MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7c59aafd519e5290c3180bca5f244f12c84076be98ab5734b9b216daf4c0bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15



SHA256 hash: b7c59aafd519e5290c3180bca5f244f12c84076be98ab5734b9b216daf4c0bf6
SHA3-384 hash: d2fabcc7d26a60d7798de453e19d6f8439c01b533c1d8f3e5f40e7d7289f51229b46cfcfa7f414f01a6bf4b7928c1c7e
SHA1 hash: 07417c784d37abc9adf0a3bf2efc21c5fa23fd46
MD5 hash: e56d269e63ad6e06c7ecf2e96d76f469
humanhash: five-twenty-idaho-mango
File name: e56d269e63ad6e06c7ecf2e96d76f469.exe
Signature: LummaStealer
File size: 1'907'200 bytes
First seen: 2025-05-22 05:57:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:8l+O9y0hA/hnEC7b6s/ftmFk3WH3bm6VbTK30Pbw6Y0mBX:EZ9ImC7b8e3q3a6VbTKkSx
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1849533AA0C93DF3DCB922F7492D6D54F3E8DC7620B7848B6C5AD53B84AECB02A305515
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 400
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: e56d269e63ad6e06c7ecf2e96d76f469.exe
Verdict: Malicious activity
Analysis date: 2025-05-22 06:51:57 UTC
Tags: lumma stealer loader themida amadey botnet python evasion telegram screenconnect rmm-tool auto-startup auto-sch remote rdp miner arch-doc gcleaner auto pyinstaller

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: phishing autorun

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt packed packed packer_detected xpack

Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID 1696537; sample VmcaD1vzEK.exe; start date 22/05/2025; architecture WINDOWS; score 100), flattened from the graph image into a process tree:

Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); Uses the Telegram API (likely for C&C communication); 18 other signatures.
Root-level network: api.telegram.org; bullhevrgg.live; 7 other IPs or domains.

VmcaD1vzEK.exe (the sample)
  network: 185.156.72.2:80 (ITDELUXE-AS, Russian Federation; local ports 49696, 49704); cornerdurv.top at 104.21.32.1:443 (CLOUDFLARENET, United States; local ports 49682, 49683)
  drops: C:\Users\...\M53ZKOGEY3CEDEM3HNI45FDVTJ4K.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 7 other signatures
  M53ZKOGEY3CEDEM3HNI45FDVTJ4K.exe
    drops: C:\Users\user\AppData\Local\...\ramez.exe (PE32)
    signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 6 other signatures
    ramez.exe
      network: 185.156.72.96:80 (ITDELUXE-AS, Russian Federation; local ports 49702, 49703); counterstrike2cheats.com at 172.67.188.15 (CLOUDFLARENET, United States)
      drops: C:\Users\user\AppData\Local\...\fPbjy1Q.exe (PE32+); C:\Users\user\AppData\Local\...\ntSPwd3.exe (PE32+); C:\Users\user\AppData\...\9e498ed339.exe (PE32); 18 other malicious files
      signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect sandboxes and other dynamic analysis tools (window names); 6 other signatures
      TGM8VUj.exe
        drops: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python313.dll (PE32+); 26 other malicious files (a bundled Python runtime, consistent with the pyinstaller tags)
        TGM8VUj.exe (child instance)
          network: ip-api.com at 208.95.112.1 (TUT-AS, United States); api.telegram.org at 149.154.167.220 (TELEGRAM, United Kingdom)
      b1a58f4a89.exe
        drops: C:\Users\user\AppData\Local\...\nircmd.exe (PE32+); C:\Users\user\AppData\Local\...\cecho.exe (PE32); C:\Users\user\AppData\Local\...77SudoLG.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32)
        cmd.exe (signature: Uses cmd line tools excessively to alter registry or file data)
          conhost.exe
          cmd.exe (signature: Uses cmd line tools excessively to alter registry or file data)
            reg.exe (signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)); child: Conhost.exe
            cmd.exe; child: tasklist.exe
            conhost.exe
            23 other processes
      fa3e2ad93f.exe
        signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Injects a PE file into a foreign processes
ramez.exe (second instance, started at top level)
  signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)
svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
6 other processes
  network: 127.0.0.1; child: Conhost.exe
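The autostart signatures in the list above ("Creates multiple autostart registry keys", "Sigma detected: New RUN Key Pointing to Suspicious Folder") are easy to reproduce as detection logic over Sysmon registry value-set events (Event ID 13). The script below is an added example and not code from MalwareBazaar, Joe Sandbox or the Sigma project; the event records are constructed, the suspicious-folder list is my approximation of what the public Sigma rule looks for rather than a copy of it, and the allowlist entry is an illustrative example of how a known-good AppData launcher is excluded.

```python
"""Flag Run/RunOnce values that point into user-writable folders, and images
that register several autostart values. Added example over constructed
Sysmon-style events; folder list approximates the Sigma rule, not its text."""
import re
from collections import Counter

# HKU\...\Software\Microsoft\Windows\CurrentVersion\Run\<value>, with the
# 32-bit Wow6432Node redirect allowed.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Folders a persistence entry should rarely launch from (approximation, lower-case).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
    "%temp%", "%appdata%", "%localappdata%",
)
# Example allowlist: launchers that legitimately live under AppData.
ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\",)


def first_path(details):
    """Pull the executable path out of a Run value, handling quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        close = d.find('"', 1)
        return d[1:close] if close != -1 else d[1:]
    m = re.match(r"(.+?\.(?:exe|cmd|bat|vbs|js|ps1|dll|scr))(?:\s|$)", d, re.I)
    return m.group(1) if m else d.split(" ")[0]


def is_suspicious_run_value(target, details):
    if not RUN_KEY_RE.search(target):
        return False
    path = first_path(details).lower()
    if any(a in path for a in ALLOWLIST):
        return False
    return any(s in path for s in SUSPICIOUS_DIRS)


def detect(events):
    """Return (rule, image, target, details) tuples for the two rules."""
    alerts, per_image = [], Counter()
    for e in events:
        if e.get("EventID") != 13:          # Sysmon RegistryEvent (Value Set) only
            continue
        if RUN_KEY_RE.search(e["TargetObject"]):
            per_image[e["Image"]] += 1
        if is_suspicious_run_value(e["TargetObject"], e["Details"]):
            alerts.append(("run_key_suspicious_folder", e["Image"], e["TargetObject"], e["Details"]))
    for image, n in per_image.items():
        if n >= 2:
            alerts.append(("multiple_autostart_keys", image, f"{n} Run/RunOnce values set", ""))
    return alerts


# Constructed events: one benign OneDrive entry, one benign vendor tray entry,
# two persistence entries written by a hypothetical stage2.exe dropped into
# %LOCALAPPDATA%\Temp (mirroring the drop locations in the graph above), one
# unrelated registry write and one non-registry event.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Local\Temp\stage2.exe"},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svc",
     "Details": r'"C:\ProgramData\svc\svc.exe" -q'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
     "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(" | ".join(alert))
```

Run as-is it prints two `run_key_suspicious_folder` hits for stage2.exe and one `multiple_autostart_keys` hit; the OneDrive value is suppressed by the allowlist even though it lives under AppData\Local, which is the kind of exclusion that keeps this rule usable on real endpoints.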
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-05-22 01:49:01 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:donutloader family:lumma botnet:8d33eb defense_evasion discovery execution exploit loader persistence pyinstaller ransomware spyware stealer trojan
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Opens file in notepad (likely ransom note)
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Enumerates processes with tasklist
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Possible privilege escalation attempt
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://dcornerdurv.top/adwq
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://klocalixbiw.top/zlpa
https://lkorxddl.top/qidz
https://citellcagt.top/gjtu
https://.cornerdurv.top/adwq
https://rnarrathfpt.top/tekq
https://8escczlv.top/bufi
https://localixbiw.top/zlpa
https://3y7korxddl.top/qidz
http://185.156.72.96
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
http://lovematchmagic.com/read.zip
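The C2 list above contains several pairs of entries that share a path but differ in a leading character or two of the hostname (for example `/adwq` on both `dcornerdurv.top` and `.cornerdurv.top`, while the behaviour graph shows the sample actually resolving `cornerdurv.top`). That pattern is typical of automated config extraction picking up junk bytes around a domain string, and blocking the malformed variants verbatim wastes effort. The script below is an added example, not MalwareBazaar or sandbox code: it parses the list as printed on this page, defangs it, rejects syntactically invalid hosts, groups hosts by path and proposes the shared suffix as the likely real domain. The suffix rule is a heuristic of mine and needs confirming against observed traffic before use.

```python
"""Normalise a sandbox C2 extraction list: dedupe, defang, validate hostnames
and group by path to spot corrupted extractions of one domain.
Added example; input copied from the Malware Config block of this entry."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

EXTRACTED = [
    "https://dcornerdurv.top/adwq", "https://narrathfpt.top/tekq",
    "https://escczlv.top/bufi", "https://klocalixbiw.top/zlpa",
    "https://lkorxddl.top/qidz", "https://citellcagt.top/gjtu",
    "https://.cornerdurv.top/adwq", "https://rnarrathfpt.top/tekq",
    "https://8escczlv.top/bufi", "https://localixbiw.top/zlpa",
    "https://3y7korxddl.top/qidz", "http://185.156.72.96",
    "http://185.156.72.2/testmine/random.exe", "http://lovematchmagic.com/read.zip",
]

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def valid_hostname(host):
    """RFC 1123 syntax check; an empty label such as in '.cornerdurv.top' fails."""
    if not host or len(host) > 253 or is_ip(host):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def defang(url):
    """hxxp and [.] form so the indicator is not clickable or auto-linked."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def parse(urls):
    """One record per unique URL, in input order."""
    records = []
    for url in dict.fromkeys(urls):
        parts = urlsplit(url)
        host = parts.hostname or ""
        records.append({
            "url": url, "defanged": defang(url), "host": host, "path": parts.path,
            "is_ip": is_ip(host), "valid_host": is_ip(host) or valid_hostname(host),
        })
    return records


def group_by_path(records):
    """Lumma uses one path per C2 domain, so two hosts on one path usually
    means one real domain plus a corrupted copy of it."""
    groups = defaultdict(set)
    for r in records:
        if r["path"] and not r["is_ip"]:
            groups[r["path"]].add(r["host"])
    return {p: sorted(h) for p, h in groups.items()}


def common_suffix(hosts):
    """Longest shared suffix of all hosts, with leading junk punctuation stripped."""
    rev = [h[::-1] for h in hosts]
    n, i = min(map(len, rev)), 0
    while i < n and all(r[i] == rev[0][i] for r in rev):
        i += 1
    return rev[0][:i][::-1].lstrip(".-")


def candidate_domains(groups):
    """Heuristic: propose the shared suffix as the real domain when it is a
    plausible hostname with a first label of at least four characters."""
    out = {}
    for path, hosts in groups.items():
        cand = common_suffix(hosts) if len(hosts) > 1 else hosts[0]
        ok = valid_hostname(cand) and len(cand.split(".")[0]) >= 4
        out[path] = (hosts, cand if ok else None)
    return out


if __name__ == "__main__":
    recs = parse(EXTRACTED)
    for r in recs:
        print(r["defanged"], "" if r["valid_host"] else "<- malformed host")
    for path, (hosts, cand) in candidate_domains(group_by_path(recs)).items():
        print(path, hosts, "->", cand)
```

For `/adwq` the candidate comes out as `cornerdurv.top`, which matches the domain the behaviour graph recorded on the wire; treat the other candidates as leads to verify in pcap or DNS logs, not as confirmed indicators.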
Unpacked files
SHA256 hash: b7c59aafd519e5290c3180bca5f244f12c84076be98ab5734b9b216daf4c0bf6
MD5 hash: e56d269e63ad6e06c7ecf2e96d76f469
SHA1 hash: 07417c784d37abc9adf0a3bf2efc21c5fa23fd46
SHA256 hash: dd96c1eb23088c88bd4329b9e5b1ed920adbbcc53cacbad680b853ae0bc771d2
MD5 hash: 866b4598adccbe07b8b1911509c29480
SHA1 hash: ca31aa9a282c84ae9bed87c515a3653f4b525163
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer: Executable exe b7c59aafd519e5290c3180bca5f244f12c84076be98ab5734b9b216daf4c0bf6 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                   Missing Non-Executable Memory Protection                 critical
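The three BLint findings are bits and directory entries in the PE optional header, and the YARA rule matched above looks at the same file for overlay data and high-entropy (packed or encrypted) sections. The script below is an added example, not BLint, YARA or MalwareBazaar code, showing how both sets of checks are read from the headers with `struct` alone. The two PE images are built in memory as fixtures (constructed header layouts, not loadable programs) so it runs offline: one mimics a packed, unhardened PE32, the other a hardened PE32+ with a dummy Authenticode table. The entropy threshold and the severities are my choices; the three BLint check IDs are the ones reported on this page.

```python
"""PE hardening and packer indicators read straight from the headers.
Added example; the PE images are constructed fixtures, not real samples."""
import math
import struct
from collections import Counter

HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode table
ENTROPY_PACKED = 7.2       # bits/byte; compressed or encrypted data sits near 8.0


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)
    sig_off = sig_size = 0
    if ndirs > SECURITY_DIR:   # the security entry holds a file offset, not an RVA
        sig_off, sig_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    sections, end = [], 0
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, _vsize, _rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        clean = name.rstrip(b"\0")
        sections.append({
            "name": clean.decode("latin-1"),
            "odd_name": not all(0x20 < b < 0x7F for b in clean),
            "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2),
            "write_exec": bool(chars & 0x80000000) and bool(chars & 0x20000000),
        })
        end = max(end, rawptr + rawsize)
    trailer = len(data) - end   # bytes after the last section: signature and/or overlay
    overlay = trailer - sig_size if sig_size and sig_off >= end else trailer
    return {"pe32plus": pe32plus, "nx": bool(dll_chars & NX_COMPAT),
            "aslr": bool(dll_chars & DYNAMIC_BASE),
            "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
            "authenticode": sig_size > 0, "overlay_bytes": max(overlay, 0),
            "sections": sections}


def findings(report):
    """BLint-style (id, severity) pairs plus the packer indicators the YARA rule targets."""
    out = []
    if not report["nx"]:
        out.append(("CHECK_NX", "critical"))
    if not report["high_entropy_va"]:
        out.append(("CHECK_DLL_CHARACTERISTICS", "high"))
    if not report["authenticode"]:
        out.append(("CHECK_AUTHENTICODE", "high"))
    if report["overlay_bytes"]:
        out.append(("OVERLAY_DATA", "info"))
    for s in report["sections"]:
        if s["entropy"] > ENTROPY_PACKED:
            out.append((f"HIGH_ENTROPY_SECTION:{s['name']!r}", "medium"))
        if s["odd_name"]:
            out.append((f"ODD_SECTION_NAME:{s['name']!r}", "medium"))
    return out


def build_pe(dll_chars, sections, overlay=b"", sig=b"", pe32plus=False):
    """Fixture builder: minimal DOS/COFF/optional headers plus section data."""
    opt_size = 240 if pe32plus else 224
    raw_ptr = (64 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                   len(sections), 0, 0, 0, opt_size, 0x22 if pe32plus else 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    hdrs, body, rva = bytearray(), bytearray(), 0x1000
    for name, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, size,
                            raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size, b"\0")
        rva += 0x1000
    if sig:   # Authenticode table follows the sections; directory stores its file offset
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8 * SECURITY_DIR,
                         raw_ptr + len(body), len(sig))
    return (dos + coff + bytes(opt) + bytes(hdrs)).ljust(raw_ptr, b"\0") + bytes(body) + sig + overlay


# Constructed fixtures: no hardening bits, an odd-named section of maximum
# entropy and trailing overlay; versus NX + ASLR + HIGH_ENTROPY_VA with a dummy signature.
WEAK_PE = build_pe(0, [(b".text", b"\x90" * 1000 + b"\xC3"),
                       (b"\x01\xA0\xFFpk", bytes(range(256)) * 16)],
                   overlay=b"OVERLAYDATA" * 10)
HARDENED_PE = build_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA,
                       [(b".text", b"\x90" * 1000 + b"\xC3")],
                       sig=b"\x30\x82" + bytes(62), pe32plus=True)

if __name__ == "__main__":
    for label, image in (("weak", WEAK_PE), ("hardened", HARDENED_PE)):
        rep = analyze_pe(image)
        print(label, {k: v for k, v in rep.items() if k != "sections"})
        print("  findings:", findings(rep))
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `analyze_pe`; a packed stealer typically shows the same picture as the weak fixture: no NX or ASLR bits, no certificate table, one or more sections near 8.0 bits/byte and often an overlay carrying the encrypted payload.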
