MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2fc387fa598098bea4d5b3358b01db102dcf8d18cea07cfde50d4455e609ed0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16



SHA256 hash: c2fc387fa598098bea4d5b3358b01db102dcf8d18cea07cfde50d4455e609ed0
SHA3-384 hash: bf9ad0bac349a81de77ae71a8c96e333f6ba77d344ea968a907c50f5b40263cb3c907d18f651e68cdcd1ed006e90af70
SHA1 hash: e787c70035dbe6a8160926928e93febe2cbbeba2
MD5 hash: e64310c17841e2f3ec344941fa3e61c8
humanhash: single-minnesota-happy-kansas
File name: e64310c17841e2f3ec344941fa3e61c8.exe
Signature: LummaStealer
File size: 1'850'880 bytes
First seen: 2025-02-01 15:42:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:eutUcReAwzUfqCMImrOx0iwQjfS4FKlb+N9+rey46RLhdk/ZG8J2jmda:/OrJzQqCMuxxj64slbGUR46Zhq/DJpa
TLSH: T10485332256CA1038C94E02F8499B4312AF7CE73846CE7B4DE9581D6F5E77A39DA73C09
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 442
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: e64310c17841e2f3ec344941fa3e61c8.exe
Verdict: Malicious activity
Analysis date: 2025-02-01 16:04:44 UTC
Tags: lumma stealer loader stealc amadey botnet cryptbot themida antivm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 95.7%
Tags: vmdetect autorun spam
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Behavior that indicates a threat
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, LummaC Stealer, Socks5Sy
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
Writes many files with high entropy
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: ID 1604525, Sample: AApUa7VQiy.exe, Startdate: 01/02/2025, Architecture: WINDOWS, Score: 100 (graph rendering not reproduced here)
Threat name: Win32.Trojan.LummaC
Status: Malicious
First seen: 2025-02-01 11:59:19 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 38 (52.63%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction: https://toppyneedus.biz/api
Verdict: Malicious
Tags: stealer stealc lumma lumma_stealer win32_amadey c2
YARA: n/a
Unpacked files
SHA256 hash: 5de4e9b8895dfb40f3808b06b0a27dd5d603ab313aca1730b57744997d3cd3a5
MD5 hash: a065c230f13b903ca8cb901eedd23af3
SHA1 hash: 997010e75a4f30c91a8132dd71f5a687de027a65

SHA256 hash: c2fc387fa598098bea4d5b3358b01db102dcf8d18cea07cfde50d4455e609ed0
MD5 hash: e64310c17841e2f3ec344941fa3e61c8
SHA1 hash: e787c70035dbe6a8160926928e93febe2cbbeba2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: win_lumma_2eabe9054cad5152567f0699947a2c5b
Author: dubfib

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: LummaStealer
File: Executable exe c2fc387fa598098bea4d5b3358b01db102dcf8d18cea07cfde50d4455e609ed0 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                       | Title                                                        | Severity
CHECK_AUTHENTICODE       | Missing Authenticode                                         | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)      | high
CHECK_NX                 | Missing Non-Executable Memory Protection                     | critical
