MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e
SHA3-384 hash:	9d601c14f8b38fedde8c0de26a9953dc2c1b6ec0f3f20790736efd8ad9fd8c1b599ec54534148df8f8ecd6280d8aff45
SHA1 hash:	d6446e4edcbdd46211201522ddd4185e2b594df6
MD5 hash:	c196fc5a29c362becd7cd20759d797d5
humanhash:	venus-bulldog-sierra-ten
File name:	36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	3'074'048 bytes
First seen:	2025-08-14 11:50:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1e67d2940d71dd2c69b0a1f1192a549d (10 x LummaStealer, 3 x DarkCloud, 2 x Rhadamanthys)
ssdeep	49152:sxgdQFKC/PRoa3xPCX5VwIKAXsopRbC3fdS2C:zoyuCpVwIKw3GlS2C
Threatray	355 similar samples on MalwareBazaar
TLSH	T120E59E18AD69D0DAFDE305F17F2DA262B412AF3BCD28176350F8CB611245DDD123A26B
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Neiki
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e.exe

Verdict:

Malicious activity

Analysis date:

2025-08-14 11:37:16 UTC

Tags:

lumma stealer attachments attc-unc

Link:

https://app.any.run/tasks/6bb1f2f2-ea8c-4f13-b936-cff88f925a8b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/21335/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689dcd9b48c64d68735c5c18

Tags:

extens trojan packed

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Connection attempt to an infection source

Creating a window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/12b7c474-2976-4b8d-8461-ee33656592ca

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/c196fc5a29c362becd7cd20759d797d5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-13 18:44:21 UTC

File Type:

PE+ (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g35kxsibzsxspnoap4zh7ufbfwntkex37a4yfqondtvyrpxokzxa._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

LummaStealer

94d652a0381712a46483fc97eafcff63a7093bab28a18cda71a73da71bad21b8

LummaStealer

bfbfadc7a859737845d1c6ae06380f7b15fcbd74b15f9e18522c9d862a326d77

LummaStealer

cc38ae217a27510ee91b1db057f8eef6b8130bd78612fade76060e72587aacb3

LummaStealer

ce11ca94496f7d9fe85318314e88e2dbe000e87352c14f9685a7eb9ee2d5215a

LummaStealer

error

LummaStealer

+ 345 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250814-nzy7lat1ft/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://vaganetka.ru/opza/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/277f5664-495b-4656-9fe6-e9e2898b4ef3

Unpacked files

SH256 hash:

36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

MD5 hash:

c196fc5a29c362becd7cd20759d797d5

SHA1 hash:

d6446e4edcbdd46211201522ddd4185e2b594df6

Link:

https://www.unpac.me/results/c654e1a7-5797-415f-911f-ad31772c31d8/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36faabc901cc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://tip.neiki.dev/file/36faabc901ccaf27b5c07f327fd0a12d9b3512fbf83982c1cd1ceb88beee566e

Cape

https://www.capesandbox.com/analysis/21335/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample