MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2705018412749bb3e11bca68ba5d7052261f539a57d29437178de804757a4b2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 18 File information Comments

SHA256 hash:	2705018412749bb3e11bca68ba5d7052261f539a57d29437178de804757a4b2b
SHA3-384 hash:	05fc149a0f9615e59e2fbdf9cfc4a14be16935bf4ff28a6918f4d1e1420bfb25fb5128bf25e54ca45868d0e96d339ba8
SHA1 hash:	f489a8f792a9f1ce92dc86ee7042c0d39fa33043
MD5 hash:	cc8aa60492ff139f53a8bec66c8ee8aa
humanhash:	utah-nitrogen-summer-bluebird
File name:	ꜱᴀᴛᴜᴘ__0ᴘᴇɴ.zip
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	48'904'071 bytes
First seen:	2025-04-16 22:56:32 UTC
Last seen:	2025-04-16 22:56:33 UTC
File type:	zip
MIME type:	application/zip
ssdeep	786432:zXpgiwvC/XLV7LpQNGY+bIl5+GZkWNb9uPaoh3Xaxp:z0YRLpE+k
TLSH	T178B76A0E62DCF965D86A53388DE1CE219671BC160BE39BCF3167BD985E327C07A35221
TrID	61.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7) 31.5% (.ZIP) Open Packaging Conventions container (17500/1/4) 7.2% (.ZIP) ZIP compressed archive (4000/1)
Magika	zip
Reporter	aachum
Tags:	HIjackLoader IDATLoader LummaStealer zip

iamaachum

https://uploadify.cloud/0MdWlkPTE0JmZpZD0zMzRjOQ => https://www.mediafire.com/file/wub7c2ywxg1bsd2/#%EA%9D%90%E2%B1%A5$$%E2%B1%B3%C7%BF%C9%8D%C4%90%E2%9C%B2-5174_%E2%9C%B5O%CD%8D%E2%82%B1%CE%B5%E2%82%A6%E2%80%BB-%E2%9C%BB%C5%9E%CE%B5t-%C9%84%E2%82%B14U%E2%A7%89.zip/file

Intelligence

File Origin

# of uploads :

# of downloads :

531

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6800395f2203b3e10ccfe1b1

Tags:

infosteal

Verdict:

Unknown

Threat level:

n/a -.1/10

Confidence:

100%

Tags:

expired-cert microsoft_visual_cc signed

Link:

https://www.filescan.io/uploads/680035c5931404048d7fb34d/reports/2006992b-68d1-400e-96e7-39e88f8355f1/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/2705018412749bb3e11bca68ba5d7052261f539a57d29437178de804757a4b2b

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2705018412749bb3e11bca68ba5d7052261f539a57d29437178de804757a4b2b

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

10%

Verdict:

Benign

File Type:

Result

Malware family:

hijackloader

Score:

10/10

Tags:

family:hijackloader discovery

Link:

https://tria.ge/reports/250417-fanqkaywcs/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2705018412749bb3e11bca68ba5d7052261f539a57d29437178de804757a4b2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang Create hunting rule

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	Jupyter_infostealer Create hunting rule
Author:	CD_R0M_
Description:	Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETDLLMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	swfdoc_hunter Create hunting rule

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/