MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03ceed5a7cec5718a3065696d8d78d5adc802cc95109ed68acb393c231760776. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03ceed5a7cec5718a3065696d8d78d5adc802cc95109ed68acb393c231760776
SHA3-384 hash: 6fa769cb7dacf7ce4a08ec2428fb06249233cb3e5a843e0218922114498c8717dcdafbd86636cafa6f559e881fcc4958
SHA1 hash: b42cf0698b6b0b6308f0b19d787db3c977de0daf
MD5 hash: 435760a824c3cc0dbb278fe82d954535
humanhash: orange-rugby-indigo-leopard
File name:#𝓟𝓪$$𝓒Ō𝔻𝓮--6623__𝓞𝓹𝓮𝓝_𝓢𝓮𝓽𝓾𝓹$@!!𝓟𝓒.7z
Download: download sample
Signature LummaStealer
Create hunting rule
File size:13'277'667 bytes
First seen:2025-04-11 14:05:55 UTC
Last seen:Never
File type: 7z
MIME type:application/x-7z-compressed
Note:This file is a password protected archive. The password is: 6623
ssdeep 393216:yBBfvKDN/kPOs+G5q84ZaaV+1Vj3qfDyQ:0BfEN/Zs+Gt48aV+7jWb
TLSH T1F3D633CBCF3A8BEC6AD05AB64C377BF941041926D499F29CE76321CD96C603D9C94827
TrID 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika sevenzip
Reporter aachum
Tags:7z file-pumped LummaStealer pw-6623


Avatar
iamaachum
https://edsflps2.pro/?=ijn&diu=1045&sid=LDn => https://mega.nz/file/iY10BRIZ#Z__i9aUH4hHt5LSzaaMe4VlmpHFZ5_IbnINZwujHBFY

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
ES ES
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Setup.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:698'906'712 bytes
SHA256 hash: 3f734ec477bbb5004e72dbcbacf1731167f5e631547f58e9b5f5f512fe7d43fd
MD5 hash: ed893371c87e32127d1d07f39f11c040
De-pumped file size:954'880 bytes (Vs. original size of 698'906'712 bytes)
De-pumped SHA256 hash: 4896e1fe2a9db96f0d54c924261d7fde00e2396c2fcea238aea20c71074e06ca
De-pumped MD5 hash: 37742c97eb6f54ab5c163513e93a3f99
MIME type:application/x-dosexec
Signature LummaStealer
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f926f0d6e7c3effad00f31
Tags:
vmdetect emotet
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/03ceed5a7cec5718a3065696d8d78d5adc802cc95109ed68acb393c231760776
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03ceed5a7cec5718a3065696d8d78d5adc802cc95109ed68acb393c231760776/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-10 22:50:24 UTC
File Type:
Binary (Archive)
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=apho2wt45rlrriygk2lnrv4nlloialgjkee622fmwoj4emlwa53a._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250411-xcen4sxtds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://dipsafals.digital/oxwp
https://soursopsf.run/gsoiao
https://changeaie.top/geps
https://easyupgw.live/eosz
https://liftally.top/xasj
https://upmodini.digital/gokk
https://salaccgfa.top/gsooz
https://qzestmodp.top/zeda
https://txcelmodo.run/nahd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

7z 03ceed5a7cec5718a3065696d8d78d5adc802cc95109ed68acb393c231760776

(this sample)

LummaStealer

Executable exe 4896e1fe2a9db96f0d54c924261d7fde00e2396c2fcea238aea20c71074e06ca

  
Link
https://tria.ge/250411-q8pqma1scv/behavioral1
  
Delivery method
Distributed via web download
  
Dropping
SHA256 4896e1fe2a9db96f0d54c924261d7fde00e2396c2fcea238aea20c71074e06ca
  
Dropping
MD5 37742c97eb6f54ab5c163513e93a3f99
  
Dropping
SHA256 9667f74b0fa7eb520c63f2d4dc953d1fd68780059b98db4d1dffa3f94f3de7b1
  
Dropping
MD5 426bc89d97ba34f88576d315b84af69e

Comments