MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
SHA3-384 hash: 3855cc178cd0e30748882f8907432801da8f04be94b327fba9314dd9ed9b653d8437b4513942e4b798ea1953185d9c77
SHA1 hash: 2d5a845c7881f7e64cb78cbfc79727a76cc46b73
MD5 hash: bbdc29e822201e78b17fa856702d28ba
humanhash: river-beer-island-wyoming
File name:fPbjy1Q.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:932'352 bytes
First seen:2025-05-23 07:18:54 UTC
Last seen:2025-05-23 14:12:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3642c4ad9797c59f810541c9ea7d8d9a (23 x LummaStealer, 3 x Stealc, 1 x XWorm)
ssdeep 24576:iYYTObbEackfr4yFghBz1XyTleyomN3Ln:RZckt0BN6xo8
Threatray 72 similar samples on MalwareBazaar
TLSH T19215DF28D29192E6FD3640B946616155B823BE33CA392FFF4394D3339F13AC41B6A719
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
422
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random..exe
Verdict:
Malicious activity
Analysis date:
2025-05-23 00:57:23 UTC
Tags:
loader auto-sch amadey botnet stealer rdp screenconnect rmm-tool telegram uac lumma autoit
Link:
https://app.any.run/tasks/c8d035f7-6c9c-4ce9-a28b-4877008eb0be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.24126.21407.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683022aa4912a6b9dd4c4877
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/68302171e336a33801dd0c47/reports/b50c6c41-c816-4bf0-bb62-428c4cfa81eb/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ce055fa6-8c31-4634-a675-7df87da972e7
Result
Threat name:
Amadey, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1697495
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1697495 Sample: fPbjy1Q.exe Startdate: 23/05/2025 Architecture: WINDOWS Score: 100 67 www.noticeofpleadings.net 2->67 69 diecam.top 2->69 71 17 other IPs or domains 2->71 131 Suricata IDS alerts for network traffic 2->131 133 Found malware configuration 2->133 135 Malicious sample detected (through community Yara rule) 2->135 137 14 other signatures 2->137 9 saren.exe 28 2->9         started        14 fPbjy1Q.exe 1 2->14         started        signatures3 process4 dnsIp5 77 185.156.72.2, 49732, 80 ITDELUXE-ASRU Russian Federation 9->77 79 github.com 140.82.113.3, 443, 49701, 49704 GITHUBUS United States 9->79 81 objects.githubusercontent.com 185.199.109.133, 443, 49702, 49705 FASTLYUS Netherlands 9->81 59 C:\Users\user\AppData\...\09584a36c2.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\...\Faceit.exe, PE32 9->61 dropped 63 C:\Users\user\AppData\Local\...\alex12312.exe, PE32+ 9->63 dropped 65 7 other malicious files 9->65 dropped 143 Contains functionality to start a terminal service 9->143 16 alex12312.exe 9->16         started        19 legend1.exe 1 9->19         started        21 legend2.exe 1 9->21         started        29 2 other processes 9->29 145 Writes to foreign memory regions 14->145 147 Allocates memory in foreign processes 14->147 149 Injects a PE file into a foreign processes 14->149 23 MSBuild.exe 1 14->23         started        27 conhost.exe 14->27         started        file6 signatures7 process8 dnsIp9 97 Multi AV Scanner detection for dropped file 16->97 99 Writes to foreign memory regions 16->99 101 Allocates memory in foreign processes 16->101 31 MSBuild.exe 16->31         started        35 conhost.exe 16->35         started        103 Injects a PE file into a foreign processes 19->103 37 MSBuild.exe 19->37         started        48 2 other processes 19->48 39 MSBuild.exe 21->39         started        50 2 other processes 21->50 73 77.83.207.69, 49698, 49699, 49700 DINET-ASRU Russian Federation 23->73 75 cornerdurv.top 104.21.80.1, 443, 49687, 49688 CLOUDFLARENETUS United States 23->75 55 C:\Users\...55AWBPBO4EUZXDVVDUY2RHSOXISUY.exe, PE32 23->55 dropped 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->105 107 Query firmware table information (likely to detect VMs) 23->107 109 Tries to steal Crypto Currency Wallets 23->109 41 NAWBPBO4EUZXDVVDUY2RHSOXISUY.exe 4 23->41         started        44 WMIADAP.exe 23->44         started        111 Detected unpacking (creates a PE file in dynamic memory) 29->111 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->113 46 cvtres.exe 29->46         started        