MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6
SHA3-384 hash: f5f8d3bd24480b3675115eabd1d0d19c37df4d6079e3afd8fd502926d3157d81bade0b269f2da137ea5ee2d7aba4fac7
SHA1 hash: 4890e7be84daa364f6c4173564a522c6f23f7f7e
MD5 hash: 9f55cc87dfc48c2e33efa3fac351bee5
humanhash: muppet-beryllium-august-one
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:99'614'760 bytes
First seen:2025-09-09 15:24:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 24576:vVDDBg+zKBDTgnUTeZswhmY5rslXEqKpctHkcU4DUXZ:vNGDakMyY5rQZ6ctHkcaXZ
Threatray 1'020 similar samples on MalwareBazaar
TLSH T1DE28129993159A2D45276EC5B1E0FA228978FC92371B45A1D0CDF02CDB23C61F62DBC7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://cdxtsd.cfd/?file=8X5ZeRHSfpFh60LO9A1NvzEcBusJQw2b&jDo16AerT2ZNn=j2ThNbtmnz64CgyVo3SBaDH8i7pRdFZOfPc01qYXGrMlIKU => https://mega.nz/file/LPAw2aiL#wJefupjyWB_xZ6NiK8VadBE37ZVTC32IuivJNTc9ZCg

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 15:25:35 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/41035715-9f37-4f0a-8f4f-971ac24d256b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c0476fb200525988793445
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68c0471fcfa59bfdc7f5c93f/reports/01a5588b-3472-4d61-8548-eb51cb8a148e/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-07T19:50:00Z UTC
Last seen:
2025-09-07T19:50:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6/results?tab=lookup
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774111
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774111 Sample: setup.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 33 figueqhk.xin 2->33 35 tetrwoo.asia 2->35 37 RStdtEICWxpwio.RStdtEICWxpwio 2->37 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Antivirus detection for URL or domain 2->45 47 6 other signatures 2->47 9 setup.exe 25 2->9         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->29 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 49 Detected CypherIt Packer 12->49 51 Drops PE files with a suspicious file extension 12->51 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 31 C:\Users\user\AppData\...\Congratulations.pif, PE32 15->31 dropped 20 Congratulations.pif 15->20         started        23 extrac32.exe 17 15->23         started        25 tasklist.exe 1 15->25         started        27 2 other processes 15->27 process10 dnsIp11 39 tetrwoo.asia 134.209.165.152, 443, 49692, 49693 DIGITALOCEAN-ASNUS United States 20->39
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-08 01:44:36 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gmy6xkvusgnwqu3mlpg566xl6jlx4at4jccycfw67u2yziljic3a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1e76bd86504d6762bb931749d262a2d20b67ac561dc1f74fefe25754ad02f5c5
LummaStealer
890f25396e54abd5814342a99022e26a311f8a874bb392971e6724bfec84b907
LummaStealer
a18851ced5e3bd124b195adc3912018e634920a389927920adba8c171676ef96
LummaStealer
b57fdf0cc3944d31a5cbf7727ef0702ec6ba8fd729cf14f7a8cbd6c6e0d4f56c
LummaStealer
bdd838e9ebbf968de1d44b5de4cd16a1b622624c1963c7138f28cdd7648fcd4d
LummaStealer
d1df3488c28c94deddcddd5301fb12ff0d86875a199a6ddc8cf3f1b97d0fa621
LummaStealer
error
LummaStealer
f49ef520f7362b8c359c61f5dfa2ca2e8131d6bfa9bd52eebc831bd830f55c60
LummaStealer
+ 1'010 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250909-svcj9acl81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://figueqhk.xin/qyvv
https://tetrwoo.asia/niuo
https://hffiahz.asia/pppm
https://plataukz.xin/nbvg
https://sprimvd.my/zcbh
https://renohhde.xin/nvhu
https://lithfzx.my/bvcg
https://titlexy.my/bavg
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc14e8ea-1e2c-48f1-95ea-f72f9803debc
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3331ebaab491/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 3331ebaab4919b68536c5bcddf7aebf2577e027c48858116defd358ca16940b6

(this sample)

  
Link
https://tria.ge/250909-spmg9ssrw8/behavioral2
  
Delivery method
Distributed via web download

Comments