MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf
SHA3-384 hash: e95e21d32058eb5c2e4f958a34e6b444c2bdebe649b6b3b26aeab5ccf583006966643b08046659a4acfb5dc29bc9cee1
SHA1 hash: d26dfbea654807fc3ba219a3ad5b141d255c5f3e
MD5 hash: 8b6b1283ec679b7a9b7123e72b762998
humanhash: tennessee-diet-maine-leopard
File name:𝚜𝚎𝚝𝚞𝚙 ┘ 🪪.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:99'614'732 bytes
First seen:2025-08-26 12:35:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c32ba42c73a2bc24d2788f7750d87edb (45 x LummaStealer, 37 x Rhadamanthys, 3 x Vidar)
ssdeep 24576:KliDpVkGmOIaY9Qlhr1daaFgB2lv4gQ+hiYVzTTd3:zDp2XfaJ+amB2pwiBVzTp
TLSH T1F6288CB78755F7CF1ACE74BBFB208249B52A223EF2539B9E1231D01E210D55D1632A27
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://www.file-counter.com/ => https://disk.yandex.com/d/gJs5Oz0XanQGng

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20563571-14f7-437f-bdbc-58b8ba9204e4
Verdict:
Malicious activity
Analysis date:
2025-08-26 12:44:56 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/20563571-14f7-437f-bdbc-58b8ba9204e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68adaa84eb163e0ec182c414
Tags:
phishing autoit emotet
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68adaa967137d684583dd158/reports/fa8b92c6-d97d-4b76-9a11-bba4ac8f4867/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf
Verdict:
Unknown
File Type:
First seen:
2025-08-26T11:38:00Z UTC
Last seen:
2025-08-26T11:38:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf/results?tab=lookup
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765371
Signature
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765371 Sample: #Ud835#Ude9c#Ud835#Ude8e#Ud... Startdate: 26/08/2025 Architecture: WINDOWS Score: 100 37 runmgov.ru 2->37 39 jzDPEZVmEWgMfDYqaw.jzDPEZVmEWgMfDYqaw 2->39 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 10 #Ud835#Ude9c#Ud835#Ude8e#Ud835#Ude9d#Ud835#Ude9e#Ud835#Ude99 #U2518 #Ud83e#Udeaa.exe 23 2->10         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 10->35 dropped 13 cmd.exe 1 10->13         started        process6 signatures7 55 Detected CypherIt Packer 13->55 57 Drops PE files with a suspicious file extension 13->57 16 cmd.exe 4 13->16         started        19 conhost.exe 13->19         started        process8 file9 33 C:\Users\user\AppData\Local\...ating.pif, PE32 16->33 dropped 21 Eating.pif 16->21         started        25 findstr.exe 1 16->25         started        27 extrac32.exe 12 16->27         started        29 2 other processes 16->29 process10 dnsIp11 41 runmgov.ru 142.93.82.250, 443, 49691, 49692 DIGITALOCEAN-ASNUS United States 21->41 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->51 53 Query firmware table information (likely to detect VMs) 21->53 31 conhost.exe 25->31         started        signatures12 process13
Score:
22%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf
Gathering data
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 13:15:03 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duvtm62u34cs5mdpvtddflf3upypgqabgr62qiu7ey3zvkpp4xhq._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250826-ptbd1szkt6/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies trusted root certificate store through registry
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://runmgov.ru/tixd
https://mastwin.in/qsaz
https://tiltyufaz.ru/tlxa
https://semipervaz.ru/xued
https://capitalior.ru/akts
https://retrofik.ru/jgur
https://shagkeg.ru/xkzd
https://copulardi.ru/xhza
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc34b0de-8986-43c0-950b-c7df86dd5de2
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1d2b367b54df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1d2b367b54df052eb06facc632acbba3f0f34001347da8229f26379aa9efe5cf

(this sample)

  
Link
https://tria.ge/250826-pbkvqsyqv9/behavioral2
  
Delivery method
Distributed via web download

Comments