MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699
SHA3-384 hash: ee074063ea0f015978e4dbc60ac56e56ec5cbbe2cbe07c51aba255aaa20745961d8f6d6c3ac9eacc007ad8bf5d8e6d99
SHA1 hash: fd1e1b1ee69bd0a5942c8bdd1f5762c0db060ce4
MD5 hash: bfa1b92e7d23318d2085ab0b4cccbb7a
humanhash: kitten-echo-fifteen-nitrogen
File name:bfa1b92e7d23318d2085ab0b4cccbb7a.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'018'752 bytes
First seen:2025-02-27 06:33:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:P/2bh/isGdH8w29VI2Q9rsPKu6cp2EL0qso/m:X2QDdcr9VI20o7zwEL0q7u
Threatray 1 similar samples on MalwareBazaar
TLSH T142D56B91B44CB1CFD8DE2B7494A7CD86995D07FA0B2048C3E96CA47A7D73DC12AB6C24
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
485
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
bfa1b92e7d23318d2085ab0b4cccbb7a.exe
Verdict:
Malicious activity
Analysis date:
2025-02-27 07:07:40 UTC
Tags:
lumma stealer loader amadey themida botnet stealc credentialflusher tofsee telegram gcleaner auto generic winscp tool redline metastealer vidar rdp
Link:
https://app.any.run/tasks/7292f5c8-8f82-4e9b-8fb1-5790b0a93f98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c007c6a0fd713c335d2dcd
Tags:
vmdetect phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm crypt obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67c007653c5f644bd93a476b/reports/e66073fc-c074-451c-94c0-0d780c54052d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699
Result
Verdict:
MALICIOUS
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d63a69be-cc8c-4c60-815c-c1dd55cca78f
Result
Threat name:
ScreenConnect Tool, Amadey, LummaC Steal
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1625416
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1625416 Sample: HO51qgwMkS.exe Startdate: 27/02/2025 Architecture: WINDOWS Score: 100 186 Found malware configuration 2->186 188 Malicious sample detected (through community Yara rule) 2->188 190 Antivirus detection for URL or domain 2->190 192 29 other signatures 2->192 11 rapes.exe 6 83 2->11         started        16 HO51qgwMkS.exe 14 2->16         started        18 Adobe QT32 Server.exe 2->18         started        20 7 other processes 2->20 process3 dnsIp4 172 176.113.115.6 SELECTELRU Russian Federation 11->172 136 C:\Users\user\AppData\...\10dbd7bfd4.exe, PE32 11->136 dropped 138 C:\Users\user\AppData\...\f3f125141b.exe, PE32 11->138 dropped 140 C:\Users\user\AppData\...\9b3e6ec8c2.exe, PE32 11->140 dropped 150 36 other malicious files 11->150 dropped 254 Contains functionality to start a terminal service 11->254 256 Creates multiple autostart registry keys 11->256 22 lWry6QF.exe 11->22         started        26 abba7692ca.exe 11->26         started        28 cmd.exe 11->28         started        39 2 other processes 11->39 174 176.113.115.7 SELECTELRU Russian Federation 16->174 176 185.7.214.51 DELUNETDE France 16->176 178 188.114.96.3 CLOUDFLARENETUS European Union 16->178 142 C:\Users\...\O01DOC5SHV1S2PCH1GAYV2EV.exe, PE32 16->142 dropped 144 C:\Users\user\...CFL0C3YAA286I397YE.exe, PE32+ 16->144 dropped 146 C:\Users\...\4UZ80U2DAZB3FXQC1NHOM1UFO4.exe, PE32 16->146 dropped 258 Detected unpacking (changes PE section rights) 16->258 260 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->260 262 Query firmware table information (likely to detect VMs) 16->262 274 7 other signatures 16->274 30 O01DOC5SHV1S2PCH1GAYV2EV.exe 30 16->30         started        32 4UZ80U2DAZB3FXQC1NHOM1UFO4.exe 4 16->32         started        34 ECFL0C3YAA286I397YE.exe 14 4 16->34         started        264 Maps a DLL or memory area into another process 18->264 266 Found direct / indirect Syscall (likely to bypass EDR) 18->266 37 cmd.exe 18->37         started        180 107.189.27.66 PONYNETUS United States 20->180 182 104.194.157.122 M247GB United States 20->182 148 C:\Users\user\AppData\...