MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e37fe693125cf84c7fc9787aae50447d51f4398e6d7f3af133afd06b8bb9c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

SHA256 hash: d0e37fe693125cf84c7fc9787aae50447d51f4398e6d7f3af133afd06b8bb9c5
SHA3-384 hash: a4df340c91b377bcedcd963a2b47072ceddcfa9595449a316e780f58856b9d7c72c68c1726945fae930bb51e4aa2ba18
SHA1 hash: d4343c98de27c1daf0e03af0feffad225fb3f510
MD5 hash: adab0799a68d8350ab004a75c6966fd0
humanhash: mobile-fanta-five-carolina
File name: random.exe
Signature: LummaStealer
File size: 3'060'736 bytes
First seen: 2025-05-27 05:46:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:vmNslTFCR2xYyX5yBa7M7vq6lSFR9Ebuf0eh+El2HB:vkslTFC65gB4M73KEbu1hzl2h
TLSH: T1A5E54D92F58AB2DFD88A17759517CD816D5D03BA071008D3E97CB4BEBE6BCC026B6C24
TrID: 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      9.1% (.EXE) OS/2 Executable (generic) (2029/13)
      9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 419
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-27 06:23:03 UTC
Tags: amadey botnet stealer loader gcleaner rdp themida auto generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt microsoft_visual_cc packed packed packer_detected

Result
Threat name: Amadey, LummaC Stealer, Xmrig
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates HTA files
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1699538; sample: random.exe; start date: 27/05/2025; architecture: WINDOWS; score: 100)

The sandbox behavior graph is rendered here as a process tree. Each process lists the network contacts, dropped files and signatures attributed to it, followed by the processes it started.

Start
  Network: server25.mentality.cloud; WRDnltbcJYcpYNfIZnCJsx.WRDnltbcJYcpYNfIZnCJsx; 7 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 36 other signatures
  Started: random.exe; WinService.exe; ramez.exe; 9 other processes

  random.exe
    Dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32); C:\Users\user\...\ramez.exe:Zone.Identifier (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
    Started: ramez.exe

    ramez.exe
      Network: 185.156.72.2 (ports 49723, 49726, 49756; ITDELUXE-ASRU Russian Federation); 185.156.72.96 (ports 49718, 49721, 49724; ITDELUXE-ASRU Russian Federation); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\...\a10030c49e.exe (PE32); C:\Users\user\AppData\...\28ec4790d8.exe (PE32); C:\Users\user\AppData\...\55f168c398.exe (PE32); 29 other malicious files
      Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; 13 other signatures
      Started: DeadTournament.exe; fxLhECP.exe; oxDU0MW.exe; 3 other processes

      DeadTournament.exe
        Dropped: C:\Users\user\AppData\...\Wonderful.mpeg (data); 9 other malicious files
        Signatures: Multi AV Scanner detection for dropped file; Writes many files with high entropy
        Started: cmd.exe

        cmd.exe
          Dropped: C:\Users\user\AppData\Local\...\Reviewer.com (PE32)
          Signatures: Uses cmd line tools excessively to alter registry or file data; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules; Writes many files with high entropy
          Started: Reviewer.com; 10 other processes

          Reviewer.com
            Dropped: C:\Users\user\AppData\Local\...\SwiftFish.com (PE32); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); C:\Users\user\AppData\Local\...\q (data); C:\Users\user\AppData\Local\...\SwiftFish.js (ASCII)
            Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Writes many files with high entropy; Injects a PE file into a foreign process

          10 other processes
            Dropped: C:\Users\user\AppData\Local\Temp\581856\z (data)

      fxLhECP.exe
        Network: 188.37.160.41 (ports 49725, 7706; VODAFONE-PTVodafonePortugalPT Portugal)
        Signatures: Antivirus detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 6 other signatures
        Started: chrome.exe; chrome.exe (injected); 2 other processes

        chrome.exe
          Network: 192.168.2.4 (ports 443, 49708, 49711; unknown)
          Signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Suspicious execution chain found; Adds a directory exclusion to Windows Defender
          Started: chrome.exe

          chrome.exe
            Network: clients2.googleusercontent.com; googlehosted.l.googleusercontent.com 142.250.101.132 (ports 443, 49747; GOOGLEUS United States); www.google.com 74.125.137.103 (ports 443, 49731, 49732; GOOGLEUS United States)
            Signatures: Found many strings related to Crypto-Wallets (likely being stolen)

      oxDU0MW.exe
        Network: xai830k.com 152.89.61.96 (YURTEH-ASUA Ukraine); api64.ipify.org 104.237.62.213 (WEBNXUS United States); 45.144.212.77 (HPC-MVM-ASHU Ukraine)
        Dropped: C:\Windows\Win-v41.exe (PE32+); C:\Windows\System32\Win-v42.exe (PE32+); C:\Users\user\AppData\Local\Temp\TH9BDE.tmp (PE32); 2 other malicious files
        Signatures: Creates multiple autostart registry keys; Modifies the context of a thread in another process (thread injection); 2 other signatures
        Started: powershell.exe

        powershell.exe
          Started: conhost.exe

      3 other processes
        Network: server25.mentality.cloud 51.38.196.118 (ports 49766, 49778, 49780; OVHFR France); 172.86.105.63 (ports 49754, 49771, 8080; PONYNETUS United States); api.ipify.org 104.26.12.205 (ports 49759, 49762, 49774; CLOUDFLARENETUS United States)
        Dropped: C:\Users\user\AppData\...\WinService.exe (PE32); C:\ProgramData\PrivacyGroup\securevpn.exe (PE32+); C:\Users\user\AppData\Local\...\cWZvWTUPc.hta (HTML)
        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; 2 other signatures
        Started: mshta.exe; powershell.exe; reg.exe; 5 other processes

        mshta.exe
          Signatures: Tries to download and execute files (via powershell)
          Started: powershell.exe

          powershell.exe
            Dropped: TempWAF2ABHB5PTNZX0A5IGZFXXHCEI2IZ2F.EXE (PE32)
            Started: TempWAF2ABHB5PTNZX0A5IGZFXXHCEI2IZ2F.EXE; conhost.exe

            TempWAF2ABHB5PTNZX0A5IGZFXXHCEI2IZ2F.EXE
              Signatures: Multi AV Scanner detection for dropped file

        powershell.exe
          Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
          Started: conhost.exe

        reg.exe
          Signatures: Adds extensions / path to Windows Defender exclusion list (Registry)
          Started: 3 other processes

          3 other processes
            Dropped: C:\Users\user\AppData\...\SwiftFish.url (MS)
            Started: conhost.exe; schtasks.exe; conhost.exe

        5 other processes
          Network: 88.119.165.37 (ports 49772, 8081; IST-ASLT Lithuania)
          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          Started: WMIC.exe; 7 other processes

          WMIC.exe
            Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

  WinService.exe
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; 2 other signatures
    Started: powershell.exe; reg.exe

    powershell.exe
      Signatures: Loading BitLocker PowerShell Module
      Started: conhost.exe

    reg.exe
      Started: conhost.exe

  ramez.exe
    Signatures: 3 other signatures

  9 other processes
    Network: 127.0.0.1 (unknown)
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall); Tries to download and execute files (via powershell); Windows Scripting host queries suspicious COM object (likely to drop second stage); Found direct / indirect Syscall (likely to bypass EDR)
    Started: cmd.exe; powershell.exe; cmd.exe

    cmd.exe
      Started: 2 other processes

    powershell.exe
      Started: conhost.exe

    cmd.exe
      Started: conhost.exe
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-05-27 05:47:28 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:amadey family:lumma botnet:8d33eb collection credential_access defense_evasion discovery execution exploit persistence privilege_escalation pyinstaller spyware stealer trojan upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Accesses Microsoft Outlook profiles
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Power Settings
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Modifies Windows Firewall
Possible privilege escalation attempt
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.156.72.96
https://greengwjz.top/zdka
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://bogtkr.top/zhyk/api
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
Unpacked files
SHA256 hash: d7de8cbb52340a5144a9d34aeb05d358409c6ae4bfcaa1335a6b74ec654f7e04
MD5 hash: 1b9c78fc63e6ef2428a52d76f015d6d7
SHA1 hash: 6239eefde05cac07ee5438351d65824e95e17ad1
Detections: Amadey

SHA256 hash: d0e37fe693125cf84c7fc9787aae50447d51f4398e6d7f3af133afd06b8bb9c5
MD5 hash: adab0799a68d8350ab004a75c6966fd0
SHA1 hash: d4343c98de27c1daf0e03af0feffad225fb3f510
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: LummaStealer
File: Executable exe d0e37fe693125cf84c7fc9787aae50447d51f4398e6d7f3af133afd06b8bb9c5 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                    Missing Non-Executable Memory Protection                 critical
