MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
SHA3-384 hash: 33bf13e4fcb3527091b617a682459d5228cf809c6c2686efa9d689ceea4a251cb8f4815d404d9a165be2348f9de18abe
SHA1 hash: 5caa46a18717c118fe2d1d62330e22471145b77b
MD5 hash: c8c077a0749e82219ad304ae8c41ed48
humanhash: kentucky-utah-north-moon
File name:c8c077a0749e82219ad304ae8c41ed48.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'887'232 bytes
First seen:2025-06-29 07:08:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:+olvf5srfawjdpxVL5lWH5I1qjSdsybUXZCA2FAtPFTbL+QQwrkrOrEfHJ+IONdV:+olvxqbv5rNbUp4AtVXPQwrkrvB+f
Threatray 202 similar samples on MalwareBazaar
TLSH T1199533CE153E4173D0ECD2399968780D9C5021BDF6A1D7E1EE2A970D37FAA068A47BC1
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
430
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
rl_eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
Verdict:
Malicious activity
Analysis date:
2025-06-29 07:18:11 UTC
Tags:
lumma stealer themida loader amadey botnet rdp
Link:
https://app.any.run/tasks/927c6663-c87b-4336-bf64-a10610a70a0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/11517/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6860e6d537c3436779470d49
Tags:
n/a
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm entropy packed packed packer_detected virtual
Link:
https://www.filescan.io/uploads/6860e71245e80b29f8a44909/reports/180772fb-a2cf-4fea-b71d-e43bb4d24444/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ca750662-e0ba-4be8-9a84-c4c4b1a29d20
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1724942
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-06-29 07:12:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5suwi6uirwp3di3l32cr7e3rq62c36j2epchgud5no3yluktpfga._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3d7006312157afde3e4e4393d7a6d116cb7b2b8c0d29f8c22565c6a367c2919e
LummaStealer
73f013b373cbfe949b2d645633d6fc1d1c0ba05a96fe8e344b54b7c8cafbae8c
LummaStealer
912bdc21b2b14efd395b9a4308a1015d797708abdb5fe897850b6195c50a40e0
LummaStealer
c1aac9177fbabccd0e0b5cf685e492da88dfb117a1a2842963b8ced99792a6fd
LummaStealer
c714577cc08df82a0894aa58aa968fa3b9761c198581bd99fce150fa488248e3
LummaStealer
cbc22ca48dc37364b0a9c1fbcfc592e1f70cb3633af2efa501fb0b4d95344c07
LummaStealer
ebbd4d40ee39ad9ccccf5288729b2285b0744aca85972055c31d5c0c92f4294f
LummaStealer
eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
LummaStealer
error
LummaStealer
+ 192 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250629-hzwtkshp6t/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://ketxsuz.xyz/xpaw
https://pacwpw.xyz/qwpr
https://comkxjs.xyz/taox
https://unurew.xyz/anhd
https://trsuv.xyz/gait
https://sqgzl.xyz/taoa
https://cexpxg.xyz/airq
https://urarfx.xyz/twox
https://liaxn.xyz/nbzh
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23193c03-3d67-43c2-b0ec-c8be8c739c8a
Unpacked files
SH256 hash:
eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c
MD5 hash:
c8c077a0749e82219ad304ae8c41ed48
SHA1 hash:
5caa46a18717c118fe2d1d62330e22471145b77b
Link:
https://www.unpac.me/results/c64dca08-e066-4c30-a2e6-8157446f0a01/
SH256 hash:
2899e0eb539bfd612cec57cb613c754b1e7433684a3dfb17ef41111563bb68d2
MD5 hash:
818db32f82f9d8bd83a9537f300aa244
SHA1 hash:
ce279f258b5fa6c99ad03a0e7158aba77d4be9c9
Link:
https://www.unpac.me/results/c64dca08-e066-4c30-a2e6-8157446f0a01/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eca9647a888d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe eca9647a888d9fb1a36bde851f937187b42df93a23c473507d6bb785d153794c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3542096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/11517/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments