Threat name: Amadey, Credential Flusher, Healer AV Di
Alert
Classification: phis.troj.spyw.evad
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behavior Graph
ID: 1677076
Sample: random.exe
Startdate: 29/04/2025
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph (numbers in brackets are the graph's own node ids; each process lists its contacted IPs, dropped files, signatures and child processes as drawn in the graph):

[2] random.exe (submitted sample)
    signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 25 other signatures
    started: [9] saved.exe; [14] random.exe; [16] bd2dcad23e.exe; [18] 13 other processes

[9] saved.exe
    network: 185.39.17.163 (RU-TAGNET-ASRU, Russian Federation); 94.26.90.80 (ASDETUKhttpwwwheficedcomGB, Bulgaria)
    dropped: C:\Users\user\AppData\...\5a663d3264.exe (PE32); C:\Users\user\AppData\...\b82edda50f.exe (PE32); C:\Users\user\AppData\...\5a48d8f91b.exe (PE32); 29 other malicious files
    signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys
    started: [20] bd2dcad23e.exe; [25] 0b182023b7.exe; [27] 90cac6730e.exe; [37] 2 other processes

[14] random.exe
    network: 185.39.17.162 (RU-TAGNET-ASRU, Russian Federation); 104.21.51.232 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\...\02A8O9ETQ8HMCJ6VETGQ72.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 6 other signatures
    started: [29] 02A8O9ETQ8HMCJ6VETGQ72.exe

[16] bd2dcad23e.exe
    dropped: C:\Users\user\...\UQRW86CPB1B16QE6SIJOC1T.exe (PE32)
    signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
    started: [31] chrome.exe; [33] chrome.exe

[18] 13 other processes
    signatures: Suspicious powershell command line found; Changes security center settings (notifications, updates, antivirus, firewall); Tries to download and execute files (via powershell)
    started: [35] 0b182023b7.exe; [39] 2 other processes

[20] bd2dcad23e.exe
    network: 104.21.62.226 (CLOUDFLARENETUS, United States)
    dropped: C:\...\0NOZM2VQDGRDCGT77GLSH7Q0P3LGF.exe (PE32)
    signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
    started: [41] 0NOZM2VQDGRDCGT77GLSH7Q0P3LGF.exe

[25] 0b182023b7.exe
    signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures

[27] 90cac6730e.exe
    dropped: C:\Users\user\AppData\Local\...\2KnJjHuA4.hta (HTML)
    signatures: Creates HTA files
    started: [44] mshta.exe; [46] cmd.exe

[29] 02A8O9ETQ8HMCJ6VETGQ72.exe
    dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
    signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
    started: [48] saved.exe

[31] chrome.exe
    network: 192.168.2.6 (unknown, unknown)
    started: [50] chrome.exe

[33] chrome.exe
    started: [53] chrome.exe

[35] 0b182023b7.exe
    signatures: 3 other signatures

[37] 2 other processes
    signatures: Binary is likely a compiled AutoIt script file; 3 other signatures
    started: [55] taskkill.exe; [57] 5 other processes

[39] 2 other processes
    network: 35.190.72.216 (GOOGLEUS, United States); 127.0.0.1 (unknown, unknown)
    started: [59] 3 other processes

[44] mshta.exe
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Tries to download and execute files (via powershell)
    started: [61] powershell.exe

[46] cmd.exe
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules
    started: [65] conhost.exe; [67] schtasks.exe

[48] saved.exe
    signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

[50] chrome.exe
    network: 142.250.101.84 (GOOGLEUS, United States); 142.250.217.142 (GOOGLEUS, United States); 5 other IPs or domains

[53] chrome.exe
    network: 142.250.176.3 (GOOGLEUS, United States); 142.250.68.228 (GOOGLEUS, United States); 4 other IPs or domains

[55] taskkill.exe
    started: [69] conhost.exe

[57] 5 other processes
    started: [71] conhost.exe; [73] conhost.exe; [75] conhost.exe; [77] conhost.exe

[61] powershell.exe
    dropped: TempBWUJDHZRPGVXHY012ZWGB4NDVSUVSDGM.EXE (PE32)
    signatures: Powershell drops PE file
    started: [79] TempBWUJDHZRPGVXHY012ZWGB4NDVSUVSDGM.EXE; [82] conhost.exe

[79] TempBWUJDHZRPGVXHY012ZWGB4NDVSUVSDGM.EXE
    signatures: Multi AV Scanner detection for dropped file