MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e975b7fb541da40f73616e3839773e2ceb464bed554128c68e1f617253b5d3c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16



SHA256 hash: e975b7fb541da40f73616e3839773e2ceb464bed554128c68e1f617253b5d3c0
SHA3-384 hash: ae4f092bc985d04c7040bb97f38709dae77327e60b51e8d0271214639f3078c8e85e6648778736db3e29ca4a51bfab2d
SHA1 hash: f92a4a5f8a049a792cf091b883ea224a49f392fd
MD5 hash: 28c9731d57749ffe361a4f7ec7c07403
humanhash: delta-blue-washington-lemon
File name:random.exe
Signature LummaStealer
File size:1'886'720 bytes
First seen:2025-05-22 06:27:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:U3ROawJXz7HzgXt37JyB0+51B5vfp/C/cCHR2pct2giOnU1:UTwNk937JyNjvdPqtLiOn
Threatray 2 similar samples on MalwareBazaar
TLSH T1FE9533AFCE2A9320C905EB72CEC70F043E6D5A47B7909B68B1C522FB24F991770D6458
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
419
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-22 08:13:37 UTC
Tags:
lumma stealer themida loader amadey botnet auto gcleaner arch-exec auto-sch telegram rdp evasion generic netreactor purehvnc miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
phishing autorun spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected xpack
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ScreenConnect Tool, Amadey, LummaC Steal
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Contains functionality to start a terminal service
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
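The signature list above includes "Adds a directory exclusion to Windows Defender" together with "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet". The script below is an added example (not MalwareBazaar or sandbox-vendor code) of the detection logic behind that pairing: it unwraps PowerShell's -EncodedCommand argument (base64 over UTF-16LE) and flags Add-MpPreference / Set-MpPreference calls that add exclusions or switch off Defender features. The command lines it scans are constructed for illustration; the exclusion path reuses one of the drop locations from this entry but is not taken from the sandbox log.

```python
"""Flag PowerShell command lines that add Microsoft Defender exclusions or disable
Defender features, including when the command hides behind -EncodedCommand.

Added example for this MalwareBazaar entry, not vendor code; the log lines in
SAMPLE_COMMAND_LINES are constructed, not copied from the sandbox report."""
import base64
import binascii
import re

# PowerShell accepts -EncodedCommand and its usual abbreviations, case-insensitively.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Cmdlets that change Defender preferences, and the parameters that weaken it.
MP_CMDLET = re.compile(r"(?i)\b(add|set)-mppreference\b")
MP_PARAMS = re.compile(
    r"(?i)-(exclusionpath|exclusionprocess|exclusionextension|"
    r"disablerealtimemonitoring|disableioavprotection|disablebehaviormonitoring)\b"
)
CANON = {  # canonical casing for reporting
    "add": "Add-MpPreference", "set": "Set-MpPreference",
    "exclusionpath": "-ExclusionPath", "exclusionprocess": "-ExclusionProcess",
    "exclusionextension": "-ExclusionExtension",
    "disablerealtimemonitoring": "-DisableRealtimeMonitoring",
    "disableioavprotection": "-DisableIOAVProtection",
    "disablebehaviormonitoring": "-DisableBehaviorMonitoring",
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)                 # tolerate stripped base64 padding
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Inspect one process command line and report Defender-weakening cmdlet usage."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    findings = []
    cmdlets = {CANON[m.group(1).lower()] for m in MP_CMDLET.finditer(text)}
    if cmdlets:  # parameters only matter when a *-MpPreference cmdlet is present
        params = {CANON[m.group(1).lower()] for m in MP_PARAMS.finditer(text)}
        findings = [f"{c} {p}" for c in sorted(cmdlets) for p in sorted(params)]
    return {"encoded": decoded is not None, "decoded": decoded, "findings": findings}


def scan(lines):
    """Return (line, result) pairs for every command line with at least one finding."""
    hits = []
    for line in lines:
        result = analyze_command_line(line)
        if result["findings"]:
            hits.append((line, result))
    return hits


def _encode(ps: str) -> str:
    """Build a -EncodedCommand argument the way an attacker would (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (not from the report). The exclusion path reuses
# a drop location listed in this entry purely for illustration.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    "powershell.exe -w hidden -enc "
    + _encode('Add-MpPreference -ExclusionPath "C:\\Windows\\Win-v41.exe"'),
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionProcess "MSBuild.exe"',
]

if __name__ == "__main__":
    for line, result in scan(SAMPLE_COMMAND_LINES):
        print("HIT:", ", ".join(result["findings"]))
        if result["encoded"]:
            print("     decoded:", result["decoded"])
```

Feed it process-creation telemetry (Sysmon event 1 or Security 4688 command lines); a hit on an exclusion parameter is worth correlating with Defender operational event 5007 (configuration changed) on the same host, which fires regardless of how the cmdlet was invoked.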
Behaviour
Behavior Graph:
Behavior Graph ID: 1696620
Sample: random.exe
Startdate: 22/05/2025
Architecture: WINDOWS
Score: 100

Top-level network indicators: api.telegram.org (Uses the Telegram API (likely for C&C communication)); xai830k.com; 14 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

Process tree (network contacts, dropped files and signatures per process, as recovered from the graph):

random.exe
  Network: 185.156.72.2 (ports 49694, 49699, 49704; ITDELUXE-ASRU, Russian Federation); cornerdurv.top 104.21.48.1 (ports 443, 49682, 49683; CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\...\23IGRC04ANJZ3Q5DQ49LI.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 4 other signatures
  -> 23IGRC04ANJZ3Q5DQ49LI.exe
       Dropped: C:\Users\user\AppData\Local\...\ramez.exe (PE32)
       Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 5 other signatures
       -> ramez.exe
            Network: 185.156.72.96 (ports 49695, 49696, 49702; ITDELUXE-ASRU, Russian Federation)
            Dropped: C:\Users\user\AppData\Local\...\BUZxsYD.exe (PE32, listed twice); C:\Users\user\AppData\Local\...\ZExZn8V.exe (PE32); 17 other malicious files
            Signatures: Detected unpacking (changes PE section rights); Contains functionality to start a terminal service; Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures
            -> oxDU0MW.exe
                 Network: 45.144.212.77 (ports 49714, 7777; HPC-MVM-ASHU, Ukraine); xai830k.com 152.89.61.96 (ports 443, 49713, 49721; YURTEH-ASUA, Ukraine); api64.ipify.org 104.237.62.213 (ports 443, 49717; WEBNXUS, United States)
                 Dropped: C:\Windows\Win-v41.exe (PE32+); C:\Windows\System32\Win-v42.exe (PE32+); C:\Users\user\AppData\Local\Temp\TH55A4.tmp (PE32+); C:\Users\user\AppData\Local\...\Win-v43.exe (PE32+)
                 Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found strings related to Crypto-Mining; 7 other signatures
                 -> cmd.exe
                      Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                      -> conhost.exe
                      -> ReAgentc.exe
                 -> cmd.exe
                      -> PING.EXE
                           Network: 8.8.8.8 (GOOGLEUS, United States)
                      -> conhost.exe
                 -> powershell.exe
                      Signatures: Loading BitLocker PowerShell Module
                      -> conhost.exe
                 -> 13 other processes
                      -> conhost.exe (three instances); 13 other processes
            -> fPbjy1Q.exe
                 Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                 -> MSBuild.exe
                      Network: 77.83.207.69 (ports 49748, 80; DINET-ASRU, Russian Federation)
                      Dropped: C:\Users\user\...\I08O84SK5EUCN09X6B.exe (PE32)
                      Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
                 -> 2 other processes
            -> 08IyOOF.exe
                 -> MSBuild.exe
                      Network: narrathfpt.top 172.67.222.194 (ports 443, 49707, 49708; CLOUDFLARENETUS, United States)
                      Signatures: Tries to steal Crypto Currency Wallets
                 -> MSBuild.exe
                      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                 -> conhost.exe
            -> FdBWsdY.exe
                 Signatures: Contains functionality to hide user accounts

ramez.exe (second instance, started from the top level)
  Signatures: Contains functionality to start a terminal service; Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)

svchost.exe
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

10 other processes
  Network: 127.0.0.1
  Signatures: Antivirus detection for dropped file
  -> WerFault.exe
  -> WerFault.exe
Threat name:
Win32.Trojan.LummaStealer
Status:
Malicious
First seen:
2025-05-22 06:33:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:amadey family:donutloader family:lumma botnet:8d33eb bootkit defense_evasion discovery execution exploit loader persistence pyinstaller spyware stealer trojan
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Looks up external IP address via web service
Power Settings
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Looks for VMWare Tools registry key
Possible privilege escalation attempt
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Amadey
Amadey family
Detects DonutLoader
DonutLoader
Donutloader family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://qcornerdurv.top/adwq
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://citellcagt.top/gjtu
https://.cornerdurv.top/adwq
https://rnarrathfpt.top/tekq
https://8escczlv.top/bufi
https://3y7korxddl.top/qidz
http://185.156.72.96
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
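The extracted C2 list above mixes clean hostnames, raw IPs and at least one entry that is not a valid hostname at all (a leading dot). Before pushing such a list to a blocklist or IDS it is worth validating each host and separating what is blockable from what needs a human look. The script below is an added example (not MalwareBazaar code) that does that triage over exactly the URLs listed in this entry and emits Suricata DNS-query rules for the syntactically valid domains; the sid range it uses is an assumption for a local rule file.

```python
"""Triage the C2 / dropper URLs from this entry into blockable domains, IPs and
entries held for manual review, then emit Suricata DNS rules for the domains.

Added example for this MalwareBazaar entry; the URL list is copied verbatim from
the Malware Config section, the sid base is an assumption for local rules."""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 hostname label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

EXTRACTED_C2 = [
    "https://qcornerdurv.top/adwq",
    "https://narrathfpt.top/tekq",
    "https://escczlv.top/bufi",
    "https://localixbiw.top/zlpa",
    "https://korxddl.top/qidz",
    "https://citellcagt.top/gjtu",
    "https://.cornerdurv.top/adwq",
    "https://rnarrathfpt.top/tekq",
    "https://8escczlv.top/bufi",
    "https://3y7korxddl.top/qidz",
    "http://185.156.72.96",
]
EXTRACTED_DROPPER = ["http://185.156.72.2/testmine/random.exe"]


def classify_host(host: str) -> str:
    """'ip' for an IP literal, 'domain' for a syntactically valid hostname, else 'invalid'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.lower().split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return "invalid"
    return "domain"


def triage(urls) -> dict:
    """Bucket URLs into blockable domains/IPs, URI paths, and entries needing review."""
    domains, ips, paths, review = set(), set(), set(), []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""          # urlsplit lowercases the host for us
        kind = classify_host(host)
        if kind == "ip":
            ips.add(host)
        elif kind == "domain":
            domains.add(host)
        else:                                # malformed host: do not block blindly
            review.append(url)
            continue
        if parts.path and parts.path != "/":
            paths.add(parts.path)
    return {"domains": sorted(domains), "ips": sorted(ips),
            "uri_paths": sorted(paths), "review": review}


def suricata_dns_rules(domains, sid_start: int = 1000001):
    """One dns.query alert per domain (Suricata 5+ syntax; sid range is an assumption)."""
    return [
        f'alert dns any any -> any any (msg:"LummaStealer C2 DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; sid:{sid_start + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    result = triage(EXTRACTED_C2 + EXTRACTED_DROPPER)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("\n".join(suricata_dns_rules(result["domains"])))
```

The IP bucket is where the dropper host (185.156.72.2) and the 185.156.72.96 C2 land; the URI paths (/adwq, /tekq, ...) are useful for HTTP-layer matching where TLS is inspected, but note that several distinct hostnames in this config share the same path.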
Unpacked files
SHA256 hash:
e975b7fb541da40f73616e3839773e2ceb464bed554128c68e1f617253b5d3c0
MD5 hash:
28c9731d57749ffe361a4f7ec7c07403
SHA1 hash:
f92a4a5f8a049a792cf091b883ea224a49f392fd
SHA256 hash:
94fc182aae5b14a5d3f7757479413c5423dc928251dbc90d9025f03c01f0ef7b
MD5 hash:
db4f5b0ee49137d52e5b28f3d4f09397
SHA1 hash:
460b452ddb07f3bb7072cf38db191745f26454ed
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe e975b7fb541da40f73616e3839773e2ceb464bed554128c68e1f617253b5d3c0 (this sample)
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

ID: CHECK_NX
Title: Missing Non-Executable Memory Protection
Severity: critical
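All three BLint findings come from two places in the PE header: the DllCharacteristics field of the optional header (NX_COMPAT and HIGH_ENTROPY_VA bits) and the security data directory (the Authenticode certificate table). The checker below is an added example, not BLint's own code, that reads those fields with nothing but the standard library and reports the same finding IDs; build_minimal_pe() fabricates header-only images so the checker can be exercised without a real sample.

```python
"""Read the PE optional header and reproduce the three BLint findings shown above
(CHECK_NX, CHECK_DLL_CHARACTERISTICS for HIGH_ENTROPY_VA, CHECK_AUTHENTICODE).

Added example for this MalwareBazaar entry, not BLint's code. build_minimal_pe()
constructs header-only test images; they are parseable, not loadable."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # attribute certificate (Authenticode) table


def check_pe_mitigations(data: bytes) -> dict:
    """Return mitigation flags and BLint-style (ID, severity) findings for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                         # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dirs = "PE32", 96                      # data directories start at +96
    elif magic == 0x20B:
        fmt, dirs = "PE32+", 112                    # 8-byte ImageBase/stack/heap fields shift them to +112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics sits at +70 in both formats
    _, sec_size = struct.unpack_from("<II", data, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    res = {
        "format": fmt,
        "nx": bool(dllchar & NX_COMPAT),
        "aslr": bool(dllchar & DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & GUARD_CF),
        # A non-empty security directory only proves a certificate table exists;
        # validity of the signature must be checked separately (signtool, osslsigncode).
        "authenticode_present": sec_size != 0,
        "findings": [],
    }
    if not res["nx"]:
        res["findings"].append(("CHECK_NX", "critical"))
    if not res["high_entropy_va"]:                  # only effective on 64-bit images; reported regardless, as BLint does
        res["findings"].append(("CHECK_DLL_CHARACTERISTICS", "high"))
    if not res["authenticode_present"]:
        res["findings"].append(("CHECK_AUTHENTICODE", "high"))
    return res


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True, cert_size: int = 0) -> bytes:
    """Construct a header-only PE (test input only) with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224             # optional header including all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 68, 2)              # Subsystem = WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)       # NumberOfRvaAndSizes
    if cert_size:                                   # fake a certificate table entry
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                           # python check_pe.py <sample.exe>
        with open(sys.argv[1], "rb") as fh:
            print(check_pe_mitigations(fh.read()))
    else:
        print(check_pe_mitigations(build_minimal_pe(0, pe32plus=False)))
```

Two caveats when reading these findings on a sample like this one: the header describes the packed outer layer (Themida/xpack tags above), not the unpacked payload, and a missing NX_COMPAT bit only changes behaviour for 32-bit processes under the default OptIn DEP policy, since 64-bit processes always run with DEP.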

Comments