MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 00fa8ab37cdc20fee6d8989dee3ba58c82b952f953d869f8312c3b0b2d599006. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LummaStealer
Vendor detections: 19
| SHA256 hash: | 00fa8ab37cdc20fee6d8989dee3ba58c82b952f953d869f8312c3b0b2d599006 |
|---|---|
| SHA3-384 hash: | f8b33d377eface781bed47be5a87561187000553dc4ec19391af3a73bee1296d16c7b32d1b615ae9820e57eac49048de |
| SHA1 hash: | 561a8a3e91997818c88089b1464702ce5b72bbee |
| MD5 hash: | f2e77c75ddc679f2e7fabdd8b8ac3f20 |
| humanhash: | rugby-sink-mike-south |
| File name: | 00fa8ab37cdc20fee6d8989dee3ba58c82b952f953d869f8312c3b0b2d599006.exe |
| Download: | download sample |
| Signature | LummaStealer |
| File size: | 12'679'858 bytes |
| First seen: | 2025-09-04 14:17:37 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner) |
| ssdeep | 393216:yNE0+y2PsXV+fdVr96iCww3vvU35phokM4sYg:LpPUVgYRBvvK5Y5 |
| Threatray | 153 similar samples on MalwareBazaar |
| TLSH | T145D63359E3F804FCE0A7B4B08EE54952E6763C498B71E69F07B886661F237609D3E710 |
| TrID | 87.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 5.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.4% (.EXE) Win64 Executable (generic) (10522/11/4) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| Reporter |  abuse_ch |
| Tags: | exe LummaStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
92
Origin country :
SEVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
00fa8ab37cdc20fee6d8989dee3ba58c82b952f953d869f8312c3b0b2d599006.exe
Verdict:
Malicious activity
Analysis date:
2025-09-04 12:30:36 UTC
Tags:
autoit telegram lumma stealer hijackloader loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Detection(s):
Verdict:
Malicious
Score:
99.9%
Tags:
virus spawn nsis sage
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
action adaptive-context anti-debug anti-vm base64 expand expired-cert explorer fingerprint fingerprint installer keylogger lolbin microsoft_visual_cc overlay overlay packed sfx threat
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-04T01:04:00Z UTC
Last seen:
2025-09-04T01:04:00Z UTC
Hits:
~10
Detections:
BSS:Trojan.Win32.Generic Backdoor.Agent.UDP.C&C Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Autoit.sb HEUR:Trojan.Script.Generic HEUR:Trojan.Script.AUO.gen HEUR:Trojan.Win32.Autoit.gen Trojan.Win32.Autoit.acxie
Verdict:
Suspicious
Result
Threat name:
HijackLoader, LummaC Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected HijackLoader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Score:
88%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
.Net AutoIt Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) Win 64 Exe x64
Verdict:
Malicious
Threat:
Family.LUMMA
Threat name:
Win64.Spyware.Lummastealer
Status:
Malicious
First seen:
2025-09-04 10:22:58 UTC
File Type:
PE+ (Exe)
Extracted files:
102
AV detection:
17 of 38 (44.74%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
unc_loader_058
Similar samples:
+ 143 additional samples on MalwareBazaar
Result
Malware family:
lumma
Score:
10/10
Tags:
family:hijackloader family:lumma defense_evasion discovery loader spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Modifies trusted root certificate store through registry
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/h456hdsd
https://kennetk.bet/zald
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
https://kennetk.bet/zald
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
0166edfb23cfc77519c97862a538a69b5d805d6a17d6e235f46927af5c04b3c9
MD5 hash:
9c373c00ac3138233bdf1655c7be8e86
SHA1 hash:
ee38f868e32950d1b8185249edc6ad4e1bc5592f
SH256 hash:
041a69d458e91b09d03356d05b27a14b0a7695317fc1ba971aab202ddb4d1df4
MD5 hash:
c967cf7c09ea4c2192dcb58b9859e59f
SHA1 hash:
4fa0816c785e955aef39d4d2688412e461695e95
SH256 hash:
1fe918979f1653d63bb713d4716910d192cd09f50017a6ecb4ce026ed6285df9
MD5 hash:
cef4b9f680faae322170b961a3421c5b
SHA1 hash:
dd89a2d355df989bbd8648789472bfe9c14afcd5
SH256 hash:
2e88436efd6d5ffab85709fd8b25873cf2739201cd4148c1c515559c38cd785b
MD5 hash:
0985a1b78f15f5e36ad3f5b00c719228
SHA1 hash:
b6e43450df9c3a4274eeb66f64398c067312a7ac
SH256 hash:
3807db7acf1b40c797e4d4c14a12c3806346ae56b25e205e600be3e635c18d4f
MD5 hash:
2e5c29fc652f432b89a1afe187736c4d
SHA1 hash:
96f8480b9339411d5d8c94918e983523b1a55c56
SH256 hash:
4aeeae0ac9f6c1b0b8835067ea3b7fc429f353565f18de7858f4ea5d6f72072e
MD5 hash:
7190cbfad2d7773d3b88ccc25533a651
SHA1 hash:
71fe2bacc14b433d51328ea0810c1a030c80d844
SH256 hash:
5063c17f2b01a17119fbbdd64338368bd9169f832abe719bfbd2b4e65fb599d4
MD5 hash:
b16a09fc1d6ff8cb36aeeecc3d1189d1
SHA1 hash:
5988d71c87e1157166569ee676a92ed528c22502
SH256 hash:
542a22540cdb7df46d957a0208d50507916f7c737bea833931239d56ebe8d68c
MD5 hash:
66f4e530a19ed2f6862b5ce946437875
SHA1 hash:
016bfa4eafb407e43abdcd9582dbca7dcf85d3de
SH256 hash:
68bd9c086d210eb14e78f00988ba88ceaf9056c8f10746ab024990f8512a2296
MD5 hash:
c6553959aecd5bac01c0673cfdf86b68
SHA1 hash:
045585659843f7214c79659a88302996bfb480a2
SH256 hash:
696c10112d8b86a46e5057cbd0bf40728e79c6bb49cda1f2c67fe45d0fc1258d
MD5 hash:
ad8d9a6ea592a6c8a78c67a805cec952
SHA1 hash:
3e9f35013044be456f33e300418453ab12c70df8
SH256 hash:
6c9c0dc7b36afe07dfb07dd373fc757ff25df4793e6384d7a6021471a474f0b9
MD5 hash:
ad0cbb9978fcf60d9e9ca45de6a28d30
SHA1 hash:
65549d9d7ee72de7d0cc356f92ad22eeb8dc18cc
SH256 hash:
6ccbd84715baf2f6eb7ec9141e488011722f613c40e2bdbd431447523e10d642
MD5 hash:
aa5f2e5a6dd62c61cc10160db86e222d
SHA1 hash:
4d27782620cc6a32ea60674ba33a004df82cf388
SH256 hash:
77b69e829bdc26c7b2474be6b8a2382345b2957e23046897e40992a8157a7ba1
MD5 hash:
3e415147ccd7c712618868bdd7a200cd
SHA1 hash:
b332f29915d846519dcb725d39e8c50604d7b414
SH256 hash:
7bb05120006bcac6dc541edf8cd823fc4efbbc3e01f773cb5980b977741773b9
MD5 hash:
355c7bd1b3897f14360ce0b46332ca5e
SHA1 hash:
4817812846073778c0be584737f4ab00d0c6f76e
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
SH256 hash:
81b425428d0d77672d1bb316cf6d80689ff9bfc43eafad56163f623ceecc94e4
MD5 hash:
f437ddd80e9124d49b01d24a3e4f8858
SHA1 hash:
97d637335cd474b7f4bcc461561d12f40ec6fe4f
SH256 hash:
