MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
SHA3-384 hash: c8bc80ad81115b07e598b75d5b932ae36c80c5a31f279a277f9b3084d663e07e530658d6ba3029244ea75c1b63ae3dc3
SHA1 hash: ef7f1a889671f1ce8c49ae863bfa123131d522b7
MD5 hash: 745d5cd64aee1b5c9f396c367c36e89a
humanhash: november-texas-vermont-wisconsin
File name:745d5cd64aee1b5c9f396c367c36e89a.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'137'536 bytes
First seen:2025-02-26 08:18:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:CzNfq24YqGcluwrr3HTb79LIaMRmpbrbtRQZciM:CzNi24YqGmuwn3HTf9LE+RQZci
Threatray 1 similar samples on MalwareBazaar
TLSH T1D6E52891A524E2EBDC8D6335592BCD8A695C03A947380DC3D878B47DBDA3CC626F7C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
455
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
745d5cd64aee1b5c9f396c367c36e89a.exe
Verdict:
Malicious activity
Analysis date:
2025-02-26 08:47:47 UTC
Tags:
lumma stealer themida loader amadey stealc botnet opendir putty tool tas17 auto generic rdp telegram vidar
Link:
https://app.any.run/tasks/692becce-d2aa-4b96-8dae-83d3bb3f87d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67becf1d28ab76d43a5d383f
Tags:
shellcode virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67bece853afc3763bec75ba7/reports/b1d9d17f-bc6e-44af-ae46-89a39d7dec72/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/136f691d-16d8-477a-b436-89801dda59f9
Result
Threat name:
Amadey, LummaC Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1624411
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1624411 Sample: Anv6Gbh51e.exe Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 87 presentymusse.world 2->87 89 www3.l.google.com 2->89 91 5 other IPs or domains 2->91 111 Suricata IDS alerts for network traffic 2->111 113 Found malware configuration 2->113 115 Antivirus detection for URL or domain 2->115 117 15 other signatures 2->117 11 Anv6Gbh51e.exe 13 2->11         started        16 rapes.exe 23 2->16         started        18 rapes.exe 2->18         started        signatures3 process4 dnsIp5 97 presentymusse.world 104.21.27.210, 443, 49731, 49732 CLOUDFLARENETUS United States 11->97 99 185.215.113.16, 49746, 80 WHOLESALECONNECTIONSNL Portugal 11->99 101 176.113.115.7, 49745, 50041, 80 SELECTELRU Russian Federation 11->101 71 C:\Users\...\XK9L90SC7AOEFMV7ZL8Q53257L.exe, PE32 11->71 dropped 73 C:\Users\user\...73KJ797NQF61QBFM5Y63P3Y.exe, PE32 11->73 dropped 147 Detected unpacking (changes PE section rights) 11->147 149 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->149 151 Query firmware table information (likely to detect VMs) 11->151 155 9 other signatures 11->155 20 XK9L90SC7AOEFMV7ZL8Q53257L.exe 33 11->20         started        25 NKJ797NQF61QBFM5Y63P3Y.exe 4 11->25         started        103 176.113.115.6, 50016, 50027, 80 SELECTELRU Russian Federation 16->103 75 C:\Users\user\AppData\Local\...\Yg1HwMX.exe, PE32 16->75 dropped 77 C:\Users\user\AppData\Local\...\RHPLumH.exe, PE32 16->77 dropped 79 C:\Users\user\AppData\Local\...\0iMSdYX.exe, PE32 16->79 dropped 81 3 other malicious files 16->81 dropped 153 Contains functionality to start a terminal service 16->153 27 0iMSdYX.exe 3 16->27         started        29 Yg1HwMX.exe 16->29         started        31 RHPLumH.exe 16->31         started        file6 signatures7 process8 dnsIp9 93 185.215.113.115, 49754, 49837, 80 WHOLESALECONNECTIONSNL Portugal 20->93 95 127.0.0.1 unknown unknown 20->95 59 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 20->59 dropped 61 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->61 dropped 63 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->63 dropped 69 11 other malicious files 20->69 dropped 131 Antivirus detection for dropped file 20->131 133 Detected unpacking (changes PE section rights) 20->133 135 Attempt to bypass Chrome Application-Bound Encryption 20->135 145 12 other signatures 20->145 33 chrome.exe 20->33         started        65 C:\Users\user\AppData\Local\...\rapes.exe, PE32 25->65 dropped 137 Multi AV Scanner detection for dropped file 25->137 139 Contains functionality to start a terminal service 25->139 141 Contains functionality to inject code into remote processes 25->141 36 rapes.exe 25->36         started        67 C:\Users\user\AppData\Roaming\nahprot.bat, DOS 27->67 dropped 39 cmd.exe 27->39         started        143 Injects a PE file into a foreign processes 29->143 41 Yg1HwMX.exe 29->41         started        43 WerFault.exe 29->43         started        file10 signatures11 process12 dnsIp13 83 192.168.2.4, 443, 49723, 49731 unknown unknown 33->83 85 239.255.255.250 unknown Reserved 33->85 45 chrome.exe 33->45         started        119 Multi AV Scanner detection for dropped file 36->119 121 Contains functionality to start a terminal service 36->121 123 Suspicious powershell command line found 39->123 48 powershell.exe 39->48         started        50 conhost.exe 39->50         started        125 Tries to harvest and steal browser information (history, passwords, etc) 41->125 127 Tries to steal Crypto Currency Wallets 41->127 signatures14 process15 dnsIp16 105 www3.l.google.com 142.250.185.238, 443, 49818 GOOGLEUS United States 45->105 107 www.google.com 216.58.206.36, 443, 49789, 49791 GOOGLEUS United States 45->107 109 3 other IPs or domains 45->109 52 cmd.exe 48->52         started        process17 signatures18 129 Suspicious execution chain found 52->129 55 conhost.exe 52->55         started        57 powershell.exe 52->57         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 03:07:01 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ups3fk542mpmc4get7lhudysg7rsa2bdw6myzpedpx44l5mggka._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
LummaStealer
error
LummaStealer
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250226-j7ytks1mt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
lumma_stealer c2 lumma stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/2e62da40-1751-4b47-ae07-c5013afdf623
Unpacked files
SH256 hash:
ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
MD5 hash:
745d5cd64aee1b5c9f396c367c36e89a
SHA1 hash:
ef7f1a889671f1ce8c49ae863bfa123131d522b7
Link:
https://www.unpac.me/results/4c678737-1aef-485d-838e-51ecfc05203f/
SH256 hash:
cafb92ffb2c4f0cee4e45c8a685f0cbec692b7529a14687e0602e3fa844574b2
MD5 hash:
ad9398fe07bf9d930ca73bf6f2c89816
SHA1 hash:
97af802977807a0ca960a95661853e4339659f10
Link:
https://www.unpac.me/results/4c678737-1aef-485d-838e-51ecfc05203f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments