MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
SHA3-384 hash: 437c82ea7fca99a93478e2233023bab9c3492ed56db7940c0d85b8d411840dbdc9f65ad3e4fe972cd76104c2ae75e0ed
SHA1 hash: 3084d8dcdc4e1940d58acfd00c5038ad91f46c38
MD5 hash: 2f4ea741f7cf82403c5a8a954bb418b8
humanhash: may-romeo-carolina-venus
File name:250427-p5qcba1sdw.bin
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'209'792 bytes
First seen:2025-04-27 12:58:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:+L75Cco6E2s+QaBjy3t8Oc+C1k7sbXKA+JprkIFpvYi8X4BDUnaDA+:GrVM8OrC1LjKXqIFd8IBDUnac+
Threatray 5 similar samples on MalwareBazaar
TLSH T113A53323E2F84433D8935BB01DF681C31A36BCB25E24C397598E5D592DB2663677233A
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter UNP4CK
Tags:LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-04-27 12:56:24 UTC
Tags:
lumma stealer amadey botnet loader auto-reg credentialflusher rdp auto-sch themida telegram autoit
Link:
https://app.any.run/tasks/cec0c9fd-3e13-45d0-a577-233f81ae329d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4290/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680e2978cc5fb3600cc348d5
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Searching for the window
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey amadey anti-vm CAB entropy explorer fingerprint installer lolbin lolbin masquerade microsoft_visual_cc netsh packed packed packed packer_detected rat rundll32 runonce sfx stealer virtual wmic
Link:
https://www.filescan.io/uploads/680e2a28212716475faf80be/reports/3c0015ea-dd81-4d3d-853c-685c53afd45e/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f49f8263-33d6-44fc-bd93-20456536497c
Result
Threat name:
Amadey, Credential Flusher, Healer AV Di
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675451
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTA files
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected JasonRAT
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1675451 Sample: 250427-p5qcba1sdw.bin.exe Startdate: 27/04/2025 Architecture: WINDOWS Score: 100 147 Found malware configuration 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 Antivirus detection for URL or domain 2->151 153 28 other signatures 2->153 9 saved.exe 4 60 2->9         started        14 250427-p5qcba1sdw.bin.exe 1 4 2->14         started        16 af26a64ced.exe 2->16         started        18 11 other processes 2->18 process3 dnsIp4 117 185.39.17.162 RU-TAGNET-ASRU Russian Federation 9->117 119 185.39.17.163 RU-TAGNET-ASRU Russian Federation 9->119 121 94.26.90.80 ASDETUKhttpwwwheficedcomGB Bulgaria 9->121 103 C:\Users\user\AppData\...\8d49012521.exe, PE32 9->103 dropped 105 C:\Users\user\AppData\Local\...\fJY9zTe.exe, PE32 9->105 dropped 107 C:\Users\user\AppData\Local\...\zb7jDew.exe, PE32 9->107 dropped 115 27 other malicious files 9->115 dropped 201 Contains functionality to start a terminal service 9->201 203 Creates multiple autostart registry keys 9->203 20 qRZ5juE.exe 9->20         started        24 af26a64ced.exe 9->24         started        26 3c472a37ab.exe 9->26         started        37 2 other processes 9->37 109 C:\Users\user\AppData\Local\...\2r9891.exe, PE32 14->109 dropped 111 C:\Users\user\AppData\Local\...\1v90E8.exe, PE32 14->111 dropped 28 2r9891.exe 1 14->28         started        31 1v90E8.exe 4 14->31         started        113 C:\Users\user\...\QDRKH0B7UN2G0AE2WTJ.exe, PE32 16->113 dropped 205 Query firmware table information (likely to detect VMs) 16->205 207 Found many strings related to Crypto-Wallets (likely being stolen) 16->207 209 Tries to harvest and steal ftp login credentials 16->209 217 6 other signatures 16->217 33 chrome.exe 16->33         started        35 chrome.exe 16->35         started        123 184.29.183.29 AKAMAI-ASUS United States 18->123 125 127.0.0.1 unknown unknown 18->125 211 Suspicious powershell command line found 18->211 213 Changes security center settings (notifications, updates, antivirus, firewall) 18->213 215 Tries to download and execute files (via powershell) 18->215 39 2 other processes 18->39 file5 signatures6 process7 dnsIp8 89 C:\Users\user\AppData\...\TelegramBuild.exe, PE32+ 20->89 dropped 91 C:\Users\user\...\Kstondb_Belphegor_obf.exe, PE32+ 20->91 dropped 155 Antivirus detection for dropped file 20->155 157 Multi AV Scanner detection for dropped file 20->157 159 Detected unpacking (changes PE section rights) 20->159 175 4 other signatures 20->175 41 TelegramBuild.exe 20->41         started        45 Kstondb_Belphegor_obf.exe 20->45         started        93 C:\Users\user\...\SUOK2ETLQIBSN8LZCFPLS.exe, PE32 24->93 dropped 177 3 other signatures 24->177 48 SUOK2ETLQIBSN8LZCFPLS.exe 24->48         started        161 Tries to detect sandboxes and other dynamic analysis tools (window names) 26->161 179 4 other signatures 26->179 127 172.67.205.184 CLOUDFLARENETUS United States 28->127 95 C:\Users\user\...\AMGJUCOVWK48ULWL77H3.exe, PE32 28->95 dropped 163 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->163 165 Query firmware table information (likely to detect VMs) 28->165 167 Contains functionality to start a terminal service 28->167 50 AMGJUCOVWK48ULWL77H3.exe 28->50         started        97 C:\Users\user\AppData\Local\...\saved.exe, PE32 31->97 dropped 169 Contains functionality to inject code into remote processes 31->169 52 saved.exe 31->52         started        129 192.168.2.4 unknown unknown 33->129 54 chrome.exe 33->54         started        56 chrome.exe 35->56         started        99 C:\Users\user\AppData\Local\...\IGMYMu34V.hta, HTML 37->99 dropped 171 Binary is likely a compiled AutoIt script file 37->171 173 Creates HTA files 37->173 58 8 other processes 37->58 60 2 other processes 39->60 file9 signatures10 process11 dnsIp12 101 C:\Users\user\AppData\Local\...\Cookies.temp, SQLite 41->101 dropped 181 Suspicious powershell command line found 41->181 183 Found many strings related to Crypto-Wallets (likely being stolen) 41->183 185 Tries to harvest and steal browser information (history, passwords, etc) 41->185 62 curl.exe 41->62         started        66 powershell.exe 41->66         started        131 46.247.108.41 FLUIDATAGB United Kingdom 45->131 133 8.8.8.8 GOOGLEUS United States 45->133 187 Creates multiple autostart registry keys 45->187 189 Creates an autostart registry key pointing to binary in C:\Windows 45->189 191 Multi AV Scanner detection for dropped file 52->191 193 Contains functionality to start a terminal service 52->193 195 Creates HTML files with .exe extension (expired dropper behavior) 52->195 135 142.250.141.84 GOOGLEUS United States 54->135 137 142.250.69.3 GOOGLEUS United States 54->137 141 4 other IPs or domains 54->141 139 142.250.69.4 GOOGLEUS United States 56->139 143 3 other IPs or domains 56->143 197 Tries to download and execute files (via powershell) 58->197 199 Uses schtasks.exe or at.exe to add and modify task schedules 58->199 69 powershell.exe 58->69         started        71 conhost.exe 58->71         started        73 conhost.exe 58->73         started        75 5 other processes 58->75 file13 signatures14 process15 dnsIp16 145 149.154.167.220 TELEGRAMRU United Kingdom 62->145 219 Suspicious powershell command line found 62->219 221 Tries to download and execute files (via powershell) 62->221 77 conhost.exe 62->77         started        85 C:\Users\user\...\user_OctalynRetrieved.zip, Zip 66->85 dropped 223 Loading BitLocker PowerShell Module 66->223 79 conhost.exe 66->79         started        87 Temp6U4NK8SBHKQ3VYOLUSPMNLQXFTKZIOXV.EXE, PE32 69->87 dropped 225 Contains functionality to start a terminal service 69->225 227 Powershell drops PE file 69->227 81 conhost.exe 69->81         started        83 Conhost.exe 69->83         started        file17 signatures18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377/
Threat name:
Win32.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2025-04-27 12:56:31 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yeupruivvnz6li4qaxrsqybpe4swmst73luopdpp36mzys4an3q._file
Verdict:
malicious
Label(s):
admintool_putty
Create hunting rule
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
06a6d58847363dd6ed52ce481e7e95fd5050109ec118a18eff7323320c910dff
LummaStealer
87922c7e74f51e7d7d965c5ea64d881bdad501b05794376155db64a1c555aec8
LummaStealer
cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14
LummaStealer
ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:f272e9 defense_evasion discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250427-p77z5stnx3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://185.39.17.163
https://clarmodq.top/qoxo
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://mqtropiscbs.live/iuwxx
https://buzzarddf.live/ktnt
https://biosphxere.digital/tqoa
https://parakehjet.run/kewk
https://n-ubearjk.live/benj
Verdict:
Malicious
Tags:
stealer redline stealc
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/c22b9ec6-c821-402f-9f9f-71a3325033d1
Unpacked files
SH256 hash:
ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
MD5 hash:
2f4ea741f7cf82403c5a8a954bb418b8
SHA1 hash:
3084d8dcdc4e1940d58acfd00c5038ad91f46c38
Link:
https://www.unpac.me/results/5c42ff9e-1d1d-45a5-948a-27d0dfbe8df7/
SH256 hash:
74a0ea1ddf2f8d6cf55a8de87cb7f600fe70b63f17a6f401037a470e2613a101
MD5 hash:
6befa852724eece69fef4173634640d1
SHA1 hash:
30b01e0de37b16f38680e10b639e79a4768c719d
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/5c42ff9e-1d1d-45a5-948a-27d0dfbe8df7/
SH256 hash:
61cc4d7cd06fe94d72e42da00683e84d9082dec613c02432412d82dd3c864aa2
MD5 hash:
1fb9a874a104e50f4f87845de068958c
SHA1 hash:
254c5cd27da1e8b810de0d11c6f10a3d31fa0ee0
Link:
https://www.unpac.me/results/5c42ff9e-1d1d-45a5-948a-27d0dfbe8df7/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee0947c688ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4290/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments