Threat name: Amadey, Cryptbot, LummaC Stealer, RedLine
Alert
Classification: phis.troj.spyw.evad
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected RedLine Stealer
Behavior Graph
ID: 1604965
Sample: swFLhNbw9f.exe
Startdate: 02/02/2025
Architecture: WINDOWS
Score: 100

Process tree (node numbers as in the graph; each node lists its network contacts, dropped files, matched signatures and started child processes):

[2] swFLhNbw9f.exe (submitted sample)
    signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 28 other signatures
    started:
    [10] skotes.exe
        network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal); 185.215.113.97 (WHOLESALECONNECTIONSNL, Portugal)
        dropped: C:\Users\user\AppData\...\b1d2e06ee9.exe (PE32); C:\Users\user\AppData\...\9f2dc37215.exe (PE32); C:\Users\user\AppData\...\529872e41a.exe (PE32); 20 other malicious files
        signatures: Creates multiple autostart registry keys; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
        started:
        [21] a290c7b26c.exe
            dropped: C:\Users\user\AppData\...\a290c7b26c.tmp (PE32)
            signatures: Multi AV Scanner detection for dropped file
            started:
            [42] a290c7b26c.tmp
                dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); 21 other malicious files
                started:
                [62] flv2aviconverter.exe
                    network: 176.113.115.96 (SELECTELRU, Russian Federation); 89.105.201.183 (NOVOSERVE-ASNL, Netherlands)
                    dropped: C:\ProgramData\Flv2AVIConverter\sqlite3.dll (PE32); C:\ProgramData\...\Flv2AVIConverter.exe (PE32)
        [25] 6aa488eebe.exe
            dropped: C:\Users\user\AppData\Local\...\02L0XIlLT.hta (HTML)
            signatures: Binary is likely a compiled AutoIt script file; Creates HTA files
            started:
            [45] mshta.exe
                signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                started:
                [66] powershell.exe
                    dropped: TempRFHBAK6I6EJEFZY7YSSO7VSUBWDM2G8I.EXE (PE32)
                    signatures: Powershell drops PE file
                    started:
                    [83] TempRFHBAK6I6EJEFZY7YSSO7VSUBWDM2G8I.EXE
                        signatures: Detected unpacking (changes PE section rights); Modifies windows update settings; Disables Windows Defender Tamper protection; 6 other signatures
                    [86] conhost.exe
            [48] cmd.exe
                signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                started:
                [77] 2 other processes
        [27] cmd.exe
            started:
            [54] 2 other processes
                dropped: C:\Temp\df7MO3wHW.hta (HTML)
                signatures: Creates HTA files
                started:
                [73] mshta.exe
                    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                    started:
                    [88] powershell.exe
                        dropped: C:\Users\...\483d2fa8a0d53818306efeb32d3.exe (PE32)
                        started:
                        [99] 483d2fa8a0d53818306efeb32d3.exe
                            signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
                        [102] conhost.exe
                [79] 6 other processes
                    started:
                    [91] powershell.exe
                    [93] powershell.exe
                    [95] powershell.exe
        [38] 7 other processes
            network: 94.156.102.240 (NETERRA-ASBG, Bulgaria); 1.1.1.1 (CLOUDFLARENETUS, Australia); 4 other IPs or domains
            dropped: C:\Users\user\...\RKETU4ZEAB9CAQIOR34EDK.exe (PE32); C:\Users\user\AppData\Local\...\pw7IAWD76.hta (HTML)
            signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); 3 other signatures
            started:
            [58] 3 other processes
                started:
                [75] conhost.exe
    [15] swFLhNbw9f.exe
        network: 185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal); 172.67.181.203 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\user\...\7B66RE7ATN8EFMX30ONJEAO.exe (PE32); C:\Users\user\...\4QU9XJKQJAR6623U6.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
        started:
        [29] 7B66RE7ATN8EFMX30ONJEAO.exe
            dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32)
            signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
            started:
            [50] skotes.exe
                signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code)
        [31] 4QU9XJKQJAR6623U6.exe
            network: 185.215.113.115 (WHOLESALECONNECTIONSNL, Portugal)
            signatures: 3 other signatures
    [17] 6aa488eebe.exe
        dropped: C:\Users\user\AppData\Local\...\TZyDVYXX5.hta (HTML)
        signatures: Creates HTA files
        started:
        [34] mshta.exe
            signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            started:
            [52] powershell.exe
                dropped: TempK5HPYWKI4EKLKA3GGYBPQYVULMYMMHVX.EXE (PE32)
                started:
                [69] TempK5HPYWKI4EKLKA3GGYBPQYVULMYMMHVX.EXE
                    signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; 2 other signatures
                [71] conhost.exe
        [36] cmd.exe
            started:
            [56] 2 other processes
    [19] 6 other processes
        dropped: C:\Users\...\OHDCPSUBR3V6N0ZITTD8BX37.exe (PE32)
        signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        started:
        [40] 6 other processes
            dropped: C:\Temp\I6X3VbPtf.hta (HTML)
            started:
            [60] 12 other processes
                signatures: Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                started:
                [81] 4 other processes
                    started:
                    [97] conhost.exe