MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9
SHA3-384 hash: a6999abaf40ed769703e5dc8182808013fb5280baa426dc603299b5f005994af99d17794c652c18800e44bb5e0f233ce
SHA1 hash: cc8cb59d30d428c1ca135bb4f8a0561486ce5ade
MD5 hash: f7112cbc3171fec9547eddaabef0bd68
humanhash: early-nuts-cup-juliet
File name:𝓢𝓔𝓣𝓤𝓟🔹.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:99'614'770 bytes
First seen:2025-08-11 19:58:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:TniO/qdjRNHDY1GXdbANgzu5ayIJ5iuTdlN7fzx:b/q5YadbAGUayIHtzx
TLSH T19E2892FED04C03529D9726A6E897241A5FDFCC313914727702EEAA459B871CC27AB732
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 3070e0c0c9f0760e (2 x LummaStealer)
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://www.download-setup.com/ => https://mega.nz/file/uox3EBiT#4Uwk-Q4fWG7WpZvPeOxB4mX8iamxVlU02f2DBGWq5nw

Intelligence

File Origin
# of uploads :
1
# of downloads :
967
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b3be2661-d018-4b7d-b168-74e8f59a7cab
Verdict:
Malicious activity
Analysis date:
2025-08-11 20:01:52 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/b3be2661-d018-4b7d-b168-74e8f59a7cab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689a4ba4fca70bd90e8e6bd5
Tags:
phishing autoit emotet nsis
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/689a4b659ef4d2ff7cf6f016/reports/8fe3afb8-63ef-4675-9a34-0857b27a9ac3/overview
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1754904
Signature
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1754904 Sample: #Ud835#Udce2#Ud835#Udcd4#Ud... Startdate: 11/08/2025 Architecture: WINDOWS Score: 100 37 vaganetka.ru 2->37 39 djCjeXobqvlSrmbkLYmIV.djCjeXobqvlSrmbkLYmIV 2->39 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected LummaC Stealer 2->49 51 4 other signatures 2->51 9 #Ud835#Udce2#Ud835#Udcd4#Ud835#Udce3#Ud835#Udce4#Ud835#Udcdf#Ud83d#Udd39.exe 23 2->9         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->35 dropped 12 cmd.exe 1 9->12         started        15 svchost.exe 1 1 9->15         started        process6 dnsIp7 57 Detected CypherIt Packer 12->57 59 Drops PE files with a suspicious file extension 12->59 18 cmd.exe 4 12->18         started        21 conhost.exe 12->21         started        43 127.0.0.1 unknown unknown 15->43 signatures8 process9 file10 33 C:\Users\user\AppData\Local\...\Temple.pif, PE32 18->33 dropped 23 Temple.pif 18->23         started        27 extrac32.exe 18 18->27         started        29 tasklist.exe 1 18->29         started        31 3 other processes 18->31 process11 dnsIp12 41 vaganetka.ru 172.86.89.51, 443, 49690, 49691 M247GB United States 23->41 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->53 55 Query firmware table information (likely to detect VMs) 23->55 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9
Gathering data
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-11 20:28:43 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
15 of 38 (39.47%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwn6wqfrjkkwkvxps7h2flcbb3emoue5gxn5fucq576iycjonxuq._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250811-yp4pfa1nt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://vaganetka.ru/opza/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/be788f78-a89e-48f5-b555-721b0c3c22ba
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d9beb40b14a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9

(this sample)

  
Link
https://tria.ge/250811-xvrrdszqs9/behavioral2
  
Delivery method
Distributed via web download

Comments