Threat name: Amadey, Credential Flusher, Healer AV Di
Alert
Classification: phis.troj.spyw.evad
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behavior Graph
ID: 1674290
Sample: random.exe
Startdate: 25/04/2025
Architecture: WINDOWS
Score: 100

Process tree from the graph (each node lists its network contacts, dropped files, triggered signatures and the child processes it started):

random.exe (submitted sample)
  network: tropiscbs.live; topographky.top; 55 other IPs or domains
  signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 26 other signatures
  started: saved.exe, random.exe, c96caca773.exe, 4 other processes

  saved.exe
    network: 185.39.17.163, 49699, 49701, 49704 (RU-TAGNET-ASRU, Russian Federation)
    dropped: C:\Users\user\AppData\...\c0fa2f74ab.exe (PE32); C:\Users\user\AppData\...\684402b0ec.exe (PE32); C:\Users\user\AppData\...\f48b2abc3b.exe (PE32); 14 other malicious files
    signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys
    started: c96caca773.exe, RtRra7v.exe, d9c3c3f39d.exe, 4 other processes

    c96caca773.exe
      dropped: C:\Users\user\...\HXCIZ4SB4EBOMAC5CH.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 7 other signatures
      started: HXCIZ4SB4EBOMAC5CH.exe

    RtRra7v.exe
      network: tropiscbs.live 172.67.211.127, 443, 49703, 49706 (CLOUDFLARENETUS, United States)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 2 other signatures

    d9c3c3f39d.exe
      signatures: 5 other signatures

    4 other processes
      network: topographky.top 104.21.14.167, 443, 49711, 49714 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\Local\...\7cCvUlonk.hta (HTML)
      signatures: Binary is likely a compiled AutoIt script file; 4 other signatures
      started: mshta.exe, MSBuild.exe, 7 other processes

      mshta.exe
        signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
        started: powershell.exe

        powershell.exe
          dropped: TempOQJWIIRNOL1J9WVEXVERRU2PWW5BA6JH.EXE (PE32)
          signatures: Powershell drops PE file
          started: conhost.exe

      MSBuild.exe
        network: t.me 149.154.167.99, 443, 49721 (TELEGRAMRU, United Kingdom); techwaveg.run 104.21.58.253, 443, 49723, 49724 (CLOUDFLARENETUS, United States)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to steal Crypto Currency Wallets

      7 other processes
        signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        started: conhost.exe, conhost.exe, conhost.exe, 4 other processes

  random.exe
    network: 185.39.17.162, 49698, 49702, 49705 (RU-TAGNET-ASRU, Russian Federation); clarmodq.top 172.67.205.184, 443, 49685, 49688 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\...\2KEXS22QHZ5P2010Y95B2ENXQ0W.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 3 other signatures
    started: 2KEXS22QHZ5P2010Y95B2ENXQ0W.exe

    2KEXS22QHZ5P2010Y95B2ENXQ0W.exe
      dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
      signatures: Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
      started: saved.exe

      saved.exe
        signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

  c96caca773.exe
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to steal Crypto Currency Wallets; Hides threads from debuggers
    started: chrome.exe, chrome.exe

    chrome.exe
      network: 192.168.2.6, 443, 49685, 49688 (unknown, unknown)
      started: chrome.exe

      chrome.exe
        network: play.google.com 142.250.68.238 (GOOGLEUS, United States); plus.l.google.com; 2 other IPs or domains

    chrome.exe
      started: chrome.exe

      chrome.exe
        network: www.google.com 192.178.49.196, 443, 49747, 49748 (GOOGLEUS, United States)

  4 other processes
    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Tries to detect sandboxes / dynamic malware analysis system (registry check)
    started: firefox.exe, powershell.exe

    firefox.exe
      network: prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 (GOOGLEUS, United States); 127.0.0.1 (unknown, unknown)
      signatures: Found many strings related to Crypto-Wallets (likely being stolen)
      started: firefox.exe

    powershell.exe
      started: conhost.exe