\systemdrive.exe, PE32 20->148 dropped 152 2 other malicious files 20->152 dropped 268 Suspicious powershell command line found 20->268 270 Tries to download and execute files (via powershell) 20->270 272 Creates HTA files 20->272 41 5 other processes 20->41 file5 signatures6 process7 dnsIp8 116 C:\Users\user\AppData\Local\...behaviorgraphxtuum.exe, PE32 22->116 dropped 198 Detected unpacking (changes PE section rights) 22->198 218 5 other signatures 22->218 43 Gxtuum.exe 22->43         started        118 C:\Users\user\AppData\Local\...\Z3BdJdQpx.hta, HTML 26->118 dropped 200 Multi AV Scanner detection for dropped file 26->200 202 Creates HTA files 26->202 55 2 other processes 26->55 46 cmd.exe 28->46         started        49 conhost.exe 28->49         started        120 C:\Users\user\svml_dispmd.dll, PE32 30->120 dropped 122 C:\Users\user\msvcr100.dll, PE32 30->122 dropped 124 C:\Users\user\msvcp100.dll, PE32 30->124 dropped 130 19 other malicious files 30->130 dropped 204 Drops PE files to the user root directory 30->204 51 Adobe QT32 Server.exe 30->51         started        126 C:\Users\user\AppData\Local\...\rapes.exe, PE32 32->126 dropped 206 Contains functionality to start a terminal service 32->206 208 Contains functionality to inject code into remote processes 32->208 53 rapes.exe 32->53         started        164 162.125.66.15 DROPBOXUS United States 34->164 166 162.125.66.18 DROPBOXUS United States 34->166 210 Encrypted powershell cmdline option found 34->210 212 Bypasses PowerShell execution policy 34->212 57 2 other processes 34->57 128 C:\Users\user\AppData\Local\Temp\qgmkb, PE32 37->128 dropped 220 2 other signatures 37->220 59 3 other processes 37->59 168 104.102.49.254 AKAMAI-ASUS United States 39->168 214 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->214 216 Query firmware table information (likely to detect VMs) 39->216 222 3 other signatures 39->222 132 2 other malicious files 41->132 dropped 61 3 other processes 41->61 file9 signatures10 process11 file12 224 Detected unpacking (changes PE section rights) 43->224 226 Tries to detect sandboxes and other dynamic analysis tools (window names) 43->226 228 Tries to evade debugger and weak emulator (self modifying code) 43->228 242 3 other signatures 43->242 154 C:\Temp\D7oycAHfs.hta, HTML 46->154 dropped 230 Creates HTA files 46->230 63 mshta.exe 46->63         started        66 cmd.exe 46->66         started        68 cmd.exe 46->68         started        80 4 other processes 46->80 156 C:\Users\user\AppData\...\svml_dispmd.dll, PE32 51->156 dropped 158 C:\Users\user\AppData\...\msvcr100.dll, PE32 51->158 dropped 160 C:\Users\user\AppData\...\msvcp100.dll, PE32 51->160 dropped 162 19 other malicious files 51->162 dropped 70 Adobe QT32 Server.exe 51->70         started        232 Contains functionality to start a terminal service 53->232 234 Suspicious powershell command line found 55->234 236 Tries to download and execute files (via powershell) 55->236 72 powershell.exe 55->72         started        82 2 other processes 55->82 76 conhost.exe 57->76         started        238 Found direct / indirect Syscall (likely to bypass EDR) 59->238 240 Switches to a custom stack to bypass stack traces 61->240 78 WerFault.exe 61->78         started        signatures13 process14 dnsIp15 276 Suspicious powershell command line found 63->276 278 Tries to download and execute files (via powershell) 63->278 84 powershell.exe 63->84         started        87 powershell.exe 66->87         started        89 powershell.exe 