MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e
SHA3-384 hash:	772db7d7b293f4f37cf8b74d39e2f793ce0156f5949f5bb2648202fcc27576bd4a4b93fc8b82476cc0d98b82e11622d5
SHA1 hash:	145549920ddd254dcca3b2cce05386a4a7eec1ff
MD5 hash:	966f56514282a84607330e8dea9f7abc
humanhash:	emma-romeo-one-queen
File name:	Setup.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'395'712 bytes
First seen:	2025-08-25 20:34:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ce39e07a979f0e3da342ee46f74268b (8 x LummaStealer, 2 x Rhadamanthys, 2 x CoinMiner)
ssdeep	24576:2Qb60rv833KVuHQkX4vzSvbnetnbqXay51qQm:z62v8327k2b5qXam1qL
Threatray	694 similar samples on MalwareBazaar
TLSH	T1FF55D019E83691D7FCC700F1AB195251A4337D378F285AAB40E89B51256AEED0A3F337
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe fake-cheat LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2025-08-25 20:37:25 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/dd8d9440-97c4-438f-ab85-218b09fb19cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/23512/

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68acc91d3e988eb6ab82b7e3

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68acc8d528a89d9dd4f3e931/reports/2bf8a45d-2348-421b-8427-d177720133c6/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e

Verdict:

Clean

File Type:

exe x64

Link:

https://opentip.kaspersky.com/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4cceb54c-f206-4feb-88c5-2ec054a566e0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/966f56514282a84607330e8dea9f7abc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-25 20:35:46 UTC

File Type:

PE+ (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bfoww4morihxwizuswloh34jfxacvasgpn2qlajwd2smebwzde7a._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

3b26ad8a676ae6099b1202a684ea9b1964a99b9eeadda009bbf449c8355803fd

LummaStealer

66714b3368a2365b0ac7cb6a09bf95dc6fb98989a74bcd2e274971b4237e6df7

LummaStealer

69391d8f605bce4ca985eb31a516c366cab535348a5c90c27f8af466a078efbb

LummaStealer

a5354a7a2c9f1258561afc9d7ee5918ea573b03ff18a8f2c8ad828294a2c0054

LummaStealer

adb09e49fc9282b4a434f5439e86e50f5d9c9ec14e328fc8872918c092f1b605

LummaStealer

b303e5fa63277691ab5249294772aed02d0f294fe2d69dc5dfe2cc77a15a4e7a

LummaStealer

error

LummaStealer

+ 684 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250825-zcmqts1vew/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Modifies trusted root certificate store through registry

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://cursilibim.ru/zajd
https://mastwin.in/qsaz
https://tiltyufaz.ru/tlxa
https://runmgov.ru/tixd
https://semipervaz.ru/xued
https://capitalior.ru/akts
https://retrofik.ru/jgur
https://shagkeg.ru/xkzd
https://copulardi.ru/xhza

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bdaee649-0ca7-4ea0-95b1-edc1cd8a26e0

Unpacked files

SH256 hash:

095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e

MD5 hash:

966f56514282a84607330e8dea9f7abc

SHA1 hash:

145549920ddd254dcca3b2cce05386a4a7eec1ff

Link:

https://www.unpac.me/results/9eb2048b-9e36-4221-b29e-9ec9eb0f562f/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/095d6b718e8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/095d6b718e8a0f7b23349596e3ef892dc02a82467b750581361ea4c206d9193e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23512/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample