MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
SHA3-384 hash: e1ea6add0ee6c73b511e43cc3ffe9ccf38ca5d32511dccb9fb25ae8a75c2239895d160af3d5de9af9b1e7974879bc095
SHA1 hash: 3b9cf2fa71c371b9b51afff42dd6e095163016a6
MD5 hash: 3bea01fbe0bd954ed58e7e3a517c5275
humanhash: mockingbird-east-monkey-tennis
File name:Luma_Crypt_Packlab.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'459'712 bytes
First seen:2025-07-28 03:24:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94d8ff6057177a8611280e66cadf0c19 (29 x LummaStealer, 6 x CoinMiner, 2 x Rhadamanthys)
ssdeep 24576:1cVXETShDtdBHjmaGFMeyOqIpGWi7jmaGFMeyOqIpGWi8:ChqGj3VPLIpGP7j3VPLIpGP8
Threatray 209 similar samples on MalwareBazaar
TLSH T12965E01DB97D90EBECE34070AB5A5511F532BC278B74A9DF41E497A00907EED0B3A326
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Luma_Crypt_Packlab.exe
Verdict:
Malicious activity
Analysis date:
2025-07-26 11:08:18 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/26cfb877-4f2e-47ab-ac67-dec421be487a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/17261/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6884b722af3050dc8d311d48
Tags:
virus krypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/45085170-5c64-4a4a-8ebc-20f18258a470
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1745316
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/3bea01fbe0bd954ed58e7e3a517c5275
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828/
Verdict:
Malicious
Threat:
Win64.Malware.Heuristic
Link:
https://tip.neiki.dev/file/12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-26 11:08:20 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ciluzsecckbah3htb5hkgbrs6hv3cbfu7df3r4bfiqsxjvu2raua._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
LummaStealer
1967625692921a306f4d8565b67e1edf9c1da2988d67a76c93659f5a91d546f5
LummaStealer
2220c14ec416ff9ec8868b13f0db69545280a1b9fef9ff1c56e744516c74f8aa
LummaStealer
c16f2b2394cc709740d882cd23ce1c21be66d60a4b549053abfc9102b3c3328a
LummaStealer
c8c95cd440e281b41ef25f14f4ad4c95d9192f3768568b962798ba6149cf7fab
LummaStealer
error
LummaStealer
f61917435c2b8af970c43e1a8258f4745f576e8b5ad53a5e689587e76d593718
LummaStealer
f78e03e5a79d23790276fba6c7e40b239e7536dccbdc57fdb80fa195c4d16394
LummaStealer
+ 199 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250728-dyxbhahq3s/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://nortlmm.com/riwq
https://molefkx.com/xalo
https://sponfht.com/xrie
https://runuxs.org/zpla
https://follcp.org/atnr
https://remotuw.org/xiza
https://boltex.net/xpao
https://detrewb.net/aqyw
https://berijng.net/otir
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6c89e36a-9faa-4eb6-ba07-bf4d5150a943
Unpacked files
SH256 hash:
12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828
MD5 hash:
3bea01fbe0bd954ed58e7e3a517c5275
SHA1 hash:
3b9cf2fa71c371b9b51afff42dd6e095163016a6
Link:
https://www.unpac.me/results/4f1e5cf7-5094-4702-92f2-1200cffebceb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12174cc882128203ecf30f4ea30632f1ebb104b4f8cbb8f025442574d69a8828

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17261/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments