MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcd9163833b001e137031b04bed6256d7a4660515338c2e09d466eeddc028134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16

SHA256 hash: bcd9163833b001e137031b04bed6256d7a4660515338c2e09d466eeddc028134
SHA3-384 hash: 0b77281277abf8c6969136309e025d99501fa27462a1596147c41c21f9043af0b69a69618dc0e8be8b8f4236c949ff23
SHA1 hash: 31fe313b6c7228a4bdbb32b816e5207a7e8bdd9e
MD5 hash: 9c4cfaafde2b445a7f7ded7fbd85873b
humanhash: cola-asparagus-fillet-diet
File name: random.exe
Signature: LummaStealer
File size: 3'009'024 bytes
First seen: 2025-05-25 15:35:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:ekB9ofmHZkdSwhwYuwmZvJLlsjpmuKdOZMB67e:e8oOHZOJmZBLls0ukOZMW
TLSH: T109D55C92B90571CFD4DE1BB8A967CD41695D43B94B1848C3A86CE47EBDB7CC022F6C28
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 517
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-25 16:00:03 UTC
Tags: amadey botnet stealer loader rdp themida telegram lumma

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: shellcode autorun virus sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt microsoft_visual_cc packed packed packer_detected
Result
Threat name: Amadey, LummaC Stealer, Stealc v2
Detection: malicious
Classification: phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: Powershell download and load assembly
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Stealc v2
Behaviour
Behavior Graph: ID 1698824, sample random.exe, start date 25/05/2025, architecture WINDOWS, score 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-05-25 01:07:58 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 30 of 36 (83.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:amadey family:donutloader family:lumma botnet:8d33eb defense_evasion discovery execution exploit loader persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Power Settings
Adds Run key to start application
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Possible privilege escalation attempt
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Detects DonutLoader
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: bcd9163833b001e137031b04bed6256d7a4660515338c2e09d466eeddc028134
MD5 hash: 9c4cfaafde2b445a7f7ded7fbd85873b
SHA1 hash: 31fe313b6c7228a4bdbb32b816e5207a7e8bdd9e
SHA256 hash: 60efc24cb672aa82aab128a50ef7de9c714060ad34add078ff5f1ae92a87bc33
MD5 hash: d14f17a8766e3407ee8679ffea8f6e82
SHA1 hash: 9c0d449a6c1fb959b39b2f16587f05fe9ea2efbb
Detections: Amadey
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe bcd9163833b001e137031b04bed6256d7a4660515338c2e09d466eeddc028134 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Comments