MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 3

Intelligence 3 IOCs YARA 8 File information Comments

SHA256 hash:	18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70
SHA3-384 hash:	95cbabcd0c1d23981911869f3238a3dece25233db0c5af4371957aa5ff279bf783f85682d1acf42f3280ef227ef76d60
SHA1 hash:	dc56aee7650ff6cdf0b52f0482c64f71bb308f9d
MD5 hash:	18217924c1d4fcb07af44a8201b7cc77
humanhash:	hydrogen-equal-north-berlin
File name:	LumenTeamsLauncher.zip
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	58'897'917 bytes
First seen:	2025-03-28 14:38:40 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
Note:	This file is a password protected archive. The password is: 2025
ssdeep	1572864:DOwIyWhhqtQEDXlmcn/zwIRq7C76IWGLEtUJOtL:D5IxyuMX4c0IRq7CPCUJML
TLSH	T1E3D733E6E3C831B593BB35721C2FB99DABB00EEA194452E551324277C93C2B523C527E
Magika	zip
Reporter	aachum
Tags:	file-pumped LummaStealer pw-2025 zip

iamaachum

https://www.youtube.com/watch?v=J0EZe9kEt70 => https://lumenamoris.live/fortnite => https://www.mediafire.com/folder/znaqnupjf8xek/SoftV10.4

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file is a password protected archive. The password is: 2025

This file archive contains 23 file(s), sorted by their relevance:

File name:	cef_200_percent.pak
File size:	849'165 bytes
SHA256 hash:	53288b06af1b0e1925647c54996860854cd232f6e21f2efb27ce922cf85bdeb8
MD5 hash:	3fd99f97adccfa6d3aaba9b682725372
MIME type:	application/octet-stream
Signature	LummaStealer

File name:	CREDITS.txt
File size:	0 bytes
SHA256 hash:	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 hash:	d41d8cd98f00b204e9800998ecf8427e
MIME type:	inode/x-empty
Signature	LummaStealer

File name:	AJRouter.dll
File size:	26'112 bytes
SHA256 hash:	4e2623243a9bb61f7211e591c24edb70b07974a7fa21e3f14c683f27e975777f
MD5 hash:	526fe18db976d9a1ae19fbc53fa690b1
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	DecoderMgr.dll
File size:	44'536 bytes
SHA256 hash:	406ecbc8e40c7398b6b7d8e78f4ca30b11710b8bb7775407ede6f12aa69ab4f1
MD5 hash:	eb25ee1f5c3332d3bbd16fe887cc8957
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	FFCore.dll
File size:	1'460'976 bytes
SHA256 hash:	9695408ffaa0eecf13baf9bf98e67349ba3404130e331ddc3560a73e7460c125
MD5 hash:	f8d599c7620a981623302bdbef6be1e8
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	COPYRIGHT
File size:	3'245 bytes
SHA256 hash:	6af2199047ce21b763edb2d0c494a113a2c24371a545c17221f7c8ad66e605ff
MD5 hash:	6aa4d2c892b1a12df6ecbd8408a10a73
MIME type:	text/plain
Signature	LummaStealer

File name:	cpr.dll
File size:	163'568 bytes
SHA256 hash:	91e513aed4cefc9cbc8ccd014310e75d5c098c958a23b1ac0780b07170f91f1d
MD5 hash:	7a006dc458d9c9bc4666a0f03d354d3d
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	AcSpecfc.dll
File size:	81'920 bytes
SHA256 hash:	35baad73ba5d1fed20e9d9d8178e6fcb5c08e16007e454d2f1165d5513abb281
MD5 hash:	d18a014d26a42c0ab931f05e3fe7dc3a
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	xNne0sZ2uexW
File size:	52'428'800 bytes
SHA256 hash:	2c1ce2ac6159915f5d8c8c7884d223b24e0924f989a0cbd876508966f5b1b180
MD5 hash:	199bbedb2d5c9606145b8aef5caa36b0
MIME type:	application/octet-stream
Signature	LummaStealer