85b1b189ce9e3c6f4d2efdd4cd82b0807f681bea2d28851caaf545990de99000
MD5 hash:
14f407d94c77b1b0039ae2c89b07a2ff
SHA1 hash:
528b91a8a8611da45463fac0a6bd5c58233f8fbc
SH256 hash:
8bb38a7a59fbaa792b3d5f34f94580429588c8c592929cbd307afd5579762abc
MD5 hash:
979c67ba244e5328a1a2e588ff748e86
SHA1 hash:
4c709ce527550eb7534cb6362afdb3623c98254e
SH256 hash:
9ac63682e03d55a5d18405d336634af080dd0003b565d12a39d6d71aaa989f48
MD5 hash:
659e4febc208545a2e23c0c8b881a30d
SHA1 hash:
11b890cc05c1e7c95f59eda4bb8ce8bc12b81591
SH256 hash:
a108a8f20ded00e742a1f818ef00eb425990b6b24a2bcd060dea4d7f06d3f165
MD5 hash:
69df2cce4528c9e38d04a461ba1f992b
SHA1 hash:
bb1d0da76cf696acf2e0f4e03e6d63fbad4325aa
SH256 hash:
bea8c675642cfef9c7e9eb77498c06082487a1ef436ea44768c7d396f054b923
MD5 hash:
a734a5e299ca76dd458300deb551a229
SHA1 hash:
58b4e344b11e549286036a25da3240594440795f
SH256 hash:
c2ad5bd189df04b39be18dec5cd251cf79b066010706ad26d99df7e49fd07762
MD5 hash:
9e82e3b658393bed3f7e4f090df1fbe7
SHA1 hash:
bfff954b8ef192c01af9fb5d9141a21279cb9c31
Detections:
INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5
SH256 hash:
c6b4e1d903b3cc83bfaffbe4e82eee634cff8f97f12217caa45b464ddc4e1455
MD5 hash:
9e9c6f83a015029808f5257f7b7e39c6
SHA1 hash:
5674192eb60eb152773fe0d50161f32759e2ea0f
SH256 hash:
c7115159babdaa1f52e478e67b4e612da2332fda4e4036999b29425fe303b6e8
MD5 hash:
bc418a3461c5fdfa1a0d75f7e03d08a7
SHA1 hash:
5cfefa62226f117b7e2fe58961269294eb62b84c
SH256 hash:
d00a0edace14715bf79dbd17b715d8a74a2300f0adb1f3fc137edfb7074c9b0a
MD5 hash:
6ee66dca31c5cce57740d677c85b4ce7
SHA1 hash:
8969db03f98f9548caf8e2d8c7f2f5cd7071f333
SH256 hash:
d10560f3a3fc232ef6b40c65d4933bd0878e27bd5564ca49025976f78e63a6eb
MD5 hash:
0d8c959a7ac1be81415671921d9b0035
SHA1 hash:
71f8e1837332849d55b53c4566b1b7e4afa38226
SH256 hash:
d11093fdc1d5c9213b9b2886ce91db3ded17ef8dae1615a8c7ffbc55b8e3f79b
MD5 hash:
0069fd29263c0dd90314c48bbce852ef
SHA1 hash:
dfb99c850a69e67e85f0a0985659f325bd8f84fc
SH256 hash:
e5ea2c21fb225090f7d0db6c6990d67b1558d8e834e86513bc8ba7a43c4e7b36
MD5 hash:
29001f316ccfc800e2246743df9b15b3
SHA1 hash:
dc734266648d3463c1f8d88c1ce7d900a4e3b26c
SH256 hash:
ebb0cd37e25b2f11e87b7bfc7da7839a22db36b754f5d050d20c532f8a1f77cb
MD5 hash:
c2c059f209c36d3659514016848b4020
SHA1 hash:
193e7292455d43eb268696c1d415aaf62ef518aa
SH256 hash:
f16447b5fc7fe6fb8a6699a3cef1b2b8ba92d408579bcc272d3dd76acd801e2a
MD5 hash:
c5d747f96237b6e9aa85c58745d30c80
SHA1 hash:
c6ad21597265faf25ea8d7f09577f3e6f4f7be10
SH256 hash:
f1eb582e607a1e43cdb1654bfb7cb29ad46f6728b3fb89a14f7727e0e8daab69
MD5 hash:
2bca4e2c047ec969cb3cff277e7fc184
SHA1 hash:
c4b5b00b605e59c6fdcb6731f2e53069506e287a
SH256 hash:
00fa8ab37cdc20fee6d8989dee3ba58c82b952f953d869f8312c3b0b2d599006
MD5 hash:
f2e77c75ddc679f2e7fabdd8b8ac3f20
SHA1 hash:
561a8a3e91997818c88089b1464702ce5b72bbee
Malware family:
CypherIt
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SelfExtractingRAR |
|---|---|
| Author: | Xavier Mertens |
| Description: | Detects an SFX archive with automatic script execution |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.