MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8
SHA3-384 hash: b20f732cb93c198860bd9bb5a1b5b926d6a887c424585d770b68811a43d908e23de4fbe6f2f448669c4181ac618d6a05
SHA1 hash: 57c7601306950544e1690a568168d3f7f6e74dbb
MD5 hash: a80c962b64796db3d16bc841e1fcc098
humanhash: saturn-blossom-lion-robert
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:3'082'752 bytes
First seen:2025-08-14 13:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e67d2940d71dd2c69b0a1f1192a549d (10 x LummaStealer, 3 x DarkCloud, 2 x Rhadamanthys)
ssdeep 49152:QxgdQFKC/PRoa3xPCX5VwIKAXsopRSRiGKUrO8/:HoyuCpVwIKw3SkUr/
Threatray 369 similar samples on MalwareBazaar
TLSH T1C3E59E18AD69D0DAFDE305F17F2DA262B412AF3BCD28176350F8CB611245DDD123A26B
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
63823479254abd69b76746f195089105368640951c327340496d1104e247fec2.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 11:12:50 UTC
Tags:
gcleaner loader lumma stealer auto autoit telegram redline amadey botnet auto-startup
Link:
https://app.any.run/tasks/ca0dcef4-cbc7-44ff-a84a-9f3a938895ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21396/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689de240b0026751df5c6199
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/14a4eaf1-2307-41cc-a11a-e400fc44d194
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1756986
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1756986 Sample: random.exe Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 32 t.me 2->32 34 star-azurefd-prod.trafficmanager.net 2->34 36 8 other IPs or domains 2->36 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected LummaC Stealer 2->50 52 3 other signatures 2->52 9 random.exe 2->9         started        signatures3 process4 signatures5 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Injects a PE file into a foreign processes 9->58 12 MSBuild.exe 9->12         started        process6 dnsIp7 42 t.me 149.154.167.99, 443, 49692 TELEGRAMRU United Kingdom 12->42 44 kenyafu.top 138.124.101.92, 443, 49693, 49723 NOKIA-ASFI Norway 12->44 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->60 62 Query firmware table information (likely to detect VMs) 12->62 64 Tries to harvest and steal ftp login credentials 12->64 66 3 other signatures 12->66 16 chrome.exe 12->16         started        19 chrome.exe 12->19         started        21 chrome.exe 12->21         started        23 chrome.exe 12->23         started        signatures8 process9 dnsIp10 30 192.168.2.8, 138, 443, 49616 unknown unknown 16->30 25 chrome.exe 16->25         started        28 chrome.exe 19->28         started        process11 dnsIp12 38 www.google.com 142.250.65.196, 443, 49705, 49706 GOOGLEUS United States 25->38 40 142.251.40.228, 443, 49712, 49713 GOOGLEUS United States 28->40
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/a80c962b64796db3d16bc841e1fcc098
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-14 13:07:47 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgtlbvha26m3kmr3b76t633k2yspd77lokrwqaxqcnsamwylwpma._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e
LummaStealer
94d652a0381712a46483fc97eafcff63a7093bab28a18cda71a73da71bad21b8
LummaStealer
bfbfadc7a859737845d1c6ae06380f7b15fcbd74b15f9e18522c9d862a326d77
LummaStealer
cc38ae217a27510ee91b1db057f8eef6b8130bd78612fade76060e72587aacb3
LummaStealer
ce11ca94496f7d9fe85318314e88e2dbe000e87352c14f9685a7eb9ee2d5215a
LummaStealer
error
LummaStealer
+ 359 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250814-qkdcpahk3t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/romakorz
https://vaganetka.ru/opza/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/47092507-60e5-4005-89c5-e3f20ba092fd
Unpacked files
SH256 hash:
19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8
MD5 hash:
a80c962b64796db3d16bc841e1fcc098
SHA1 hash:
57c7601306950544e1690a568168d3f7f6e74dbb
Link:
https://www.unpac.me/results/4ebd41d1-1c07-44a3-b02e-d5661a500796/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19a6b0d4e0d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 19a6b0d4e0d799b5323b0ffd3f6f6ad624f1ffeb72a36802f01364065b0bb3d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3594026/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21396/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::CreateWindowExW

Comments