MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
SHA3-384 hash: 3ad785ebd453fb5321b5b1c550b8f55c38182991b9912784c50fb0fa6407b7fd49a055dc7e783b0cd512f7a601c2ab8c
SHA1 hash: 854b6fc46b312c7ad1fe8d47bb24da07dca39bd1
MD5 hash: 3c1b9e4e02d350ad9cc0db8f1d1b8bff
humanhash: kansas-comet-maryland-alpha
File name:3c1b9e4e02d350ad9cc0db8f1d1b8bff.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'094'765 bytes
First seen:2025-07-19 13:47:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:b/5RO6VU4Cr4oJlwUgybOpLjEUDNKM7R6AWHM7ySfPi6qRF0ONKOE24xTcNkgEDk:b/5IVzlwNyaaUD0M7knQyqPi6qf0ONKk
Threatray 868 similar samples on MalwareBazaar
TLSH T154E5331377EAC2F6E09229365A319F735AFDFAB25B1598DB87840E011D68AD04B7D0C3
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
30
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e85b66a48c8e7243defdd21a4bb9043b44fc6e386697b7b88c65974dcd9f82a4.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-07-19 03:25:57 UTC
Tags:
delphi gcleaner loader autoit lumma stealer auto generic telegram
Link:
https://app.any.run/tasks/b35add7a-c078-4cf9-a048-4e9c78f3c555

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15798/
Detection(s):
Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687ba1f584b37dd61eef9605
Tags:
dropper xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Behavior that indicates a threat
Unauthorized injection to a recently created process
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/687ba1f08a7d628a81b7a11b/reports/30d4b1f8-0e30-4b58-bed2-504d3e004462/overview
Verdict:
Malicious
Labled as:
Malware/7zip
Link:
https://www.hybrid-analysis.com/sample/030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ccd87fa-a405-4f01-9b94-2b5ab2583a42
Result
Threat name:
CoinMiner, LummaC Stealer, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1740112
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CoinMiner
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1740112 Sample: shTdK1gcbV.exe Startdate: 19/07/2025 Architecture: WINDOWS Score: 100 103 greqjfu.xyz 2->103 105 annwt.xyz 2->105 107 14 other IPs or domains 2->107 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 127 12 other signatures 2->127 15 shTdK1gcbV.exe 8 2->15         started        19 MicrosoftApi.exe 2->19         started        22 MicrosoftApi.exe 2->22         started        24 MicrosoftApi.exe 2->24         started        signatures3 125 Performs DNS queries to domains with low reputation 105->125 process4 dnsIp5 99 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 15->99 dropped 101 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 15->101 dropped 115 Contains functionality to register a low level keyboard hook 15->115 26 cmd.exe 2 15->26         started        109 64.188.76.154, 49699, 49700, 49701 AS-CSDVRSUS United States 19->109 file6 signatures7 process8 signatures9 149 Uses schtasks.exe or at.exe to add and modify task schedules 26->149 151 Adds a directory exclusion to Windows Defender 26->151 29 yccc.exe 3 26->29         started        32 7z.exe 2 26->32         started        34 7z.exe 3 26->34         started        36 7 other processes 26->36 process10 file11 93 C:\Users\user\AppData\Local\Temp\ycorig.exe, PE32 29->93 dropped 95 C:\Users\user\AppData\Local\...\Updater.exe, PE32 29->95 dropped 38 Updater.exe 1 29->38         started        41 ycorig.exe 2 29->41         started        97 C:\Users\user\AppData\Local\Temp\...\yccc.exe, PE32 32->97 dropped process12 signatures13 141 Multi AV Scanner detection for dropped file 38->141 143 Encrypted powershell cmdline option found 38->143 43 powershell.exe 15 20 38->43         started        145 Antivirus detection for dropped file 41->145 48 WerFault.exe 19 16 41->48         started        process14 dnsIp15 111 adobe-plugin.info 172.67.151.190, 443, 49695 CLOUDFLARENETUS United States 43->111 89 C:\Users\user\AppData\Local\Temp\ycv.exe, PE32+ 43->89 dropped 91 C:\Users\user\AppData\Local\Temp\yc.exe, PE32+ 43->91 dropped 159 Powershell drops PE file 43->159 50 yc.exe 43->50         started        54 ycv.exe 43->54         started        56 conhost.exe 43->56         started        file16 signatures17 process18 file19 85 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 50->85 dropped 129 Antivirus detection for dropped file 50->129 131 Multi AV Scanner detection for dropped file 50->131 133 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->133 58 MicrosoftApi.exe 50->58         started        135 Writes to foreign memory regions 54->135 137 Allocates memory in foreign processes 54->137 139 Injects a PE file into a foreign processes 54->139 62 MSBuild.exe 54->62         started        signatures20 process21 dnsIp22 87 C:\Users\user\AppData\...\tmp7DDE.tmp.cmd, DOS 58->87 dropped 153 Antivirus detection for dropped file 58->153 155 Multi AV Scanner detection for dropped file 58->155 157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 58->157 65 cmd.exe 58->65         started        68 cmd.exe 58->68         started        113 steamcommunity.com 23.54.187.178, 443, 49698 AKAMAI-ASUS United States 62->113 file23 signatures24 process25 signatures26 117 Adds a directory exclusion to Windows Defender 65->117 70 powershell.exe 65->70         started        73 conhost.exe 65->73         started        75 timeout.exe 65->75         started        77 conhost.exe 68->77         started        79 timeout.exe 68->79         started        81 schtasks.exe 68->81         started        process27 signatures28 147 Loading BitLocker PowerShell Module 70->147 83 WmiPrvSE.exe 70->83         started        process29
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/3c1b9e4e02d350ad9cc0db8f1d1b8bff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f/
Verdict:
Malicious
Threat:
Trojan.Win32.SFX
Link:
https://tip.neiki.dev/file/030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-07-19 13:47:33 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ambudogopx6nsxjzdcai7peln45vibcxylacvelk7yasyssp25xq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
012f21316b621c52a86a52db8c648eca3111d375ccb0c9e50fae1c14516e9a48
LummaStealer
1fbb7cc796ed31d975e436f3e164633914fccdaaeb5da6075862d87e3601dc33
LummaStealer
3665ea3dd2379f851bd539390cc427ae6fe713fe46001689241862083eee4716
LummaStealer
630af8886f6e7b8cb7b530ed641a4ddf20eec3bedd2a5aa60285b5a5805a603a
LummaStealer
6cee9586194abdbf1dc2c633ca2c9993335fcbbd5580b810de5e194c9122db4d
LummaStealer
cb764bddb9387738042de870f08c16e2470eb0da23c594a3ec4d882b42a6e0d7
LummaStealer
error
LummaStealer
+ 858 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery stealer
Link:
https://tria.ge/reports/250719-q3q2hawqs6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://mcaumnb.shop/dpsz
https://gigohe.top/diau
https://daruubs.top/griw
https://cidtfhh.shop/zdik
https://annwt.xyz/xkan
https://blihlo.shop/atkg
https://greqjfu.xyz/uhbf
https://rayrhs.top/aktr
https://furwmsx.shop/xowq
Verdict:
Malicious
Tags:
Win.Malware.7zip-10013374-0
YARA:
n/a
Link:
https://app.threat.zone/submission/56b7ad77-f8ef-4f12-bc3c-187c40bc77c4
Unpacked files
SH256 hash:
030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f
MD5 hash:
3c1b9e4e02d350ad9cc0db8f1d1b8bff
SHA1 hash:
854b6fc46b312c7ad1fe8d47bb24da07dca39bd1
Link:
https://www.unpac.me/results/9e22da91-e44b-4e6d-a812-11d40dbfb9b5/
SH256 hash:
35cad6a00df9ad70a65d51e2c7746770db868c2d9fa36d53fddade15b928fe12
MD5 hash:
aa1bd1acbdc60b3b27db2ab689d9eb06
SHA1 hash:
1a9707a771f9db875386c22c4f45039457aa0d0c
Link:
https://www.unpac.me/results/9e22da91-e44b-4e6d-a812-11d40dbfb9b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/030341b8ce7dfcd95d3918808fbc8b6f3b540457c2c02a916afe012c4a4fd76f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:observer
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked observer malware samples.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15798/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments