MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 24 File information Comments

SHA256 hash:	525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0
SHA3-384 hash:	e0299ab7e8275344edf402031d2742097f7df39b692cb52ba49dfb30ea29cd4ec6816bc8bb50f2f7d5381948040f1c5c
SHA1 hash:	8647c770a351f7332e01ef56a6bf150300e33c34
MD5 hash:	2c983e8a01b18dd7b1650e473f5daf11
humanhash:	shade-massachusetts-twenty-blossom
File name:	svchost.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	655'360 bytes
First seen:	2025-11-23 09:22:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	77eb68348ee30e01ec09fce3582c5f76 (19 x Simda, 2 x njrat, 2 x LummaStealer)
ssdeep	12288:vsjCF2QZiOU+4zX7wM45QygROD22O3ZGdZD7AyyymI:vOC39Uv7V4WnROD22cqD7YI
TLSH	T149D4CF0AFA5381A1E809083714EAF77B1630AE174725CEC7EBC0FB98AC77BD16579506
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10522/11/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

svchost.exe

Verdict:

Malicious activity

Analysis date:

2025-11-23 17:10:10 UTC

Tags:

anti-evasion

Link:

https://app.any.run/tasks/6f9b3083-3a2d-473e-b75f-2a1b5970c464

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/40408/

Detection(s):

Win.Packed.Generic-9795615-0

Win.Packed.Generic-9795616-0

Win.Dropper.njRAT-10015886-0

Win.Dropper.Nanocore-10030076-0

Win.Packed.Zard-10035522-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.B-468

Win.Trojan.Bladabindi-6192388-0

Win.Packed.Bladabindi-6917466-0

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Win.Trojan.Ratenjay-1

Win.Trojan.Shiz-2273

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6922db83140de26f6c2c90f6

Tags:

emotet njrat

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Moving of the original file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cmd config-extracted fingerprint installer-heuristic keylogger lolbin lumma lummastealer netsh njrat njrat overlay overlay packed rat reconnaissance

Link:

https://www.filescan.io/uploads/6922d7fa5d3feebe12d81102/reports/c231db30-f68e-4d22-88c9-fe24f69a5d99/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0

Verdict:

Lumma Stealer

YARA:

9 match(es)

Tags:

.Net Executable Lumma Stealer PE (Portable Executable) PE File Layout Stealer Win 32 Exe x86

Link:

https://app.malva.re/file/2c983e8a01b18dd7b1650e473f5daf11

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-11-21 08:52:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 36 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kjnc62rgnxhq3ueo7folx2ygfoz5atvap26q3ihn6f5xxzf2sxaa._file

Result

Malware family:

njrat

Score:

10/10

Tags:

family:lumma family:njrat discovery persistence stealer trojan

Link:

https://tria.ge/reports/251123-lryvraylan/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Lumma Stealer, LummaC

Lumma family

Modifies WinLogon for persistence

Njrat family

njRAT/Bladabindi

Malware Config

C2 Extraction:

https://caffegclasiqwp.shop/api
https://stamppreewntnq.shop/api
https://stagedchheiqwo.shop/api
https://millyscroqwp.shop/api
https://evoliutwoqm.shop/api
https://condedqpwqm.shop/api
https://traineiwnqo.shop/api
https://locatedblsoqp.shop/api
https://deteriotraiwo.shop/api

Verdict:

Malicious

Tags:

rat njrat Win.Packed.Generic-9795615-0

YARA:

malware_Njrat_strings Windows_Trojan_Njrat_30f3c220 MAL_Njrat MALWARE_Win_NjRAT JPCERTCC_Njrat

Link:

https://app.threat.zone/submission/1e2885b3-a8b3-4d55-8a6b-2fb63096bd04

Unpacked files

SH256 hash:

525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0

MD5 hash:

2c983e8a01b18dd7b1650e473f5daf11

SHA1 hash:

8647c770a351f7332e01ef56a6bf150300e33c34

Detections:

win_njrat_g1

win_njrat_w1

win_lumma_auto

LummaStealer

NjRat

Link:

https://www.unpac.me/results/b4828a43-5ce8-4f5d-9bdf-3e0e5197b44f/

SH256 hash:

5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1

MD5 hash:

4d08b3bd3f85cd71c54d69cefed0bed6

SHA1 hash:

a93dc58b7c40a3b2701f91d5daff7146277fc894

Detections:

win_njrat_g1

win_njrat_w1

NjRat

CN_disclosed_20180208_c

Njrat

win_njrat_bytecodes_oct_2023

win_njrat_strings_oct_2023

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/b4828a43-5ce8-4f5d-9bdf-3e0e5197b44f/

Parent samples :

06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1
5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1
0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c
0ff2942601a42220b5dc6efd49f1cb98f51fd5028e73574eb76ceba501092536
525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/525a2f6a266d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_Enable_OfficeMacro Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros

Rule name:	Lumma Create hunting rule
Author:	kevoreilly
Description:	Lumma Payload

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	win32_lumma_stealer Create hunting rule
Author:	Reedus0
Description:	Rule for detecting LummaStealer malware

Rule name:	win32_njrat Create hunting rule
Author:	Reedus0
Description:	Rule for detecting njRAT malware

Rule name:	Windows_Trojan_Lumma_4ad749b0 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40408/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample