MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da
SHA3-384 hash: 87987ec05290f74e7dc144d927bb2701b4b76a5c7ea50ff663b071e968c28271b68c511d7fedb28256382bbfdb02728f
SHA1 hash: a30eeae8ba14a3a2227f30265042dff7c789205a
MD5 hash: 228405636c683ea49c21ce1139397978
humanhash: nineteen-freddie-burger-dakota
File name:Labs-v1.3.68.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:6'517'992 bytes
First seen:2025-09-26 22:53:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (124 x Vidar, 92 x Rhadamanthys, 51 x Stealc)
ssdeep 49152:u2T1PT6v7h2CmI+puvDcQxOgjmRyxmyoZAdTcGtjURL:u25LCmHpuvDcXHA1tj+
Threatray 452 similar samples on MalwareBazaar
TLSH T101665B17ACA14BEAD0FA9232C8B655957E37F8040B3127D72E60B2382E767D0BD75760
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter powerpellet1077
Tags:exe LummaStealer


Avatar
powerpellet1077
Roblox executor lumma

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Labs-v1.3.67.exe
Verdict:
Malicious activity
Analysis date:
2025-09-26 10:27:03 UTC
Tags:
anti-evasion lumma rhadamanthys stealer golang
Link:
https://app.any.run/tasks/49e03771-ba17-4d4c-b2fa-48765e727243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29201/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d719ab91dd51f6514f1c18
Tags:
obfusc spoof crypt overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Connection attempt
Sending a UDP request
Reading critical registry keys
Searching for the window
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm expand golang invalid-signature lolbin overlay signed
Link:
https://www.filescan.io/uploads/68d719a8674d5fd6aa0e1428/reports/40227bcf-cfc7-4e31-92cb-0275590d2616/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-26T03:08:00Z UTC
Last seen:
2025-09-26T03:08:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.SBEscape.sb Trojan.Win64.SBEscape.aoa Trojan.Win32.Crypt.sb BSS:Trojan.Win32.Generic VHO:Trojan-PSW.Win32.Crypt.gen
Link:
https://opentip.kaspersky.com/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3f96a001-377b-4840-a78f-e7602149b838
Score:
65%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/228405636c683ea49c21ce1139397978
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-09-26 10:27:05 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
17 of 38 (44.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfretqfarx4kxqgrtczj6cpdafjpwv5m7vyslz6pquslsiqzdhna._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
1432383d831789281e458a5134d7637620ad69247691b189ed688d86b4805ea2
LummaStealer
1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b
LummaStealer
1fc8d0798605394a2a0dbc39c80bf5221483668c22faf6782e5254cbbd90a1d3
LummaStealer
56cf64ca5d71f829a5db031b0ea02ad7aaf9cafe881fbbe30487bd5dccf7a4f6
LummaStealer
5a68af44b9399b0bf6e41e5d60b994251dedb610c700dcfd81198b67a0518d0e
LummaStealer
70210b70626f6136e71422b70bec9d784c9e08921d5841a97a64588670cd3a02
LummaStealer
7610fe95df2a433e8d52377e8301642dacb2e66b19d695f568a6b745d68fd3c5
LummaStealer
d1911dff6da25f6c988bc566667bb42f455c2d681eace32e353331996c3510b7
LummaStealer
df89c633af01d2b5d803e3f72a9398da78152fb7fdb0f1683e5e2ba067e69932
LummaStealer
error
LummaStealer
+ 442 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250926-2vsqxawtay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd7ffe4a-a7ae-4e96-a374-bd3c37144c39
Unpacked files
SH256 hash:
096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da
MD5 hash:
228405636c683ea49c21ce1139397978
SHA1 hash:
a30eeae8ba14a3a2227f30265042dff7c789205a
Link:
https://www.unpac.me/results/3da688b8-2715-4dff-9379-f33a285a2d3b/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/096249c0a08d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 096249c0a08df8abc0d198b29f09e30152fb57acfd7125e7cf8524b9221919da

(this sample)

Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/29201/

Comments