MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a
SHA3-384 hash: 301e1d2c90362ea5d9932dad8c61d59f52b33af19fb9f34ff0b87410bb6b86e58c24a26f5141a210429a601f08270cc7
SHA1 hash: 1f9ffef0cfa3d2bd97a98135df8ed207df73a8b0
MD5 hash: a48f03bf1ee28b7cf10fe4c650077740
humanhash: carbon-kentucky-butter-freddie
File name:2025-08-17_a48f03bf1ee28b7cf10fe4c650077740_black-basta_cobalt-strike_cryptbot_luca-stealer_satacom_vidar.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:12'025'840 bytes
First seen:2025-08-18 12:38:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep 196608:zzj26KcDLzwTmZ1wejzJU1lMDM/78B5MmvTP8uyh70a0j5EFF7bELF/594f4VzZ9:K6KEzFZ2AJU//9m7P8jBaoRYLt5mf4VL
Threatray 615 similar samples on MalwareBazaar
TLSH T1DFC63355E6FC01F4D877A2788A9A4D13F3BA3C450758D38F07A967462F372A4AD29B30
TrID 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zhuzhu0009
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4fed859e-cb19-4607-8cba-dce7160c36b7
Verdict:
Malicious activity
Analysis date:
2025-08-18 12:49:59 UTC
Tags:
lumma stealer autoit telegram
Link:
https://app.any.run/tasks/4fed859e-cb19-4607-8cba-dce7160c36b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21943/
Detection(s):
SecuriteInfo.com.BackDoor.RevetRat.2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a31ee0c2f5296a1a28256e
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4fbd06e0-9f7f-4b13-8f10-43e7a10df733
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) SVG Win 64 Exe x64
Link:
https://app.malva.re/file/a48f03bf1ee28b7cf10fe4c650077740
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a/
Threat name:
Win64.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-12 09:07:00 UTC
File Type:
PE+ (Exe)
Extracted files:
253
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkudlzhwb3zsoutgnjch3ryvyum4jaepwt7tdnitup2dmjigqsna._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
0cf6212d1f5a46d4ddebdaa4dea81e0cdff6ea3f81a41edff6b3cb8cc333bbff
LummaStealer
5f3675761016548372c9daa01d58cbdfce0510283ada6eaf9463d4161d09fa4c
LummaStealer
b808a450da812d5bd1eea8d1baae5f3bd4abf8bd36bc8569c9e2d75f687dd76c
LummaStealer
d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668
LummaStealer
error
LummaStealer
fa135fee9b275129626848260c3be11f5b4cf2620c3d29388d17bc5d80f2108f
LummaStealer
+ 605 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer trojan
Link:
https://tria.ge/reports/250818-pvtxragj6v/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Modifies trusted root certificate store through registry
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/erfkfj3j9f
https://panlos.forum/fudx
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2db255c5-d13a-4035-8254-e0046f8f5f66
Unpacked files
SH256 hash:
4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a
MD5 hash:
a48f03bf1ee28b7cf10fe4c650077740
SHA1 hash:
1f9ffef0cfa3d2bd97a98135df8ed207df73a8b0
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
2481b4487992e9b98a330c3ec8d85272841d947e0e82d5305cb0fa39a4c1f1f7
MD5 hash:
5b891be7bf1d98acf47b8fcaabc6ca09
SHA1 hash:
b489b787a45c970bde92714a2bfabcae1bd9c6dc
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
52416bb8275988aa5145be6359b6c6a92e3c20817544682c2c1978b50ff2052c
MD5 hash:
a341d9bfaae6a784cb9e2ea49c183fb4
SHA1 hash:
d061c12dffa6a725f649dae49c99f157e93bb175
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
5883d041c5f5020ac4b66314d5f89cb6331db3c4ec1c912f72b3ebb9aa8c41e2
MD5 hash:
449bf7a46490fa07881d969b6d52c0f1
SHA1 hash:
e520a8318e867c7840e6deadef36abcdf2894417
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
739c063a600d6e462042939fec77535a5d4c94c6bdbe3da61bb4ab670c341577
MD5 hash:
39bf9e72a5dd7763ccd461571107438a
SHA1 hash:
e27e3bdcbb11bce1a30b989ca59801c9fccc7a24
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e
MD5 hash:
b77eeaeaf5f8493189b89852f3a7a712
SHA1 hash:
c40cf51c2eadb070a570b969b0525dc3fb684339
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
SH256 hash:
dbefec15acb08e0312e1c0693da98d1b246b0863e250da5cab8aaf506f8486c6
MD5 hash:
8adb474b17dc4ec1a2994c73ac10954a
SHA1 hash:
8acad12914a3de7780ce1e38e9fcc6d5c62dced8
Link:
https://www.unpac.me/results/1d448cd8-249d-4832-8dbb-19872f8f6048/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4aa835e4f60ef32752666a447dc715c519c4808fb4ff31b513a3f4362506849a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21943/

Comments