file10 signatures11 process12 dnsIp13 83 t.me 149.154.167.99, 443, 49727 TELEGRAMRU United Kingdom 31->83 85 narrathfpt.top 172.67.222.194, 443, 49729, 49731 CLOUDFLARENETUS United States 31->85 115 Query firmware table information (likely to detect VMs) 31->115 117 Tries to harvest and steal ftp login credentials 31->117 119 Tries to harvest and steal browser information (history, passwords, etc) 31->119 121 Tries to steal from password manager 31->121 87 diecam.top 172.67.189.163, 443, 49706, 49709 CLOUDFLARENETUS United States 37->87 123 Tries to steal Crypto Currency Wallets 37->123 89 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49716, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 39->89 91 techguidet.digital 40.91.108.115, 443, 49714, 49719 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 39->91 57 C:\Users\user\AppData\Local\...\saren.exe, PE32 41->57 dropped 125 Multi AV Scanner detection for dropped file 41->125 127 Contains functionality to start a terminal service 41->127 129 Contains functionality to inject code into remote processes 41->129 52 saren.exe 41->52         started        93 185.156.72.196, 49757, 49761, 80 ITDELUXE-ASRU Russian Federation 46->93 95 drive.usercontent.google.com 142.250.101.132, 443, 49753 GOOGLEUS United States 46->95 file14 signatures15 process16 signatures17 139 Multi AV Scanner detection for dropped file 52->139 141 Contains functionality to start a terminal service 52->141
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92/
Verdict:
Malicious
Threat:
Win64.Trojan.SnakeKeylogger
Link:
https://tip.neiki.dev/file/cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
Threat name:
Win64.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-05-22 18:22:27 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zqczhqni7ijwhgvkv2t3kjn5a4pnxflda2z5uo6lyakfjqqp52ja._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
03ca65b58c8c4b8ac0c7a5cf19766b9c42f9eba4a04c7804ae042b5fd79e494e
LummaStealer
1baf394f04ba7c67e5f53c18d6510b81f472af818b5b94f3aec079d7d4688e5b
LummaStealer
43210fa69584be3a162adcedda4cf7e4e61eda835a9955f94080b251f97f71a1
LummaStealer
43e4ff6b88051dcf3e4891b6669f8c76c588ef1951fd27dfa689d1bb09ebc8c4
LummaStealer
56adade75a7578033998ac7d63dfb1b307f560341d2cbec9dbbd9c59e532733a
LummaStealer
884befdda63910477ad977d767636be1668c65dbe887c08dc523ddf5a614d4b5
LummaStealer
97b18507cb1ab250f8d1669ce402d79fdbaefb530cce505aa995c861d8ebd946
LummaStealer
cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
LummaStealer
error
LummaStealer
+ 62 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:donutloader family:lumma botnet:fd5e37 discovery loader spyware stealer trojan
Link:
https://tria.ge/reports/250523-h5lkssar7v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Amadey
Amadey family
Detects DonutLoader
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://cornerdurv.top/adwq
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://caitraohvi.bet/adks
https://galijd.shop/anbf/api
https://ordntx.top/pxla/api
https://strejqt.bet/mbnj
https://citellcagt.top/gjtu
https://maxmtsq.bet/xzid
https://diecam.top/laur/api
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://bogtkr.top/zhyk/api
https://clarmodq.top/qoxo
https://zenithcorde.top/auid
https://techguidet.digital/apdo
https://btcgeared.live/lbak
https://buzzarddf.live/ktnt
https://techsyncq.run/riid
https://fishgh.digital/tequ/api
https://parakehjet.run/kewk
https://bearjk.live/benj/api
https://https://t.me/yahservero/api
https://ankyufh.live/qfei
http://77.83.207.69
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e849fbd-ea55-4a75-a431-0d916bf5f855
Unpacked files
SH256 hash:
cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92
MD5 hash:
bbdc29e822201e78b17fa856702d28ba
SHA1 hash:
2d5a845c7881f7e64cb78cbfc79727a76cc46b73
Link:
https://www.unpac.me/results/8d882395-13ca-4fe9-a1d3-58c8226547fc/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc0593c1a8fa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe cc0593c1a8fa13639aaaaea7b525bd071edb956306b3da3bcbc01454c20fee92

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3547829/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments