MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5
SHA3-384 hash: 70a26c069a0f5aa4b3b33ba8b7c24a0db83c82ac0243effcd256696fea2fb965a0f83a3c2bf18f789ada7a3f2c6282d4
SHA1 hash: 3a5b1e4560775dc812af8274fdf0e6f8b8526340
MD5 hash: 8f9c589739865b9b5356aab078ff38e0
humanhash: river-delta-juliet-pasta
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:99'614'710 bytes
First seen:2025-08-11 19:22:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:mKU3asqFU+JJjCslba6K6bOqGQZuKLukF0/S+1thI4jLmvEfagEP65R:u7UJjVhGQZuKLukuB64S+EP8R
TLSH T125281280C78774F255CA03142342496D083CA6DA53290DF62E5A6BACA5D3BD8F67DF2F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 70e4b4b4b8d4e869 (2 x LummaStealer)
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://sitdownbromeback.icu/?3iatwuBpXIgCEMSWLfcRse7ljzkGnP5bvQrmxAUH=86DzHO7E4jZt2lUALov9eNiFmMkcgPWGVuXY0n5saS1TrQB&t7gGLl129eEqQsmDjIk5uU3PSvAB0ow6Fa4XypzbWVC => https://mega.nz/file/nYdkTJpR#7MFKmFvMp42qOHHXZFYkL9Fn3VpGAyxTQeLCQn7xjms

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-08-11 19:25:23 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/27e82435-4b02-42d3-b421-aba19372d205

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689a4320fca70bd90e8e60c6
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Connection attempt to an infection source
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/689a430a9ef4d2ff7cf6e16f/reports/f0686ac4-17f5-4a41-a139-51057cfc8ed5/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1754868
Signature
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1754868 Sample: setup.exe Startdate: 11/08/2025 Architecture: WINDOWS Score: 100 34 xAJfsEcMkPMhFqsZqxHO.xAJfsEcMkPMhFqsZqxHO 2->34 36 vishneviyjazz.ru 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Found malware configuration 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 5 other signatures 2->46 9 setup.exe 25 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 52 Detected CypherIt Packer 12->52 54 Drops PE files with a suspicious file extension 12->54 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\...\Results.pif, PE32 15->32 dropped 20 Results.pif 15->20         started        24 extrac32.exe 18 15->24         started        26 tasklist.exe 1 15->26         started        28 2 other processes 15->28 process10 dnsIp11 38 vishneviyjazz.ru 172.86.89.51, 443, 49721, 49722 M247GB United States 20->38 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->48 50 Query firmware table information (likely to detect VMs) 20->50 signatures12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5
Gathering data
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-11 08:00:03 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejvb74vvzaqedhwohn3l62tms3q44ttbhc2wrclrmygr2pz5lx2q._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250811-x3n1gazrx8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://vishneviyjazz.ru/neco/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/275f6c65-082b-401e-a8c6-725ab2baafd9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 226a1ff2b5c820419ece3b76bf6a6c96e1ce4e6138b5688971660d1d3f3d5df5

(this sample)

  
Link
https://tria.ge/250811-xsjm1asxay/behavioral2
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments