (ports 61695, 61710, 61713; WHOLESALECONNECTIONSNL, Portugal)
      dropped: C:\Users\user\AppData\...\e18d636f08.exe (PE32); C:\Users\user\AppData\...\8b5cf17642.exe (PE32); C:\Users\user\AppData\...\f10455927a.exe (PE32); 5 other malicious files
      signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 6 other signatures
      8b5cf17642.exe
        dropped: C:\Users\user\AppData\...\8b5cf17642.tmp (PE32)
        signatures: Multi AV Scanner detection for dropped file
        8b5cf17642.tmp
          dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
          8b5cf17642.exe
            dropped: C:\Users\user\AppData\...\8b5cf17642.tmp (PE32)
            8b5cf17642.tmp
              dropped: C:\Users\user\...\uxtheme_2.drv (copy) (PE32+); C:\Users\user\AppData\Roaming\is-0PAAE.tmp (PE32+); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 4 other malicious files
              regsvr32.exe
                regsvr32.exe
                  signatures: Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses Register-ScheduledTask to add task schedules
                  powershell.exe
                    signatures: Loading BitLocker PowerShell Module
      f10455927a.exe
        network: steamcommunity.com 104.102.49.254 (ports 443, 61711; AKAMAI-ASUS, United States)
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 5 other signatures
      e18d636f08.exe
        cmd.exe
          dropped: C:\Users\user\AppData\...\Macromedia.com (PE32)
          Macromedia.com
            dropped: C:\Users\user\AppData\...\AchillesGuard.com (PE32); C:\Users\user\AppData\...\AchillesGuard.js (ASCII)
            signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
            schtasks.exe
              conhost.exe
          conhost.exe
          tasklist.exe
          9 other processes
      ffb3ad5f2d.exe
        cmd.exe
          dropped: C:\Users\user\AppData\Local\...\Avoiding.com (PE32)
          signatures: Drops PE files with a suspicious file extension
          Avoiding.com
            network: t.me 149.154.167.99 (ports 443, 61722; TELEGRAMRU, United Kingdom); getyour.cyou 116.202.5.153 (ports 443, 61723, 61725; HETZNER-ASDE, Germany)
            signatures: Attempt to bypass Chrome Application-Bound Encryption; Tries to harvest and steal browser information (history, passwords, etc)
            chrome.exe
              network: 239.255.255.250 (unknown, Reserved)
              chrome.exe
                network: play.google.com 142.250.185.238 (ports 443, 61758; GOOGLEUS, United States); www.google.com 172.217.18.100 (ports 443, 61740, 61741; GOOGLEUS, United States); 2 other IPs or domains
          conhost.exe
          tasklist.exe
          9 other processes
skotes.exe
  signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
skotes.exe
3 other processes
  network: 127.0.0.1 (unknown)
Threat name: Win32.Trojan.Symmi
Status: Malicious
First seen: 2025-02-02 06:40:21 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict: Malicious
Tags: lumma_stealer c2 stealer lumma
YARA: n/a
Unpacked files
SHA256 hash: c264e2641505b04ab78a9746d1131a091a3df00ac55c3a8cf8622b1815d3647a
MD5 hash: 78a30302b97976739e498fb87063833d
SHA1 hash: cade8ce525d89af2c09ae99c4465d6e3cb524ce9

SHA256 hash: aee5e91751a25d06f15c226bc70cb0d9c88a54918c432244bc1787d4baab8384
MD5 hash: 12588ad8266f78013bcef17d1a204933
SHA1 hash: e057f193b1369d7fe7729b59e51c5c2ae1c73fa9
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_lumma_2eabe9054cad5152567f0699947a2c5b
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe aee5e91751a25d06f15c226bc70cb0d9c88a54918c432244bc1787d4baab8384 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical

Comments