MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399
SHA3-384 hash: 9cfc9224589e6e0f89fb51c881e2466e14f41a2dc416c75bfcb8cf910877542242fff7f49bc3b6a7e763cdb512000625
SHA1 hash: 110ff08e9b0e06b9aa3a24f15dfc59ac9f8f9c49
MD5 hash: af1d646a3dde7e01a69cca416ecaf250
humanhash: twenty-angel-pizza-seventeen
File name:af1d646a3dde7e01a69cca416ecaf250.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'877'504 bytes
First seen:2025-02-09 07:18:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:wZ7WAw9KvIw4N/F8O6umoEsQg4GY4wBzA8a/e1NicSYS6m:+7WAajw4N2ODNfQg4/dzUW1NQ6m
TLSH T1739533599EC62834E88E063654EFFAC50F3166BDCC175C873922F2742817EB287B4A5D
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
af1d646a3dde7e01a69cca416ecaf250.exe
Verdict:
Malicious activity
Analysis date:
2025-02-09 07:22:52 UTC
Tags:
loader lumma stealer stealc amadey botnet themida auto generic
Link:
https://app.any.run/tasks/b43e3001-0c5c-42a4-901b-8bfbb266277e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a857eed010e522d1b82932
Tags:
vmdetect autorun spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d152fba3-00c7-4f55-b3e7-35d1f5974ede
Result
Threat name:
Amadey, LummaC Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1610422
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1610422 Sample: Q66K8mu6TN.exe Startdate: 09/02/2025 Architecture: WINDOWS Score: 100 62 ignoredshee.com 2->62 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Antivirus detection for URL or domain 2->82 84 14 other signatures 2->84 9 Q66K8mu6TN.exe 2 2->9         started        14 skotes.exe 2->14         started        16 skotes.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 74 185.215.113.16, 49714, 80 WHOLESALECONNECTIONSNL Portugal 9->74 76 ignoredshee.com 188.114.96.3, 443, 49706, 49707 CLOUDFLARENETUS European Union 9->76 52 C:\Users\...\B7QNV930U1HMJ3UHG84UZ85Y2.exe, PE32 9->52 dropped 54 C:\Users\...\4VYS0IUOV6IM85I6AVSTYZ48H.exe, PE32 9->54 dropped 100 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->100 102 Query firmware table information (likely to detect VMs) 9->102 104 Found many strings related to Crypto-Wallets (likely being stolen) 9->104 112 5 other signatures 9->112 20 4VYS0IUOV6IM85I6AVSTYZ48H.exe 33 9->20         started        25 B7QNV930U1HMJ3UHG84UZ85Y2.exe 4 9->25         started        106 Hides threads from debuggers 14->106 108 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->108 110 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 14->110 27 msedge.exe 18->27         started        file6 signatures7 process8 dnsIp9 64 185.215.113.115, 49717, 49742, 58733 WHOLESALECONNECTIONSNL Portugal 20->64 66 127.0.0.1 unknown unknown 20->66 42 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 20->42 dropped 44 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->44 dropped 46 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->46 dropped 50 11 other malicious files 20->50 dropped 86 Antivirus detection for dropped file 20->86 88 Detected unpacking (changes PE section rights) 20->88 90 Attempt to bypass Chrome Application-Bound Encryption 20->90 98 9 other signatures 20->98 29 msedge.exe 11 20->29         started        32 chrome.exe 8 20->32         started        48 C:\Users\user\AppData\Local\...\skotes.exe, PE32 25->48 dropped 92 Machine Learning detection for dropped file 25->92 94 Tries to evade debugger and weak emulator (self modifying code) 25->94 96 Hides threads from debuggers 25->96 35 skotes.exe 12 25->35         started        file10 signatures11 process12 dnsIp13 114 Monitors registry run keys for changes 29->114 37 msedge.exe 29->37         started        56 192.168.2.8, 138, 443, 49703 unknown unknown 32->56 58 239.255.255.250 unknown Reserved 32->58 39 chrome.exe 32->39         started        60 185.215.113.43, 49738, 58723, 58725 WHOLESALECONNECTIONSNL Portugal 35->60 116 Antivirus detection for dropped file 35->116 118 Detected unpacking (changes PE section rights) 35->118 120 Tries to detect sandboxes and other dynamic analysis tools (window names) 35->120 122 5 other signatures 35->122 signatures14 process15 dnsIp16 68 play.google.com 142.250.185.78, 443, 49736, 58721 GOOGLEUS United States 39->68 70 www.google.com 172.217.18.4, 443, 49719, 49723 GOOGLEUS United States 39->70 72 2 other IPs or domains 39->72
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-02-08 13:06:45 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfaktmyisqr4736wzp6fzooieyfu5jeqvz7uqwhuq2ekyl7ayomq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:stealc botnet:9c9aa5 botnet:reno defense_evasion discovery spyware stealer trojan
Link:
https://tria.ge/reports/250209-h5neds1kcl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.115
http://185.215.113.43
Verdict:
Malicious
Tags:
c2 stealer lumma_stealer lumma
YARA:
n/a
Link:
https://app.threat.zone/submission/7267e4f8-a84b-49a9-8ad2-a9a44b65a781
Unpacked files
SH256 hash:
c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399
MD5 hash:
af1d646a3dde7e01a69cca416ecaf250
SHA1 hash:
110ff08e9b0e06b9aa3a24f15dfc59ac9f8f9c49
Link:
https://www.unpac.me/results/a28ad8e2-e421-4d98-ac75-eba25ff3b0b4/
SH256 hash:
0612160ac5ffc057f1888fadef24c86c9067cad5af21a6e24a68c5613e793d92
MD5 hash:
536eafd1425abb83ad7825ddd0f560a0
SHA1 hash:
f76276d51b9fcaa5fb0467abc202a7a65ad15e29
Link:
https://www.unpac.me/results/a28ad8e2-e421-4d98-ac75-eba25ff3b0b4/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c940a9b30894/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe c940a9b3089423cfefd6cbfc5cb9c8260b4ea490ae7f4858f48688ac2fe0c399

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3245480/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3337943/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
Kasibe commented on 2025-02-09 13:02:14 UTC

Stealc