MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c
SHA3-384 hash: d5579e85417914ac52846c4a4f3a3dadd6cea2d5d43188bb7e4724adcb35665da8ff4bde4e317ecce373c8f04da4463f
SHA1 hash: d75fb9cb84aed041d33bff05c6364b4470c65992
MD5 hash: ce2f96f4c72a286f42fea3299faff564
humanhash: five-maryland-johnny-berlin
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:99'614'704 bytes
First seen:2025-09-12 18:07:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:PEfzv2epmXRcNDMdFb/QzJHNezReAVduno8n9Mmcz:HepeZFz06d6b9Mnz
Threatray 923 similar samples on MalwareBazaar
TLSH T1B42823BFB32C915ECAFBE15D0D9128CA286665C171250A0C7502A06F770E7B5C279EEF
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://fgdhjkvnuf.pro/?file=D16Ct0hQSpkx8eOEiVylFKB9YNIfjdXru&qWFhungOGDz8d=RoQxbeD0hKWFmCVtlcykMXOYrH4gj7d2NAnLiJ9P5p8ZTS6 => https://www.mediafire.com/file/5k4b8n3x6cfs3fk/D0WN10@D%20%7BP%F0%9D%9A%8A%F0%9D%9A%825%20--%E2%96%BA%203891)%7D%20%F0%9D%99%B5%F0%9D%9A%8411%20%F0%9D%9A%82%F0%9D%99%B4%F0%9D%9A%83%F0%9D%9A%84P.zip/file

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-12 18:10:21 UTC
Tags:
autoit lumma stealer
Link:
https://app.any.run/tasks/e5e19883-b8ff-4ac8-be69-43fe914afd14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c466dae579c633a4b4be03
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68c461a673287948292862e8/reports/334a45f6-aaed-4ed9-8e3c-598217aacb83/overview
Verdict:
Malicious
Labled as:
StartPage.OVJ
Link:
https://www.hybrid-analysis.com/sample/066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-12T16:54:00Z UTC
Last seen:
2025-09-12T16:54:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c/results?tab=lookup
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1776682
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1776682 Sample: setup.exe Startdate: 12/09/2025 Architecture: WINDOWS Score: 100 34 sirhirssg.su 2->34 36 DPTrIuODKNGXIuMIHZwAcBztnSTMe.DPTrIuODKNGXIuMIHZwAcBztnSTMe 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Antivirus detection for URL or domain 2->44 46 6 other signatures 2->46 9 setup.exe 26 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 52 Detected CypherIt Packer 12->52 54 Drops PE files with a suspicious file extension 12->54 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\Temp\...\Drug.pif, PE32 15->32 dropped 20 Drug.pif 15->20         started        24 extrac32.exe 19 15->24         started        26 tasklist.exe 1 15->26         started        28 2 other processes 15->28 process10 dnsIp11 38 sirhirssg.su 64.227.2.250, 443, 49691, 49692 DIGITALOCEAN-ASNUS United States 20->38 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->48 50 Query firmware table information (likely to detect VMs) 20->50 signatures12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c
Gathering data
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-12 18:13:02 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azv6uc4a7zoosyfwzrlceov7nyqdxnnzzn3anrz4bzrr34waiywa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d
LummaStealer
3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6
LummaStealer
45ae6ae59589498416090cfdfced2064e1b9490948eb993a901f7049fada8526
LummaStealer
654ef3d3358fce7ef7794491c00e0c124bea10db5a1e5307ca1c86fbde075d11
LummaStealer
88556db83f38d96d84a7a03aa667a66f25d5e6d3b71557db346f48eba429ca00
LummaStealer
cac30178cd32b2b64b95b11041b4a7d9a5391b00bc48a7f2fa1466be40be8c34
LummaStealer
cd00e9684bb6a8b2b5ea0699b89cb251221c343cfb6ab3f6ec57525b349fc25f
LummaStealer
ea99f962525094d90f6395433e936f8f583827d5da601e5300c0e8757df3c544
LummaStealer
error
LummaStealer
f57829fccab2aa91f23ab2a8779fc7aa93bf5eabd1010bb3479580989f6bce45
LummaStealer
+ 913 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250912-wq725sck81/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://sirhirssg.su/xzde
https://lexenorf.org/zdhs
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9afdcd4d-b612-4838-9f4c-895a15633f90
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/066bea0b80fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 066bea0b80fe5ce960b6cc56223abf6e203bb5b9cb7606c73c0e631df2c0462c

(this sample)

  
Link
https://tria.ge/250912-wk7jes1th1/behavioral2
  
Delivery method
Distributed via web download

Comments