MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07b8e705a0017ab1df5ffabc1fc7fb0a4d0738e98235b5725e47bb9d5229c5c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 26 File information Comments

SHA256 hash: 07b8e705a0017ab1df5ffabc1fc7fb0a4d0738e98235b5725e47bb9d5229c5c4
SHA3-384 hash: 33e8ffc7cd2a5161adb12fc2cbba118dcb905c52e6535ceaaae92c9f504a00392f21ac9df4eee203eeb7f537fbb4cc1c
SHA1 hash: 9497cb3a673c53c4c45db85818326e675e9d928f
MD5 hash: 600e1b59222ec1bf5d83f62a7cc0b9cc
humanhash: earth-violet-venus-finch
File name:application.exe
Download: download sample
Signature LummaStealer
File size:31'720'900 bytes
First seen:2026-01-05 13:48:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'855 x Amadey, 290 x Smoke Loader)
ssdeep 393216:9sZRNyoVY6taWqFp80fEO4jaFMD+Jx4N3xu2UnW631VYtl5nhgttSF:90+oSW9Ap88EO42G+n4NhA2l5+tS
TLSH T1E267BF17B7E84065D0BB9238896B9716E675BC21073096CF2254B7AE1F33BD05E3A723
TrID 74.6% (.IME) Microsoft Input Method Editor (365088/19/49)
8.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
3.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.1% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
dhash icon 2f60f2babedcd423 (1 x LummaStealer)
Reporter JAMESWT_WT
Tags:communicationfirewall-security-cc exe LummaStealer memory-scanner-cc offenms-cyou

Intelligence


File Origin
# of uploads :
1
# of downloads :
167
Origin country :
IT IT
Vendor Threat Intelligence
Malware configuration found for:
Archives AutoIt
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Malware family:
n/a
ID:
1
File name:
_07b8e705a0017ab1df5ffabc1fc7fb0a4d0738e98235b5725e47bb9d5229c5c4.exe
Verdict:
Malicious activity
Analysis date:
2026-01-05 13:49:13 UTC
Tags:
autoit lumma stealer fingerprinting

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
phishing autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm autoit CAB expand installer installer installer-heuristic lolbin lolbin microsoft_visual_cc overlay overlay packed packed rundll32 runonce sc sfx
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-01T15:47:00Z UTC
Last seen:
2026-01-06T00:55:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.UDP.C&C Backdoor.Win32.Agent.myxcid
Gathering data
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2026-01-01 20:34:48 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:lumma discovery execution persistence spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Time Discovery
Launches sc.exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Lumma Stealer, LummaC
Lumma family
Process spawned unexpected child process
Malware Config
C2 Extraction:
https://offenms.cyou/api
https://whitepepper.su/asds
https://hammernew.su/asdase
https://heavylussy.su/ccvfd
https://broguenko.su/asfase
https://homuncloud.su/ascasef
https://familyriwo.su/fssdaw
https://izzardtow.su/cascasc
https://basilicros.su/asdasq
Dropper Extraction:
https://memory-scanner.cc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:attack_India
Rule name:CHM_File_Executes_JS_Via_PowerShell
Author:daniyyell
Description:Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell
Rule name:cobalt_strike_beacon_detected
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:detect_Redline_Stealer
Author:Varp0s
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Author:Willi Ballenthin
Rule name:Mimikatz_Generic
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:NET
Author:malware-lu
Rule name:NETDLLMicrosoft
Author:malware-lu
Rule name:ProgramLanguage_Rust
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:skip20_sqllang_hook
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Suspicious_Process
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_All_Windows_PE_Malware
Author:DiegoAnalytics
Description:Detects Windows PE malware of all types, avoids non-executables like .html
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments