MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877
SHA3-384 hash: 1c1161af298c1e6a0bcc7f718a4af3788dfcf138cecfb6107a41cee290a9996f677df4f28b80002edc75f507d16f40f6
SHA1 hash: eb838b94971d50bdea44d70f2b1c916c66c85297
MD5 hash: 502cb01007ae9c562bb5768a0d8a580d
humanhash: autumn-delta-burger-high
File name:mal3.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:94'382'203 bytes
First seen:2025-06-01 07:39:35 UTC
Last seen:2025-06-01 12:47:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:E0aeThJGomZYNaDi0PIzOGOJkkjFN6auItywihPHq4d0qKnoH:EHz+aDVOOJOkhcaXYRQto
TLSH T16D281255E7A5443EC325B11B319A72EBC7365DE332661BA945BABC03380F00F4B666B3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon c7d8f8d4c6c38092 (1 x LummaStealer)
Reporter GDHJDSYDH1
Tags:exe lumma LummaStealer spyware stealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
1'071
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mal3.exe
Verdict:
Malicious activity
Analysis date:
2025-06-01 07:33:04 UTC
Tags:
autoit autoit-loader telegram lumma stealer
Link:
https://app.any.run/tasks/c31115b5-66de-45b2-b629-ff0713bd0480

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683c024b668438e362e999e7
Tags:
phishing autoit emotet nsis
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Searching for the window
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
blackhole installer invalid-signature microsoft_visual_cc overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/683c03fd985349514e5f1718/reports/df5ccc13-57dc-4b9d-af31-1716883e65f7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1703257
Signature
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1703257 Sample: mal3.exe Startdate: 01/06/2025 Architecture: WINDOWS Score: 64 23 Multi AV Scanner detection for submitted file 2->23 25 Sigma detected: Search for Antivirus process 2->25 27 Joe Sandbox ML detected suspicious sample 2->27 7 mal3.exe 25 2->7         started        process3 process4 9 cmd.exe 4 7->9         started        file5 21 C:\Users\user\AppData\Local\...\Retrieved.com, PE32 9->21 dropped 29 Drops PE files with a suspicious file extension 9->29 13 cmd.exe 2 9->13         started        15 Retrieved.com 9->15         started        17 extrac32.exe 15 9->17         started        19 7 other processes 9->19 signatures6 process7
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-05-31 21:27:32 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h45ign5kiuneulcxxhdi33itixp2eflg36zaa74pah2iwactrb3q._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250601-jhw9fsvvbw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Checks computer location settings
Deletes itself
Executes dropped EXE
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://https://t.me/dasb12v3v12zxddf/api
https://buqtnw.digital/feo/api
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://thundeqqbw.bet/aznd
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6e76c7b-3c2c-4536-995d-1cb7ebadab3c
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3f3a8337aa45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 3f3a8337aa451a4a2c57b9c68ded1345dfa21566dfb2007f8f01f48b00538877

(this sample)

  
Link
https://tria.ge/250601-jdgyzaep71
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments