MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff
SHA3-384 hash:	0414dd6882306387c8c7bb1c1c72e9ab576de403a62dbf35a6716372d7528b667f530fdc5b54c6138b3fc4230a5789af
SHA1 hash:	a7af3302460fb6d3e68d9f28f830b502d2822c29
MD5 hash:	cb9424576cd272eff131650382267d52
humanhash:	carolina-connecticut-blue-queen
File name:	2025-08-17_cb9424576cd272eff131650382267d52_black-basta_cobalt-strike_cryptbot_luca-stealer_satacom_vidar.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	12'025'857 bytes
First seen:	2025-08-18 12:38:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep	196608:zzLwejzJU1lMDM/78B5MmvTP8uyh70a0j5EFF7bELF/594f4VzZ5J26KcDLzwTmh:EAJU//9m7P8jBaoRYLt5mf4VFq6KEzFh
Threatray	615 similar samples on MalwareBazaar
TLSH	T124C63355E6FC01F4D877A2788A9A4D13F3BA3C450758938F07A967462F372E4AD29B30
TrID	92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10522/11/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.7% (.EXE) OS/2 Executable (generic) (2029/13) 0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	zhuzhu0009
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

493dc5e4-b3aa-416d-951b-4d88d7fb8c3e

Verdict:

Malicious activity

Analysis date:

2025-08-18 12:40:00 UTC

Tags:

lumma stealer autoit telegram

Link:

https://app.any.run/tasks/493dc5e4-b3aa-416d-951b-4d88d7fb8c3e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/21947/

Detection(s):

SecuriteInfo.com.BackDoor.RevetRat.2.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a31f148fd55a79c528e8dc

Tags:

phishing spawn shell sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b88b76b2-d6a0-4cad-b783-678c806a6888

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) SVG Win 64 Exe x64

Link:

https://app.malva.re/file/cb9424576cd272eff131650382267d52

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff/

Threat name:

Win64.Spyware.Lummastealer

Status:

Malicious

First seen:

2025-08-12 08:06:00 UTC

File Type:

PE+ (Exe)

Extracted files:

253

AV detection:

19 of 36 (52.78%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bt3ccli7ljdnjxpl3ksn5ka6btp7n2r7qgsb5x7wwpfyzqztxp7q._file

Verdict:

malicious

Label(s):

unc_loader_058

LummaStealer

5f3675761016548372c9daa01d58cbdfce0510283ada6eaf9463d4161d09fa4c

LummaStealer

6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48

LummaStealer

b808a450da812d5bd1eea8d1baae5f3bd4abf8bd36bc8569c9e2d75f687dd76c

LummaStealer

d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668

LummaStealer

error

LummaStealer

+ 605 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/250818-pwpz7agj7z/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Enumerates processes with tasklist

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://t.me/erfkfj3j9f
https://panlos.forum/fudx
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7053fea1-a3cc-4723-bad1-ee9dafa40630

Unpacked files

SH256 hash:

0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff

MD5 hash:

cb9424576cd272eff131650382267d52

SHA1 hash:

a7af3302460fb6d3e68d9f28f830b502d2822c29

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

2481b4487992e9b98a330c3ec8d85272841d947e0e82d5305cb0fa39a4c1f1f7

MD5 hash:

5b891be7bf1d98acf47b8fcaabc6ca09

SHA1 hash:

b489b787a45c970bde92714a2bfabcae1bd9c6dc

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

52416bb8275988aa5145be6359b6c6a92e3c20817544682c2c1978b50ff2052c

MD5 hash:

a341d9bfaae6a784cb9e2ea49c183fb4

SHA1 hash:

d061c12dffa6a725f649dae49c99f157e93bb175

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

5883d041c5f5020ac4b66314d5f89cb6331db3c4ec1c912f72b3ebb9aa8c41e2

MD5 hash:

449bf7a46490fa07881d969b6d52c0f1

SHA1 hash:

e520a8318e867c7840e6deadef36abcdf2894417

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

739c063a600d6e462042939fec77535a5d4c94c6bdbe3da61bb4ab670c341577

MD5 hash:

39bf9e72a5dd7763ccd461571107438a

SHA1 hash:

e27e3bdcbb11bce1a30b989ca59801c9fccc7a24

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

MD5 hash:

08e9796ca20c5fc5076e3ac05fb5709a

SHA1 hash:

07971d52dcbaa1054060073571ced046347177f7

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

MD5 hash:

b77eeaeaf5f8493189b89852f3a7a712

SHA1 hash:

c40cf51c2eadb070a570b969b0525dc3fb684339

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

SH256 hash:

dbefec15acb08e0312e1c0693da98d1b246b0863e250da5cab8aaf506f8486c6

MD5 hash:

8adb474b17dc4ec1a2994c73ac10954a

SHA1 hash:

8acad12914a3de7780ce1e38e9fcc6d5c62dced8

Link:

https://www.unpac.me/results/de3c8daa-e759-4698-bfc9-8cf7cffe7dfc/

Malware family:

GHOSTPULSE

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0cf6212d1f5a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21947/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample