MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2584f132a6e2588475dd0dbcb480d0e84988029d54d8bea33b0410df1734a58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16

SHA256 hash: f2584f132a6e2588475dd0dbcb480d0e84988029d54d8bea33b0410df1734a58
SHA3-384 hash: 51527be768c10d5fb7cd5bec9c4644e2a31337d08fe4dc02b5749f7acc8678b3e8aa1cc25b7152e74be6596f652ad834
SHA1 hash: e4741a2091c03939fb2c7f8eb2be940b09d42131
MD5 hash: a4442e4267d3d5b639f79f08b52bbb1b
humanhash: carbon-monkey-four-hotel
File name: random.exe
Signature: LummaStealer
File size: 1'892'352 bytes
First seen: 2025-04-19 11:20:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:fbwoAqWRZQ5mDPf47OXC6h0X4eOPy4DK:jTCZ+mDPQ7+C6WPOVDK
TLSH: T137953303FEC2ADD9C69A0AB78F4E0719F3B44A68F5582A03860E56251EDF317DC8DC56
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 443
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-04-19 11:43:07 UTC
Tags: lumma stealer themida amadey loader botnet python auto-startup autoit darkvision remote auto-sch fileshare rdp pyinstaller telegram auto-reg pastebin miner rat asyncrat rhadamanthys auto generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autorun emotet cobalt spam
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt entropy packed packed packer_detected rat virtual xpack
Result
Threat name: Koadic, Amadey, CryptOne, DarkVision Rat
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected DarkVision Rat
Yara detected Koadic BAT payload
Yara detected LummaC Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1669142; sample: random.exe; start date: 19/04/2025; architecture: WINDOWS; score: 100): rendered process/network graph not reproduced here.
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-04-19 06:46:42 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 19 of 24 (79.17%)
Threat level: 2/5
Verdict: malicious
Label(s): lummastealer
Similar samples:
Result
Malware family: stormkitty
Score: 10/10
Tags: family:amadey family:asyncrat family:darkvision family:lumma family:rhadamanthys family:stormkitty botnet:8ac6b9 bootkit credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
System Location Discovery: System Language Discovery
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Sets service image path in registry
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
AsyncRat
Asyncrat family
DarkVision Rat
Darkvision family
Detects Rhadamanthys payload
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Rhadamanthys
Rhadamanthys family
StormKitty
StormKitty payload
Stormkitty family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: f2584f132a6e2588475dd0dbcb480d0e84988029d54d8bea33b0410df1734a58
MD5 hash: a4442e4267d3d5b639f79f08b52bbb1b
SHA1 hash: e4741a2091c03939fb2c7f8eb2be940b09d42131
SHA256 hash: 19e8edb46f885c8eeedb2851a325a1fb7b5a8834d6b2a8759f7e8caf915c48da
MD5 hash: 7382b7596f224a580a23df9912aeaade
SHA1 hash: 6a7510f46011e375f7c9d140f559e88ff485b1dc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method    Signature       File
Web download       LummaStealer    Executable exe f2584f132a6e2588475dd0dbcb480d0e84988029d54d8bea33b0410df1734a58 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                           Title                                                    Severity
CHECK_AUTHENTICODE           Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS    Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
CHECK_NX                     Missing Non-Executable Memory Protection                 critical
