MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b
SHA3-384 hash:	d47f5ceda7afeef2f5a61e9527877e1ca5a900bdda8bb98fed5bcd133f88687a8eec462d90cf05a2e9fd50489162b7c4
SHA1 hash:	beeee3bbb60d204393f78579bcec6442c4d301b0
MD5 hash:	85c43b38df0e5011e4640cb6233128cf
humanhash:	undress-lion-high-leopard
File name:	loader.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'280'000 bytes
First seen:	2025-06-28 20:08:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	74fea8d9720dbfeca2a3ee9f97393036 (13 x LummaStealer, 2 x Stealc, 2 x XWorm)
ssdeep	24576:V6J5Xy3qnVIlZ2XAkHEM4pyKWpSSGshSHEM4pyKWpSSGsh:W54qWlmAkHakKW9hSHakKW9h
Threatray	528 similar samples on MalwareBazaar
TLSH	T10545D029D152A2EDED2640B505A275A0B962F923C6342FFF83D4D3325E0BBD41F2E719
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

778

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

loader.exe

Verdict:

Malicious activity

Analysis date:

2025-06-28 20:12:04 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/4bbeba44-68e6-4333-bb84-0704cb0c8e4e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/11498/

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.27611.22017.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68604bf937c343677946ba53

Tags:

virus zusy

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context entropy fingerprint microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/68604c0845e80b29f8a3be20/reports/6134957f-d94b-450f-b3bf-5501bbc6c85b/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/cfc26f99-9aed-4950-85de-905c697c5245

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b/

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-06-28 20:09:33 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7ezustzlpqbem64dswbn7hvhltylirbb6ateacsrahnnhku7bfq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

295a1da71cc9ed7ad3157eae22eb94de0ab71c5dd4a0c399c237c7b97ac2fdd6

LummaStealer

7b748fbc361bb66d5af0ab5c7e709186b1a3110e9fa0a2912a2e6b577d8b0b94

LummaStealer

b1c2e4e5d8bb333d20933910e6b5c2a83268f0ad13fa3b0be1b479117955a982

LummaStealer

c3b72389eba306e58381b4a62bce1d04e1071664dc2ec106e06e59a32fb4e54f

LummaStealer

error

LummaStealer

+ 518 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250628-yxdszshq7z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://ketxsuz.xyz/xpaw
https://pacwpw.xyz/qwpr
https://comkxjs.xyz/taox
https://unurew.xyz/anhd
https://trsuv.xyz/gait
https://sqgzl.xyz/taoa
https://cexpxg.xyz/airq
https://urarfx.xyz/twox
https://liaxn.xyz/nbzh

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e7ebf75e-a00d-439b-80f1-5e9f44bf6883

Unpacked files

SH256 hash:

2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b

MD5 hash:

85c43b38df0e5011e4640cb6233128cf

SHA1 hash:

beeee3bbb60d204393f78579bcec6442c4d301b0

Link:

https://www.unpac.me/results/e4432d72-55f0-48a7-992f-07300bb87e7f/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2fc99a4a795b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fc99a4a795be01233dc1cac16fcf53ae785a2210f81320052880ed69d54f84b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/11498/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample