Threat name: Amadey, DarkVision Rat, LummaC Stealer
Classification: troj.spyw.expl.evad.mine
Signatures:
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Amadey's Clipper DLL
Yara detected Costura Assembly Loader
Yara detected DarkVision Rat
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
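Several of the signatures above (Bypasses PowerShell execution policy, Encrypted powershell cmdline option found, Suspicious powershell command line found, Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet, Adds a directory exclusion to Windows Defender) describe a single chain: powershell.exe is launched with an execution-policy bypass and a base64 -EncodedCommand whose decoded body calls Add-MpPreference or Set-MpPreference to carve out a Defender exclusion or switch protections off. The detector below is an added example, not part of this report or of any sandbox's own code. It unwraps the encoded payload (base64 over UTF-16LE, which is what powershell.exe expects) and classifies the effective script text. The command lines it scans are constructed for illustration and are not taken from the sample's process logs; the parameter-prefix handling (-e, -ec, -enc, -ep, -ex) relies on powershell.exe accepting unambiguous abbreviations of its parameter names.

```python
import base64
import re

# powershell.exe accepts unambiguous prefixes of parameter names, so
# -e, -ec, -en, -enc and -EncodedCommand all select the encoded-command path.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
# -ep / -ex / -ExecutionPolicy followed by a policy that disables script blocking.
_EP_RE = re.compile(r"(?i)(?:^|\s)-e(?:p|x[a-z]*)\s+(?:bypass|unrestricted)")
# Defender exclusion carve-outs and protection tampering via the MpPreference cmdlets.
_EXCL_RE = re.compile(r"(?i)add-mppreference\b[^|;]*-exclusion(?:path|extension|process)")
_TAMPER_RE = re.compile(r"(?i)set-mppreference\b[^|;]*-disable[a-z]+\s+\$?true")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Wrong padding, non-alphabet characters or odd byte count: not a real payload.
        return None


def analyze_cmdline(cmdline):
    """Classify one powershell command line; returns the findings and the effective script."""
    decoded = decode_encoded_command(cmdline)
    # The text that actually runs is the decoded payload when present, else the raw line.
    script = decoded if decoded is not None else cmdline
    findings = []
    if decoded is not None:
        findings.append("encoded_command")
    if _EP_RE.search(cmdline):
        findings.append("execution_policy_bypass")
    if _EXCL_RE.search(script):
        findings.append("defender_exclusion")
    if _TAMPER_RE.search(script):
        findings.append("defender_tamper")
    return {"cmdline": cmdline, "script": script, "findings": findings}


def encode_for_powershell(script):
    """Encode a script the way powershell -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines (assumed for illustration; not from the report's logs).
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
    + encode_for_powershell('Add-MpPreference -ExclusionPath "C:\\ProgramData\\Updater"'),
    "powershell -ep bypass -w hidden -enc "
    + encode_for_powershell("Set-MpPreference -DisableRealtimeMonitoring $true"),
    'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionExtension .exe"',
    'powershell.exe -NoProfile -Command "Get-Date"',
]


def scan(cmdlines=SAMPLE_CMDLINES):
    """Return only the command lines that produced at least one finding."""
    return [r for r in (analyze_cmdline(c) for c in cmdlines) if r["findings"]]


if __name__ == "__main__":
    for r in scan():
        print(", ".join(r["findings"]), "<-", r["script"])
```

The decoding step matters more than the regexes: a rule that only looks at the raw command line never sees "Add-MpPreference" in the first two samples, which is exactly why the Sigma rule named in the report keys on the base64 form of the cmdlet instead. Decoding first lets one rule cover both the encoded and the plain -Command variants.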
Behavior Graph

ID: 1667176
Sample: random.exe
Startdate: 17/04/2025
Architecture: WINDOWS
Score: 100

The graph is reproduced here as a process tree. For each process the entries are: the network destinations it contacted, the files it dropped, the signatures it triggered, and the child processes it started. Children without further edges in the graph are only listed on the "started" line of their parent.

random.exe (submitted sample)
  network: skippps.com; owlflright.digital; 9 other IPs or domains
  signatures: Suricata IDS alerts for network traffic; Found malware configuration;
    Malicious sample detected (through community Yara rule); 27 other signatures
  started: random.exe, futors.exe, namez.exe, 5 other processes

  random.exe
    network: 185.39.17.162 (RU-TAGNET-ASRU, Russian Federation);
      clarmodq.top 104.21.85.126 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\...\9CXVL10X39PPTO3TKYLHQTV6L9G.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Queries sensitive
      video device information (via WMI, Win32_VideoController, often done to detect
      virtual machines); Query firmware table information (likely to detect VMs);
      7 other signatures
    started: 9CXVL10X39PPTO3TKYLHQTV6L9G.exe

    9CXVL10X39PPTO3TKYLHQTV6L9G.exe
      dropped: C:\Users\user\AppData\Local\...\namez.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Contains functionality
        to start a terminal service; Contains functionality to inject code into
        remote processes
      started: namez.exe

      namez.exe
        network: 185.215.113.59 (WHOLESALECONNECTIONSNL, Portugal);
          185.215.113.16 (WHOLESALECONNECTIONSNL, Portugal)
        dropped: C:\Users\user\AppData\Local\...\07jGt0K.exe (PE32+);
          C:\Users\user\AppData\Local\...\20fwWdg.exe (PE32+);
          C:\Users\user\AppData\Local\...\08MjT3W.exe (PE32+);
          10 other malicious files
        signatures: Multi AV Scanner detection for dropped file; Contains
          functionality to start a terminal service
        started: 235T1TS.exe, 07jGt0K.exe, 20fwWdg.exe, 3 other processes

        235T1TS.exe
          signatures: Antivirus detection for dropped file; Multi AV Scanner
            detection for dropped file; Query firmware table information (likely
            to detect VMs); 4 other signatures
          started: svchost.exe, cmd.exe

          svchost.exe
            network: 82.29.67.160 (NTLGB, United Kingdom);
              grabify.link 104.26.9.202 (CLOUDFLARENETUS, United States);
              107.174.192.179 (AS-COLOCROSSINGUS, United States)
            dropped: C:\Users\user\AppData\Local\...\w32tm.exe (PE32+);
              C:\ProgramData\...\tzutil.exe (PE32+)
            signatures: Benign windows process drops PE files; 2 other signatures
            started: tzutil.exe, w32tm.exe

            tzutil.exe
              network: 104.168.28.10 (AS-COLOCROSSINGUS, United States)
              dropped: C:\Windows\Temp5hXn_2500.sys (PE32+)
              signatures: Multi AV Scanner detection for dropped file; Query
                firmware table information (likely to detect VMs); Adds a directory
                exclusion to Windows Defender; Sample is not signed and drops a
                device driver
              started: powershell.exe, powershell.exe

              powershell.exe
                signatures: Loading BitLocker PowerShell Module
                started: conhost.exe

              powershell.exe
                started: conhost.exe

            w32tm.exe
              network: edge.geo.kaspersky.com 4.28.136.57 (LEVEL3US, United States);
                127.0.0.1
              signatures: Tries to evade analysis by executing a special instruction
                (VM detection); Found direct / indirect Syscall (likely to bypass EDR)

          cmd.exe
            signatures: Adds a directory exclusion to Windows Defender
            started: powershell.exe, conhost.exe

            powershell.exe
              signatures: Loading BitLocker PowerShell Module

        07jGt0K.exe
          dropped: C:\Users\user\Documents\...\000002040029.exe (PE32+)
          signatures: Suspicious powershell command line found; Drops PE files to
            the document folder of the user; Creates multiple autostart registry keys
          started: 000002040029.exe, 2 other processes

          000002040029.exe
            signatures: Multi AV Scanner detection for dropped file; Queries
              sensitive disk information (via WMI, Win32_DiskDrive, often done to
              detect virtual machines); 4 other signatures
            started: 000002040029.exe

            000002040029.exe
              network: skippps.com 196.251.81.64 (SONIC-WirelessZA, Seychelles)
              signatures: Found strings related to Crypto-Mining

          2 other processes
            signatures: Loading BitLocker PowerShell Module
            started: conhost.exe

        20fwWdg.exe
          signatures: Writes to foreign memory regions; Allocates memory in foreign
            processes; Injects a PE file into a foreign process
          started: MSBuild.exe, MSBuild.exe

          MSBuild.exe
            network: changeaie.top 172.67.197.226 (CLOUDFLARENETUS, United States)
            signatures: Query firmware table information (likely to detect VMs);
              2 other signatures

        3 other processes
          dropped: C:\Users\user\AppData\Local\...\futors.exe (PE32)
          signatures: Contains functionality to start a terminal service
          started: MSBuild.exe, futors.exe, 6 other processes

          MSBuild.exe
            network: t.me 149.154.167.99 (TELEGRAMRU, United Kingdom);
              bardcauft.run 104.21.45.199 (CLOUDFLARENETUS, United States)
            signatures: Queries sensitive video device information (via WMI,
              Win32_VideoController, often done to detect virtual machines); Tries
              to steal Crypto Currency Wallets

          futors.exe
            signatures: Antivirus detection for dropped file; Contains functionality
              to start a terminal service

  futors.exe
    network: 185.215.113.209 (WHOLESALECONNECTIONSNL, Portugal)
    signatures: Contains functionality to start a terminal service
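The mining branch of the tree (000002040029.exe contacting skippps.com, together with the Detected Stratum mining protocol, Found strings related to Crypto-Mining and Yara detected Xmrig cryptocurrency miner signatures in the list above) is recognisable on the wire because Stratum is newline-delimited JSON-RPC with a small fixed set of method names. The classifier below is an added example, not part of this report or of any sandbox or IDS; it labels a reconstructed TCP stream line by line as classic Stratum v1 (mining.subscribe / mining.authorize / mining.submit) or the XMRig-style login / getjob / submit dialect used by Monero pools, and pulls the wallet login and miner agent string out of any login message. The sample stream, the wallet string and the job fields are constructed for illustration and are not traffic captured from this sample.

```python
import json

# Method names of the two Stratum dialects seen in the wild.
STRATUM_V1 = {"mining.subscribe", "mining.authorize", "mining.submit",
              "mining.notify", "mining.set_difficulty"}
STRATUM_XMR = {"login", "getjob", "submit", "keepalived"}

# Constructed sample stream (assumed traffic, one JSON object per line, client
# and server messages interleaved, plus two lines that are not Stratum at all).
SAMPLE_STREAM = """\
{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AexampleWalletAddress","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}
{"id":1,"jsonrpc":"2.0","result":{"id":"b1c2","job":{"blob":"0c0c...","job_id":"j1","target":"b88d0600","algo":"rx/0"},"status":"OK"},"error":null}
{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"b1c2","job_id":"j1","nonce":"1a2b3c4d","result":"00ff..."}}
{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}
{"id":2,"method":"mining.authorize","params":["worker1","x"]}
{"jsonrpc":"2.0","method":"ping","params":[]}
GET / HTTP/1.1
"""


def classify_line(line):
    """Return 'stratum_v1', 'stratum_xmr' or None for one line of the stream."""
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method in STRATUM_V1:
        return "stratum_v1"
    if method in STRATUM_XMR:
        params = msg.get("params")
        # "login" is a generic word; require the pool-style parameter object
        # (wallet in "login" and/or miner "agent") before calling it Stratum.
        if method == "login":
            if isinstance(params, dict) and ("login" in params or "agent" in params):
                return "stratum_xmr"
        else:
            return "stratum_xmr"
    # Server side of the XMRig dialect: the login reply carries a job with a blob to hash.
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict) \
            and "blob" in result["job"]:
        return "stratum_xmr"
    return None


def scan_stream(text):
    """Count hits per dialect and record (line number, dialect) for each Stratum line."""
    hits = {}
    details = []
    for n, line in enumerate(text.splitlines(), 1):
        kind = classify_line(line)
        if kind:
            hits[kind] = hits.get(kind, 0) + 1
            details.append((n, kind))
    return hits, details


def miner_indicators(text):
    """Extract the wallet/login and agent string from every XMRig-style login message."""
    out = []
    for line in text.splitlines():
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict) and msg.get("method") == "login" \
                and isinstance(msg.get("params"), dict):
            p = msg["params"]
            out.append({"login": p.get("login"), "agent": p.get("agent")})
    return out


if __name__ == "__main__":
    hits, details = scan_stream(SAMPLE_STREAM)
    print(hits, details)
    print(miner_indicators(SAMPLE_STREAM))
```

Matching on method names rather than on a port is the point: the report shows the miner talking to an ordinary-looking domain, and pools commonly listen on 443, 3333 or arbitrary high ports, so a port-based rule misses exactly the traffic the Stratum signature caught. The wallet and agent strings extracted from the login message are the indicators worth pivoting on afterwards.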