68->89         started        280 Maps a DLL or memory area into another process 70->280 282 Found direct / indirect Syscall (likely to bypass EDR) 70->282 91 cmd.exe 70->91         started        170 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 72->170 134 TempYVFRQETHNSOWXJFLKKSHAO3MBYVRNU9E.EXE, PE32 72->134 dropped 284 Powershell drops PE file 72->284 94 TempYVFRQETHNSOWXJFLKKSHAO3MBYVRNU9E.EXE 72->94         started        96 conhost.exe 72->96         started        98 powershell.exe 80->98         started        file16 signatures17 process18 file19 112 C:\Users\...\483d2fa8a0d53818306efeb32d3.exe, PE32 84->112 dropped 100 483d2fa8a0d53818306efeb32d3.exe 84->100         started        103 conhost.exe 84->103         started        114 C:\Users\user\AppData\Local\Temp\kocu, PE32 91->114 dropped 244 Uses schtasks.exe or at.exe to add and modify task schedules 91->244 246 Writes to foreign memory regions 91->246 248 Found hidden mapped module (file has been removed from disk) 91->248 252 2 other signatures 91->252 105 servicebrowserv5.exe 91->105         started        107 conhost.exe 91->107         started        250 Multi AV Scanner detection for dropped file 94->250 signatures20 process21 signatures22 194 Multi AV Scanner detection for dropped file 100->194 196 Found direct / indirect Syscall (likely to bypass EDR) 105->196 109 WerFault.exe 105->109         started        process23 dnsIp24 184 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 109->184
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699/
Threat name:
Win32.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2025-02-27 01:22:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vkr7x5drol2z36pwbeyakm52si4mjtwv5k7ct2x5ii6j7te22mq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
5fb4a32ac927960d0e1e02deb5bd5fc9dbab2adc5f7ab56bf92e3e90b27df9f1
LummaStealer
error
LummaStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:vidar botnet:092155 botnet:a4d2cd botnet:ir7am botnet:testproliv credential_access defense_evasion discovery execution infostealer persistence privilege_escalation spyware stealer trojan
Link:
https://tria.ge/reports/250227-hbw5fayvfv/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Control Panel
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Checks BIOS information in registry
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detect Vidar Stealer
Lumma Stealer, LummaC
Lumma family
RedLine
RedLine payload
Redline family
Vidar
Vidar family
Malware Config
C2 Extraction:
http://176.113.115.6
https://t.me/l793oy
https://steamcommunity.com/profiles/76561199829660832
http://cobolrationumelawrtewarms.com
http://�������� jlgenfekjlfnvtgpegkwr.xyz
https://paleboreei.biz/api
45.155.103.183:1488
Dropper Extraction:
http://185.215.113.16/mine/random.exe
Verdict:
Malicious
Tags:
lumma lumma_stealer c2 stealer
YARA:
n/a
Link:
https://app.threat.zone/submission/3c4e1653-4c05-4a35-b28d-48299500de0d
Unpacked files
SH256 hash:
f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699
MD5 hash:
bfa1b92e7d23318d2085ab0b4cccbb7a
SHA1 hash:
fd1e1b1ee69bd0a5942c8bdd1f5762c0db060ce4
Link:
https://www.unpac.me/results/b7ab6b17-4ba5-4773-bde1-e13df90a8286/
SH256 hash:
af0758d459177f144eb005bf8aaae16cf919fe87cb4a97fe97fc56cdfcf9906d
MD5 hash:
3ffb0dbee3c3ff8c535ba943a7bcd7f0
SHA1 hash:
61d291715d1678d88ebf65ab51d27a09b6ffa84f
Link:
https://www.unpac.me/results/b7ab6b17-4ba5-4773-bde1-e13df90a8286/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f5551fdfa38b97acefcfb04980299dd491c62676af55f14f57ea11e4fe64d699

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3452044/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments