MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
SHA3-384 hash: f17f2617a213b1a9d119c9f8ba90053da35b7d1b582004be43503ab02fe5040f2e166c11bc0eba928abd90764e8940cb
SHA1 hash: 63f41fa9a8c27f37bd95f1d0e4d6c70501a0b62a
MD5 hash: b2ee2fc454a3687bcb045ba49bf71074
humanhash: minnesota-fillet-paris-mars
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:306'688 bytes
First seen:2025-11-13 13:18:27 UTC
Last seen:2025-11-14 00:19:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c72d40c71bcbf3442320a9ed25ba079c (2 x LummaStealer)
ssdeep 6144:6X2wbep/wFuEWLKxLzAatJaoFk7tilv3ci4Ml+1SGs++p3cZnh:qQFw4EW0fve7tilvci7lnGD+3ch
TLSH T1316423FFA176162FE7486BB608E1A2DA7E27B9F536C5348979C6DE720C538122344B01
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 LummaStealer UPX


Avatar
Bitsight
url: http://178.16.54.200/files/7048135242/R9xCtXh.exe
File size (compressed) :306'688 bytes
File size (de-compressed) :667'648 bytes
Format:win32/pe
Unpacked file: a4dd26ed32c9fc6df421007e6cb8ff8b6ab4ae3cacae434d051aa0cd50436947

Intelligence

File Origin
# of uploads :
7
# of downloads :
122
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2025-11-13 13:20:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7449b7fd-8c5b-4231-916e-35789ba34acd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AuraStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38098/
Detection(s):
SecuriteInfo.com.FileRepMalware.47865624.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.AURAStealer-D.53229197.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6915dad9434cd67b17c0d68e
Tags:
rasteal overt virus crypt
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt fingerprint packed packed packed upx
Link:
https://www.filescan.io/uploads/6915dad702b730ac84ead988/reports/0d4c0386-6fac-48eb-8e04-8dce8193e3d1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-13T11:02:00Z UTC
Last seen:
2025-11-14T10:24:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Aur.sb Trojan-PSW.Win32.Aur.ar PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0b25c710-4cdf-42c5-adb3-6f765d97b25e
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b2ee2fc454a3687bcb045ba49bf71074
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60/
Verdict:
Malicious
Threat:
Family.AURA_STEALER
Link:
https://tip.neiki.dev/file/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
Threat name:
Win32.Trojan.AURAStealer
Create hunting rule
Status:
Malicious
First seen:
2025-11-13 13:19:19 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7wg7fbt5n5ds3gpwk7y6ghzqrlyjretewh2yluaoirxauwj3zqa._file
Verdict:
malicious
Label(s):
aurastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
aura_stealer
Create hunting rule
Score:
  10/10
Tags:
family:aura_stealer discovery stealer upx
Link:
https://tria.ge/reports/251113-qkmw5aeq8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
UPX packed file
AuraStealer
Aura_stealer family
Detects AuraStealer stealer
Gathering data
Unpacked files
SH256 hash:
07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
MD5 hash:
b2ee2fc454a3687bcb045ba49bf71074
SHA1 hash:
63f41fa9a8c27f37bd95f1d0e4d6c70501a0b62a
Link:
https://www.unpac.me/results/3f8e6c90-2299-4b01-b92a-6da175a9cb53/
SH256 hash:
a4dd26ed32c9fc6df421007e6cb8ff8b6ab4ae3cacae434d051aa0cd50436947
MD5 hash:
7f53398c05f45095857d2abd4d3933d8
SHA1 hash:
2b73dd2fb546566cc49ebae573316b749f53de0f
Detections:
win_lumma_auto
Create hunting rule
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/3f8e6c90-2299-4b01-b92a-6da175a9cb53/
Parent samples :
a4dd26ed32c9fc6df421007e6cb8ff8b6ab4ae3cacae434d051aa0cd50436947
07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lumma
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AuraStealer
Create hunting rule
Author:enzok
Description:AuraStealer Payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:win_lumma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lumma.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 07ec6f9433eb7a396ccfb2bf8f18f9845784c493258fac2e8072237052c9de60

(this sample)

LummaStealer

Executable exe a4dd26ed32c9fc6df421007e6cb8ff8b6ab4ae3cacae434d051aa0cd50436947

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3704332/
Cape
Cape
https://www.capesandbox.com/analysis/38098/
  
Dropping
SHA256 a4dd26ed32c9fc6df421007e6cb8ff8b6ab4ae3cacae434d051aa0cd50436947
  
Dropping
MD5 7f53398c05f45095857d2abd4d3933d8
  
URLhaus
https://urlhaus.abuse.ch/url/3704833/

Comments