MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d
SHA3-384 hash: 7c80764e263e89b83e7d3cefeb2be8e1f6390b279da692a7089f1e15279107459bab979663e1ee2ba285878c75988177
SHA1 hash: b6a068ae82be799a73ef6f3b3f788a8a6e57e4a8
MD5 hash: 0b566e01caf2bfd16cecda77eb37e792
humanhash: speaker-nebraska-ack-eighteen
File name:Setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:94'371'813 bytes
First seen:2025-09-05 17:47:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:mrcH3w4XLV9G13tqsJK6kFjxYxlGvXNpN9:jwG7G6iK6kV64Npz
Threatray 2'243 similar samples on MalwareBazaar
TLSH T10B2812571380E364B4EF786726107B088470ECF7755D6E386E57D82876ABAEA03F3621
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://hitmeup.space/?p=1085&enHash=bC4Gtpl71zfc => https://mega.nz/file/1UcXkTYQ#h46tsbKmVZd_C1Z-dafEDQA7yRB2EF-lq19WVeLFuaw

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-06 02:22:24 UTC
Tags:
autoit lumma stealer auto-startup arechclient2 backdoor rat xor-url generic
Link:
https://app.any.run/tasks/870d310b-ab11-4f91-8d42-f13894448e85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bb2255eb163e0ec18494d7
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68bb223620d0ee406d97150b/reports/5c1ef9ec-c4af-4083-9c93-640d6bda951f/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-04T19:16:00Z UTC
Last seen:
2025-09-04T19:16:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Autoit.gen Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb HEUR:Trojan.Script.Generic HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d/results?tab=lookup
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1771998
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1771998 Sample: Setup.exe Startdate: 05/09/2025 Architecture: WINDOWS Score: 100 34 streamin.style 2->34 36 gYpggsWbdmw.gYpggsWbdmw 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 6 other signatures 2->46 9 Setup.exe 24 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 52 Detected CypherIt Packer 12->52 54 Drops PE files with a suspicious file extension 12->54 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\Temp\...\Rat.pif, PE32 15->32 dropped 20 Rat.pif 15->20         started        24 extrac32.exe 17 15->24         started        26 tasklist.exe 1 15->26         started        28 3 other processes 15->28 process10 dnsIp11 38 streamin.style 145.223.96.77, 443, 49697, 49698 VBA-ASNL Netherlands 20->38 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->48 50 Query firmware table information (likely to detect VMs) 20->50 signatures12
Score:
46%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d
Gathering data
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-05 11:03:22 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d2jkxcdkb7265dj35ycl2ok7ccntlplvfbrwur5p6q3tolt5vgoq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
unc_loader_058
Create hunting rule
Similar samples:
0040cda86058738ebde0150d7ed174aeb24b06fe9c11c17aa41a1385b0a258bc
LummaStealer
0435624c83fb463eb1d149d0b5228d3bfadbcb6d056b13c83b091e8e36f0015b
LummaStealer
27281a80300ffe0a103880c950b04bfd542415b55ec986ea4aac5d6edfec529d
LummaStealer
2d04c13fd74da6be1a58c55a30a2b753656d6a1aa1b0c6d426fe861f37de47c3
LummaStealer
97c03024290fb8939e3b25844ac4fa2d66f2a4f6bb91438457c99445c1fcd970
LummaStealer
9d1fb3557af008bd1c383ef15f5870f78c6f299ea23781c6b5326d602644fe68
LummaStealer
c09255d1b0b54132c0d40502ad635bcff41a9a3f92427b39879d620e96eb387d
LummaStealer
cd00e9684bb6a8b2b5ea0699b89cb251221c343cfb6ab3f6ec57525b349fc25f
LummaStealer
df8a790d84cff513666c6d01fadaf2bc23e029150f3d26cd9798c003328f8fd6
LummaStealer
error
LummaStealer
f57764db1fdb67a38593290017ce65a9aa83a114b4e9b9c32a46129db38d2717
LummaStealer
+ 2'233 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250905-wc362afn4x/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://streamin.style/iqzb
https://mastwin.in/qsaz
https://digitbasket.com/pqox
https://voando26.com/iwnn
https://iaed.link/ndbh
https://pyscalp.com/iqop
https://lzh.fr/mnsn
https://phoenix-brands.dev/qyzb
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a8586866-fb3f-4504-a25f-1398d131bd03
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e92ab886a0f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 1e92ab886a0ff5ee8d3bee04bd395f109b35bd7528636a47aff437372e7da99d

(this sample)

  
Link
https://tria.ge/250905-v2fxcs1ky4/behavioral2
  
Delivery method
Distributed via web download

Comments