File name:	AdvancedEmojiDS.dll
File size:	168'448 bytes
SHA256 hash:	561d60d53bb2cdc88fe930ff9639b5627643574421f89d37edb084af1c8ef720
MD5 hash:	330f9767c5ac5d65feffba6d957164e3
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	DemuxMgr.dll
File size:	58'872 bytes
SHA256 hash:	fcf52e82c1c7aaa94e87e968731ab3cc4cb7390e37fa06546b92ae82ef5ce305
MD5 hash:	ce2f4a0c39f2ffc2bbd544885ab59175
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	AboutSettings.dll
File size:	583'136 bytes
SHA256 hash:	8fafc666d5aabf0a073729af443e668495c2902d61490a3dcfa910af90502edf
MD5 hash:	ff67a61ea734568c8ab229f871b561e4
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	FFEffectWidgets.dll
File size:	4'426'480 bytes
SHA256 hash:	d5033b388793560adf3c39b897f1d25753aad0decbe8bb8e69b8af73f27c5c86
MD5 hash:	461ef166ce06f0e2d18761cba484f2c6
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	alibabacloud-oss-cpp-sdk.dll
File size:	1'722'096 bytes
SHA256 hash:	2ee24618c12271b7c9c18df5f2beddf02fd93ee7457707e0a6a54d8d8e88aaa2
MD5 hash:	2698f138e8c4d573bb0daedc47acd123
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	adprovider.dll
File size:	60'416 bytes
SHA256 hash:	31c4a155e70c8ca2fc843ac1f72ea3dd889c143865f09bc495f7246f413df667
MD5 hash:	107f29505a3631d5f093fc90d0b151f4
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	FCore.dll
File size:	1'079'024 bytes
SHA256 hash:	ddfe9847c034560a081308b15667d918752482e9d86c1a1992e4bb6f4369ffda
MD5 hash:	08796fb8d3bc55994ff2e6c4d209910f
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	Pass-2025.txt
File size:	2 bytes
SHA256 hash:	e29c9c180c6279b0b02abd6a1801c7c04082cf486ec027aa13515e4f3884bb6b
MD5 hash:	6364d3f0f495b6ab9dcf8d3b5c6e0b01
MIME type:	text/plain
Signature	LummaStealer

File name:	FFAdvancedColorAdjust.dll
File size:	903'920 bytes
SHA256 hash:	aaebdf1476de441e32fba84d6a0d2b3294d832dce9a64884865b78725c2854c7
MD5 hash:	f31fb6d2488f9b4c15891167909410ec
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	cloud-disk.dll
File size:	946'552 bytes
SHA256 hash:	4ef94bfdb914e87d141a4103e3035dfb7e963b0309b41e1e0675966dfd85137c
MD5 hash:	d8e7969fb5db62f81b09e83c157954c3
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	cef_100_percent.pak
File size:	733'416 bytes
SHA256 hash:	f1f82538f0b293b02da26b19c128b23c53ffbe36b8524cd7a1ddf874a60b3ed2
MD5 hash:	0094d5f116cfa9dcc094f28c200b40cd
MIME type:	application/octet-stream
Signature	LummaStealer

File name:	lekeystore.jks
File size:	39'920 bytes
SHA256 hash:	742176460afa2a4ed3642142dfa954e7f53668009a4973459888d5edf9ed1bdb
MD5 hash:	e8fb6c3324cb66e60900b813b364a5de
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	ActiveSyncProvider.dll
File size:	1'707'520 bytes
SHA256 hash:	4ef9b2e7a0bfe36aaf1d2205fa72e3c82a3a7d43a26018535887e4f9bf1d9e30
MD5 hash:	ae097d6faca854a02642f6fdbfd1d967
MIME type:	application/x-dosexec
Signature	LummaStealer

File name:	The_LauncherV1.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	699'806'912 bytes
SHA256 hash:	c03102bedf3ea19bfcc15e027de5c1ad5dc9388bfc3f381278a268c67598d50a
MD5 hash:	649d5d4706d00ca633b485ec2db125dd
De-pumped file size:	806'912 bytes (Vs. original size of 699'806'912 bytes)
De-pumped SHA256 hash:	236434ede41998a84dea3fefa45f43215191726c38d7fbc4791265af87721701
De-pumped MD5 hash:	e5c14e727c178665571675efd3d762b9
MIME type:	application/x-dosexec
Signature	LummaStealer

Vendor Threat Intelligence

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c1e73c2dfba428b46f2f8b

Tags:

n/a

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=daliamfjo23loln3eer3adnpyzzzyxbg4xupx7p7mgxgl3uqj5ya._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery execution spyware stealer

Link:

https://tria.ge/reports/250328-skamxaxxcx/

Malware Config

C2 Extraction:

https://ironproe.live/FLsapz
https://woreheatq.live/gsopp
https://castmaxw.run/ganzde
https://weldorae.digital/geds
https://7usteelixr.live/aguiz
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PK_PUMP_AND_DUMP Create hunting rule
Author:	Will Metcalf @node5
Description:	Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)