MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df6e34cf8cc293cdc918c29c268c2b9dbff2fb4586d2e82b11cea26631029273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15



SHA256 hash: df6e34cf8cc293cdc918c29c268c2b9dbff2fb4586d2e82b11cea26631029273
SHA3-384 hash: bb4253a1dd58ed12acee51878e6c088d84f69d766713fae93dd1cfed03ecc53164629b570b77ae85e136c6919c6a3907
SHA1 hash: 0071d1b2d194c76446b52e5e7b15b685ac36f827
MD5 hash: 74a0496d7f492e975e2ae4cdd4c4e899
humanhash: harry-moon-indigo-sixteen
File name: random.exe
Signature: LummaStealer
File size: 1'922'048 bytes
First seen: 2025-04-17 12:13:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:K0HdOr3jYNPeOAzl6f4qdzNfQJ79U8Xr70V1vlzoA4CPTvw9dqwKyRyTLPJ9Jhb2:tMzYdeOUMf4uQFvXr70NoA44cXso0J
TLSH: T1A59533A81C76753FDB596C30815F4CADFA35B8994AC3A327906E493929F1A38334F60D
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 436
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-17 12:54:48 UTC
Tags: lumma stealer loader amadey botnet credentialflusher rdp auto-reg themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: phishing autorun emotet spam
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: crypt packed packed packer_detected xpack
Result
Threat name: Amadey, CryptOne, LummaC Stealer, Privat
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables the Smart Screen filter
Disables Windows Defender Tamper protection
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected PrivateLoader
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 1667479, Sample: random.exe, Startdate: 17/04/2025, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-04-17 12:14:26 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: df6e34cf8cc293cdc918c29c268c2b9dbff2fb4586d2e82b11cea26631029273
MD5 hash: 74a0496d7f492e975e2ae4cdd4c4e899
SHA1 hash: 0071d1b2d194c76446b52e5e7b15b685ac36f827
SHA256 hash: f1490cfd713f48878339d6175fa239b9473fddb1132c52c6a876d65b06b86a1c
MD5 hash: fb2ca26c859de5ab5b99bd21f4d910f3
SHA1 hash: db6f07f1406f271cec68e780e1ce3762a7325491
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe df6e34cf8cc293cdc918c29c268c2b9dbff2fb4586d2e82b11cea26631029273 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Comments