MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 19 File information Comments

SHA256 hash:	03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7
SHA3-384 hash:	afc71376febb093b795f8e4fa2fed5182fca6152b15ef1c745fdcfbd72754a1229f2ecaa9b696badae43208582a9a566
SHA1 hash:	f732e938a8fda479886576df82c611f9540db42c
MD5 hash:	8cb8301f664e1e42dee8b7032fa321fc
humanhash:	helium-undress-march-december
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'762'432 bytes
First seen:	2026-04-15 17:25:03 UTC
Last seen:	2026-04-16 17:53:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1aae8bf580c846f39c71c05898e57e88 (196 x LummaStealer, 58 x SalatStealer, 18 x ValleyRAT)
ssdeep	24576:ew48NqvO9qOoJQ/LEMC16tzKJt1rROu/3srGurkU+zE7WdUGYV5LWJfINPsb3gWH:elCY8tzc7qEDbQWH
Threatray	63 similar samples on MalwareBazaar
TLSH	T1D4854900FD8794F6E8061B3655AB62AF2735AC090FB69A87EA447F79F9723D11C32344
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	d8ca2d8d5c6186c4 (3 x LummaStealer)
Reporter	Bitsight
Tags:	dropped-by-gcleaner exe f LummaStealer MIX7.file signed

Code Signing Certificate

Organisation:	justwatch.com
Issuer:	WR3
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-03-09T11:58:38Z
Valid to:	2026-06-07T12:48:28Z
Serial number:	2f7ef0157d17625c098691cef1ff7d63
Intelligence:	8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	06c81a0ff2538601f4567a6f3dcbbb9c5ec4079a9ed4e74dd48c455e8d5259be
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: http://158.94.209.95/service

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-04-15 17:26:42 UTC

Tags:

auto-reg loader fuery golang

Link:

https://app.any.run/tasks/95088a63-e865-4ec2-b031-74b290268956

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61779/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69dfca3cf68adfe1003a25ba

Tags:

injection obfusc crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Creating a file

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-vm golang krypt packed signed

Link:

https://www.filescan.io/uploads/69dfca2e5ea31bc68a2dba8e/reports/f0f55a85-72d9-474d-b048-93410821c463/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-15T15:14:00Z UTC

Last seen:

2026-04-16T04:39:00Z UTC

Hits:

~100

Detections:

Backdoor.Win32.Agima.a Backdoor.Agima.HTTP.C&C Backdoor.Win32.Agima.sb Backdoor.Win32.Agima.ce Backdoor.Win32.Agima.b

Link:

https://opentip.kaspersky.com/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c0e9fea-1e1e-48de-803c-3cdcadcdc76a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7/

Verdict:

Malicious

Threat:

Family.FUERY

Link:

https://tip.neiki.dev/file/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2026-04-15 17:26:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aptpj5e45q5phc56zhwwjqmvy6ufuyyozge67m3gt4ckfgj4dxlq._file

Verdict:

malicious

Label(s):

cryptinfinite

LummaStealer

0c50b443623b0530b30ef47f036c486d0cdd9f2088c6c1ad1b2ac2963230bff9

LummaStealer

1a164d10fe3ca9a603c70bcf83a667b92bab36dbb1705c6865fb83a48935649f

LummaStealer

3d9c9be6ebf52a46fe919cdbfdba0562e7d7591956c0d92482e8679ea439929d

LummaStealer

80ba3f0bf20a0068fbdde96d21eda37d30d5b995088524e0590bb6913335d874

LummaStealer

b48212fbb88fe59813f71e4f55d85b8549a02c090bd3879e44df6f5095d577c9

LummaStealer

c32e3e9204f8a8f77376f5800785b95f3a6a5521b205b759376dc7eb4664dd64

LummaStealer

error

LummaStealer

+ 53 additional samples on MalwareBazaar

Result

Malware family:

fuery

Score:

10/10

Tags:

family:fuery discovery persistence trojan

Link:

https://tria.ge/reports/260415-vzt17shw2w/

Behaviour

System Location Discovery: System Language Discovery

Adds Run key to start application

Family: Fuery

Malware Config

C2 Extraction:

http://let.mebeyourfriend.digital/
http://if.youwannabemylover.life/
http://make.mydaymakemyday.info/
http://iahfi.visbxskagt.com/
http://laf.oahgsfwklg.top/
http://smachrie1.weinerbuyout.top/
http://sackless2.backspacersasine.sbs/
http://recondole3.compositesclosetful.xyz/
http://dietaries4.permeatedicelanders.today/
http://epanadiplosis5.misdateswampanoag.cyou/
http://invoke6.escrimesesquipedal.digital/
http://bordrage7.kafkaesquebozo.info/
http://stacher8.disequilibrationaproctous.top/
http://scoliidae9.

Unpacked files

SH256 hash:

03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

MD5 hash:

8cb8301f664e1e42dee8b7032fa321fc

SHA1 hash:

f732e938a8fda479886576df82c611f9540db42c

Link:

https://www.unpac.me/results/57ae6018-4df4-40e8-9492-9d8bdc08afca/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.08

Link:

https://yomi.yoroi.company/submissions/03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/61779/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample