MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 33 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d
SHA3-384 hash: 8331648ec78977c6d5c35d0666e77acfdb5efc7291553e463f004e2fd6a424598b1ea8f3654bca221d97bc6a64398474
SHA1 hash: 47bdab8045535fbffdf36e54597827cb707e348d
MD5 hash: c0dba4559695649f33b2a8e486df4ab8
humanhash: white-autumn-oklahoma-mars
File name:Lumora-AutoJoiner.exe
Download: download sample
Signature PythonStealer
Create hunting rule
File size:30'677'646 bytes
First seen:2025-09-10 16:24:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dcaf48c1f10b0efa0a4472200f3850ed (41 x BlankGrabber, 20 x Efimer, 17 x PythonStealer)
ssdeep 786432:joS/oS0TPFD+z6W8BOvHPdNPa7dNFfrCXaD2aWc:joMo77FpWRdJa7dNFjCk2a
TLSH T10467330C67CD25D5E8D9493BA8E7A62785B0FE621374C75F86F006254A03AE1DEB4F32
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe pysilon PythonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lumora-AutoJoiner.exe
Verdict:
Malicious activity
Analysis date:
2025-09-10 16:25:22 UTC
Tags:
pyinstaller python uac anti-evasion auto-reg
Link:
https://app.any.run/tasks/95fc861f-a3bf-4c13-a2ff-65c56e1a3463

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c1a651b2005259887980ac
Tags:
extens shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Creating a file
Launching a process
Creating a process from a recently created file
Searching for the window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc obfuscated overlay packed packer_detected threat
Link:
https://www.filescan.io/uploads/68c1a68fdbc6f5a29c3e8937/reports/b031e952-442c-47a3-bd83-72240b5b0e54/overview
Verdict:
Malicious
Labled as:
PySpy.B.Generic
Link:
https://www.hybrid-analysis.com/sample/31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-10T11:30:00Z UTC
Last seen:
2025-09-10T11:30:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Python.Pytr.db HEUR:Trojan-PSW.Python.Nuker.gen HEUR:Trojan-PSW.Python.Agent.gen HEUR:Trojan-PSW.Multi.Disco.gen HEUR:Trojan.Python.Yapt.c HEUR:Trojan.Python.Agent.gen HEUR:Trojan-PSW.Win32.Disco.gen HEUR:Trojan.Python.Tpyc.i not-a-virus:HEUR:PSWTool.Python.LaZagne.gen not-a-virus:HEUR:PSWTool.Python.BroPass.gen
Link:
https://opentip.kaspersky.com/31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d/results?tab=lookup
Result
Threat name:
Python Stealer, Discord Token Stealer, P
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775001
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Discord Token Stealer
Yara detected Generic Python Stealer
Yara detected PySilon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775001 Sample: Lumora-AutoJoiner.exe Startdate: 10/09/2025 Architecture: WINDOWS Score: 100 117 discord.com 2->117 127 Antivirus / Scanner detection for submitted sample 2->127 129 Multi AV Scanner detection for submitted file 2->129 131 Yara detected PySilon Stealer 2->131 133 4 other signatures 2->133 13 Lumora-AutoJoiner.exe 1001 2->13         started        17 d.exe 2->17         started        signatures3 process4 file5 93 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 13->93 dropped 95 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 13->95 dropped 97 C:\...\_umath_linalg.cp313-win_amd64.pyd, PE32+ 13->97 dropped 105 157 other files (7 malicious) 13->105 dropped 155 Adds a directory exclusion to Windows Defender 13->155 157 Writes many files with high entropy 13->157 19 Lumora-AutoJoiner.exe 1 4 13->19         started        99 C:\...\_umath_linalg.cp313-win_amd64.pyd, PE32+ 17->99 dropped 101 C:\...\_multiarray_umath.cp313-win_amd64.pyd, PE32+ 17->101 dropped 103 C:\Users\user\AppData\Local\...\_rust.pyd, PE32+ 17->103 dropped 107 87 other files (4 malicious) 17->107 dropped 23 d.exe 17->23         started        signatures6 process7 file8 81 C:\Users\user\d\d.exe, PE32+ 19->81 dropped 83 C:\Users\user\d\d.exe:Zone.Identifier, ASCII 19->83 dropped 135 Creates autostart registry keys with suspicious names 19->135 137 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->137 139 Adds a directory exclusion to Windows Defender 19->139 25 cmd.exe 19->25         started        28 powershell.exe 23 19->28         started        30 cmd.exe 23->30         started        32 cmd.exe 23->32         started        34 cmd.exe 23->34         started        36 4 other processes 23->36 signatures9 process10 signatures11 147 Uses cmd line tools excessively to alter registry or file data 25->147 38 d.exe 25->38         started        50 3 other processes 25->50 149 Loading BitLocker PowerShell Module 28->149 42 conhost.exe 28->42         started        44 ComputerDefaults.exe 30->44         started        52 3 other processes 30->52 46 reg.exe 32->46         started        48 conhost.exe 32->48         started        54 2 other processes 34->54 56 7 other processes 36->56 process12 file13 85 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 38->85 dropped 87 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 38->87 dropped 89 C:\...\_umath_linalg.cp313-win_amd64.pyd, PE32+ 38->89 dropped 91 157 other files (7 malicious) 38->91 dropped 141 Adds a directory exclusion to Windows Defender 38->141 143 Writes many files with high entropy 38->143 58 d.exe 38->58         started        62 d.exe 44->62         started        145 UAC bypass detected (Fodhelper) 46->145 signatures14 process15 dnsIp16 119 discord.com 162.159.128.233, 443, 49696, 49702 CLOUDFLARENETUS United States 58->119 121 127.0.0.1 unknown unknown 58->121 151 Adds a directory exclusion to Windows Defender 58->151 65 powershell.exe 58->65         started        68 cmd.exe 58->68         started        109 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 62->109 dropped 111 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 62->111 dropped 113 C:\...\_umath_linalg.cp313-win_amd64.pyd, PE32+ 62->113 dropped 115 140 other files (7 malicious) 62->115 dropped 70 d.exe 62->70         started        file17 signatures18 process19 signatures20 123 Loading BitLocker PowerShell Module 65->123 72 conhost.exe 65->72         started        74 conhost.exe 68->74         started        125 Adds a directory exclusion to Windows Defender 70->125 76 powershell.exe 70->76         started        process21 signatures22 153 Loading BitLocker PowerShell Module 76->153 79 conhost.exe 76->79         started        process23
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d
Gathering data
Verdict:
Malicious
Threat:
Family.PYSILON
Link:
https://tip.neiki.dev/file/31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d
Threat name:
Win64.Trojan.PySpy
Create hunting rule
Status:
Malicious
First seen:
2025-09-10 16:24:51 UTC
File Type:
PE+ (Exe)
Extracted files:
3591
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghkojk6aohktuzffoqivnxd5lvsertb76cnphzkfklolzrr6kzoq._file
Result
Malware family:
pysilon
Create hunting rule
Score:
  10/10
Tags:
family:pysilon defense_evasion execution persistence pyinstaller upx
Link:
https://tria.ge/reports/250910-txd2ja1wgt/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Enumerates VirtualBox DLL files
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac67b52e-8b2a-4775-80d7-9f937e157bc9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31d4e4abc071d53a64a5741156dc7d5d6448cc3ff09af3e54552dcbcc63e565d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PyInstaller
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments