MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15


SHA256 hash: b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48
SHA3-384 hash: ca98a0043e9d1beca1f59f18f4c7a16ead943e734493d7a3f995e0a46863cdfdd25ed299001c5bf0bfaa7d7c4c79cce8
SHA1 hash: b3a54667dd9d1e9004f270209db5ba1ec88088aa
MD5 hash: 8563c493b88a526828a64522063d25b1
humanhash: seventeen-carbon-arkansas-sweet
File name: random.exe
Signature: LummaStealer
File size: 1'897'984 bytes
First seen: 2025-04-29 05:57:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:H0j0AUonJ2HYOUYNI7YT6mnmC3EiJXp2dsH:H04AVQ4Jx0THUgZ2
TLSH: T1269533700CA736BFFC58A4B2E2B9384E7BF0E41354669DD63E2ADC4F108B555D32A942
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-29 06:38:53 UTC
Tags: lumma stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: vmdetect phishing
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating synchronization primitives
  Searching for analyzing tools
  Behavior that indicates a threat:
    DNS request
    Connection attempt
    Sending a custom TCP request
    Query of malicious DNS domain
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm crypt entropy packed packed packer_detected rat virtual xpack
Result
Threat name: Amadey, LummaC Stealer
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Detected unpacking (changes PE section rights)
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behaviour
Behavior Graph ID: 1676977
Sample: random.exe
Start date: 29/04/2025
Architecture: WINDOWS
Score: 100

Sample-level network and signatures:
  Contacted: viridisw.top; steamcommunity.com; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 21 other signatures

Process tree (network, dropped files and per-process signatures as shown in the graph):

random.exe
  network: 185.39.17.162 ports 49711, 49733, 49735 (RU-TAGNET-AS, Russian Federation)
  network: viridisw.top 104.21.68.177:443 (CLOUDFLARENET, United States)
  network: steamcommunity.com 184.85.65.125:443 (AKAMAI-AS, United States)
  dropped: C:\Users\...\AHP9UB9QL7Z996ZY2A98OTWHWJ4.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 10 other signatures
  -> AHP9UB9QL7Z996ZY2A98OTWHWJ4.exe
       dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
       signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
       -> saved.exe
            signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

saved.exe
  network: 185.39.17.163 ports 49719, 49720, 49721 (RU-TAGNET-AS, Russian Federation)
  dropped: C:\Users\user\AppData\...\1d67ff2eee.exe (PE32); C:\Users\user\AppData\Local\...\random[1].exe (PE32)
  signatures: Contains functionality to start a terminal service
  -> 1d67ff2eee.exe
       dropped: C:\Users\user\AppData\Local\...\uJLkrRwPu.hta (HTML)
       signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Creates HTA files
       -> mshta.exe
            signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            -> powershell.exe
                 dropped: TempL7HKK4KIAJW6QZEZNJP2FQDW48SB2JSY.EXE (PE32)
                 signatures: Contains functionality to start a terminal service; Powershell drops PE file
                 -> TempL7HKK4KIAJW6QZEZNJP2FQDW48SB2JSY.EXE
                      signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service
                 -> conhost.exe
       -> cmd.exe
            signatures: Uses schtasks.exe or at.exe to add and modify task schedules
            -> conhost.exe
            -> schtasks.exe

1d67ff2eee.exe
  dropped: C:\Users\user\AppData\Local\...\wXdiSuFpv.hta (HTML)
  signatures: Binary is likely a compiled AutoIt script file; Creates HTA files
  -> mshta.exe
       signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
       -> powershell.exe
            dropped: TempNP3KLDOYFGCTPUIPM06VSNMSDYSGESCQ.EXE (PE32)
            -> TempNP3KLDOYFGCTPUIPM06VSNMSDYSGESCQ.EXE
                 signatures: Multi AV Scanner detection for dropped file
            -> conhost.exe
  -> cmd.exe
       -> 2 other processes

4 other processes
  dropped: C:\Users\user\AppData\Local\...\rIf6NHdEV.hta (HTML)
  signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
  -> mshta.exe
       -> powershell.exe
            dropped: TempJG3UPR60QYR54QVH6VG7RMJY8WB0KHXU.EXE (PE32)
            -> TempJG3UPR60QYR54QVH6VG7RMJY8WB0KHXU.EXE
            -> conhost.exe
  -> powershell.exe
       -> 2 other processes
  -> powershell.exe
       -> 2 other processes
  -> 2 other processes
       -> 4 other processes
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-04-23 05:04:50 UTC
File type: PE (Exe)
Extracted files: 1
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s): amadey lummastealer
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://clarmodq.top/qoxo
https://2-longitudde.digital/wizu
https://hemispherexz.top/xapp
https://equatorf.run/reiq
https://latitudert.live/teui
https://longitudde.digital/wizu
https://climatologfy.top/kbud
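The hashes, extracted C2 URLs and direct-to-IP connections on this entry are only useful once they are turned into something that runs against telemetry. The following is an added example, not MalwareBazaar's or any listed vendor's code: it collects the indicators exactly as they appear on this page, reduces the C2 URLs to hostnames so that subdomains and different paths still match, and runs the result over a handful of constructed log lines (the log format and the lines themselves are made up for the demonstration). steamcommunity.com appears in the behaviour graph as a contacted host but is legitimate infrastructure, so it is deliberately not in the indicator set and the example shows it not matching.

```python
"""Added example for this MalwareBazaar entry (not MalwareBazaar or vendor code):
turn the indicators listed on the page into a small matcher and run it over
constructed log lines. The hashes, C2 URLs and IPs below are copied from this
entry; the log lines are made up for the demonstration."""
import hashlib
import re
from urllib.parse import urlparse

# File hashes from the entry: the submitted sample and the unpacked child.
HASHES = {
    "b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48",  # SHA256 sample
    "b3a54667dd9d1e9004f270209db5ba1ec88088aa",                          # SHA1 sample
    "8563c493b88a526828a64522063d25b1",                                  # MD5 sample
    "72dbbbcb03a3b79c3f30115d9b80c4e700c933e2fbe78ab8680c2ea9a1a8c1b8",  # SHA256 unpacked
    "c560a3ad50c2100fee89f26e30d0f696b46d0ac5",                          # SHA1 unpacked
    "4639f6aa23563ef150a8396433dddbc2",                                  # MD5 unpacked
}

# C2 URLs from the Malware Config section of this entry.
C2_URLS = [
    "https://clarmodq.top/qoxo",
    "https://2-longitudde.digital/wizu",
    "https://hemispherexz.top/xapp",
    "https://equatorf.run/reiq",
    "https://latitudert.live/teui",
    "https://longitudde.digital/wizu",
    "https://climatologfy.top/kbud",
]

# Direct-to-IP connections from the behaviour graph.
C2_IPS = {"185.39.17.162", "185.39.17.163"}


def c2_hosts(urls):
    """Reduce the C2 URLs to lower-cased hostnames; subdomains are matched by suffix."""
    return {urlparse(u).hostname.lower() for u in urls}


C2_HOSTS = c2_hosts(C2_URLS)

HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_line(line):
    """Return the (kind, value) indicators from this entry that appear in one log line."""
    hits = []
    for h in HEX_RE.findall(line):
        if h.lower() in HASHES:
            hits.append(("hash", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in C2_HOSTS or any(host.endswith("." + c) for c in C2_HOSTS):
            hits.append(("host", host))
    return hits


def scan(lines):
    """Map line index to its hits, keeping only lines that matched something."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


def digests(data: bytes):
    """Compute the digest types this entry lists, to compare a local file against the page."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_entry(data: bytes):
    """True if any digest of the given bytes is one of the hashes on this entry."""
    return any(d in HASHES for d in digests(data).values())


# Constructed log lines (DNS, proxy, EDR, firewall); not real telemetry.
LOGS = [
    "2025-04-29T06:01:12Z dns client=10.0.0.15 qname=clarmodq.top qtype=A",
    "2025-04-29T06:01:13Z proxy client=10.0.0.15 url=https://equatorf.run/reiq status=200",
    "2025-04-29T06:01:20Z edr host=ws15 process=random.exe sha256=b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48",
    "2025-04-29T06:02:05Z fw src=10.0.0.15 dst=185.39.17.163 dport=443 action=allow",
    "2025-04-29T06:03:00Z dns client=10.0.0.22 qname=steamcommunity.com qtype=A",
]

if __name__ == "__main__":
    for i, hits in scan(LOGS).items():
        print(f"line {i}: {hits}")
```

Hostname matching is a suffix match on purpose: the page lists one path per C2 domain, but a different path or a subdomain on the same registered domain is the same infrastructure. Domain indicators for this family rotate quickly, so treat the list as a snapshot dated by the analysis timestamp on the entry rather than a permanent blocklist.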
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48
MD5 hash: 8563c493b88a526828a64522063d25b1
SHA1 hash: b3a54667dd9d1e9004f270209db5ba1ec88088aa

SHA256 hash: 72dbbbcb03a3b79c3f30115d9b80c4e700c933e2fbe78ab8680c2ea9a1a8c1b8
MD5 hash: 4639f6aa23563ef150a8396433dddbc2
SHA1 hash: c560a3ad50c2100fee89f26e30d0f696b46d0ac5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Web download | LummaStealer | Executable exe b98603a11259b4a169d84fc1be0fb42567edba2b4598c60950e0426362b7db48 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
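The CHECK_NX and CHECK_DLL_CHARACTERISTICS rows above are read straight out of the DllCharacteristics field of the PE optional header. As an added example, not BLint's code, the following Python parses that field from a PE image in memory, reports the two header-derived findings the way this page lists them, and exposes the individual mitigation bits. The header offsets follow the PE/COFF format; the constructed header-only image used for testing is not loadable and is not the sample. Two caveats for reading the table: HIGH_ENTROPY_VA only has meaning for 64-bit (PE32+) images, and the sandbox graph above reports the dropped files as PE32, so on a 32-bit image the NX finding is the one that matters; and a missing Authenticode signature is the norm for commodity malware rather than a distinguishing trait.

```python
"""Added example, not BLint's code: read the DllCharacteristics field that the
CHECK_NX and CHECK_DLL_CHARACTERISTICS findings are derived from directly from
a PE header, and build a header-only PE image (constructed test input, not the
sample) to exercise it. Offsets follow the PE/COFF format."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with full entropy; only meaningful for PE32+
DYNAMIC_BASE = 0x0040      # image can be relocated (ASLR)
NX_COMPAT = 0x0100         # DEP / non-executable memory
GUARD_CF = 0x4000          # Control Flow Guard instrumented
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes):
    """Return (optional-header magic, DllCharacteristics) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                              # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return magic, struct.unpack_from("<H", data, opt + 70)[0]


def findings(data: bytes):
    """Mirror the two header-derived BLint rows on this page as (id, severity) pairs."""
    _magic, dc = dll_characteristics(data)
    out = []
    if not dc & NX_COMPAT:
        out.append(("CHECK_NX", "critical"))
    if not dc & HIGH_ENTROPY_VA:
        out.append(("CHECK_DLL_CHARACTERISTICS", "high"))
    return out


def mitigations(data: bytes):
    """Bit-by-bit view of the mitigation flags, which is what a triage note usually wants."""
    magic, dc = dll_characteristics(data)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dc & NX_COMPAT),
        "dynamic_base": bool(dc & DYNAMIC_BASE),
        "high_entropy_va": bool(dc & HIGH_ENTROPY_VA),
        "guard_cf": bool(dc & GUARD_CF),
    }


def build_minimal_pe(dc: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed header-only PE image for testing; not loadable and not the sample."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 96 if magic == PE32_MAGIC else 112       # no data directories
    machine = 0x14C if magic == PE32_MAGIC else 0x8664   # i386 / x64
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)     # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dc)    # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(findings(build_minimal_pe(0)))
    print(mitigations(build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, PE32PLUS_MAGIC)))
```

To apply it to a downloaded sample, pass the file contents to `findings` or `mitigations` (for example `findings(open(path, "rb").read())`). Only the header is read, so the sample is never executed, but handle it in an isolated environment regardless.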

Comments