Threat name: Amadey, Credential Flusher, Healer AV Disabler
Alert
Classification: phis.troj.spyw.evad
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Credential Flusher
Yara detected Healer AV Disabler
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Behavior Graph
ID: 1673998
Sample: random.exe
Startdate: 25/04/2025
Architecture: WINDOWS
Score: 100

Behavior graph nodes and edges (reconstructed from the rendered graph; numbers in square brackets are the graph's own node ids, which matter because several processes share a name, e.g. saved.exe [10] and [47]):

[2] random.exe (submitted sample)
  Network: pastebin.com (Connects to a pastebin service (likely for C&C)); owlflright.digital; 66 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 27 other signatures
  Started: [10] saved.exe; [15] random.exe; [17] 986e92a60b.exe; [19] 5 other processes

[10] saved.exe
  Network: 185.39.17.163, 49728, 49729, 49731 (RU-TAGNET-ASRU, Russian Federation); push.services.mozilla.com
  Dropped: C:\Users\user\AppData\...\7a1fc84961.exe (PE32); C:\Users\user\AppData\...\1061bc0603.exe (PE32); C:\Users\user\AppData\...\c31adf97dc.exe (PE32); 11 other malicious files
  Signatures: Contains functionality to start a terminal service; Creates multiple autostart registry keys
  Started: [21] 986e92a60b.exe; [25] beee04ac19.exe; [27] c31adf97dc.exe; [38] 2 other processes

[15] random.exe
  Network: 185.39.17.162, 49727, 49730, 49732 (RU-TAGNET-ASRU, Russian Federation); clarmodq.top 172.67.205.184, 443, 49713, 49716 (CLOUDFLARENETUS, United States)
  Dropped: C:\...\F8KR8XEBLN2H4H74C38NARIHSORDITP.exe (PE32)
  Signatures: Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 6 other signatures
  Started: [29] F8KR8XEBLN2H4H74C38NARIHSORDITP.exe

[17] 986e92a60b.exe
  Dropped: C:\Users\user\...\OQCO9SZ09I61X2WLUGH8J.exe (PE32)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal from password manager
  Started: [31] chrome.exe

[19] 5 other processes
  Signatures: Suspicious powershell command line found; Binary is likely a compiled AutoIt script file; Tries to download and execute files (via powershell)
  Started: [34] powershell.exe; [36] firefox.exe

[21] 986e92a60b.exe
  Dropped: C:\Users\user\...\GEXVQI560SODNXQCRUZ.exe (PE32)
  Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 8 other signatures
  Started: [40] GEXVQI560SODNXQCRUZ.exe

[25] beee04ac19.exe
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures

[27] c31adf97dc.exe
  Dropped: C:\Users\user\AppData\Local\...\KDag0QgJj.hta (HTML)
  Signatures: Binary is likely a compiled AutoIt script file; Creates HTA files
  Started: [43] mshta.exe; [45] cmd.exe

[29] F8KR8XEBLN2H4H74C38NARIHSORDITP.exe
  Dropped: C:\Users\user\AppData\Local\...\saved.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service; Contains functionality to inject code into remote processes
  Started: [47] saved.exe

[31] chrome.exe
  Network: 192.168.2.4, 443, 49713, 49716 (unknown, unknown)
  Started: [49] chrome.exe

[34] powershell.exe
  Started: [52] conhost.exe

[36] firefox.exe
  Network: 127.0.0.1 (unknown, unknown)
  Started: [54] firefox.exe

[38] 2 other processes
  Signatures: Found API chain indicative of sandbox detection; 3 other signatures
  Started: [56] MSBuild.exe; [58] 7 other processes

[43] mshta.exe
  Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
  Started: [60] powershell.exe

[45] cmd.exe
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: [64] conhost.exe; [66] schtasks.exe

[47] saved.exe
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service

[49] chrome.exe
  Network: play.google.com 142.250.68.238, 443, 49778 (GOOGLEUS, United States); www.google.com 142.250.69.4, 443, 49756, 49757 (GOOGLEUS, United States); 4 other IPs or domains

[56] MSBuild.exe
  Network: t.me 149.154.167.99, 443, 49733 (TELEGRAMRU, United Kingdom); climatologfy.top 104.21.96.1, 443, 49734, 49737 (CLOUDFLARENETUS, United States)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to steal Crypto Currency Wallets

[58] 7 other processes
  Started: [68] conhost.exe; [70] conhost.exe; [72] conhost.exe; [74] 3 other processes

[60] powershell.exe
  Dropped: TempH1KUX602LGQBUJELHZPXIPQKGFZ5PMZW.EXE (PE32)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Powershell drops PE file
  Started: [76] TempH1KUX602LGQBUJELHZPXIPQKGFZ5PMZW.EXE; [79] conhost.exe

[76] TempH1KUX602LGQBUJELHZPXIPQKGFZ5PMZW.EXE
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to start a terminal service