MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5b2ae91379b8069c04c6639bb0bca5ddea0dde567bea8cb9bc9822b9cdda0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash: 4e5b2ae91379b8069c04c6639bb0bca5ddea0dde567bea8cb9bc9822b9cdda0d
SHA3-384 hash: 24b4e41af2b70cf7f11c08100ff34b3b9013ecf065f89ff410ed9c4c9edf2701d4eee47f9d57f8cb603f3fdb592307c1
SHA1 hash: f680fbbf487f61c9bd231e48f83a9e1c092ceb6a
MD5 hash: b07f16a3b524017d20d360823c09b956
humanhash: alanine-avocado-pip-burger
File name:nadapp.exe
Download: download sample
Signature LummaStealer
File size:1'100'041 bytes
First seen:2026-07-02 17:12:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (49 x GuLoader, 31 x RemcosRAT, 21 x AgentTesla)
ssdeep 24576:iw+tSVHEX47Z8E/X0xZ0Id+7IsJSa/aqGK1CIOJC1+0sPiB4HM:n+ekXkQvPd+3JS1+1CQpbB4s
TLSH T1BF3523C1314084D7FFF395791867CF9BD4A49D5086B4A34B03E13B8AA4F28D7BB2A625
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon aa59b8aad98ae9c9 (1 x LummaStealer)
Reporter Alex_sev
Tags:Downloader exe LummaStealer sabsik sloader vbs

Intelligence


File Origin
# of uploads :
1
# of downloads :
183
Origin country :
AU AU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://tmpfiles.org/w7wEdJhpGp9U/nadapp.exe
Verdict:
Malicious activity
Analysis date:
2026-06-21 06:51:07 UTC
Tags:
fingerprinting possible-phishing loader lumma stealer golang ip-check

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
corrupt xtreme virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
DNS request
Connection attempt
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug downloader installer installer installer-heuristic lolbin microsoft_visual_cc nsis powershell reconnaissance wscript
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-21T07:16:00Z UTC
Last seen:
2026-07-04T10:00:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Injuke.gen
Verdict:
Malware
YARA:
5 match(es)
Tags:
Batch Command DeObfuscated Executable NSIS Installer Obfuscated PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) PowerShell PowerShell Call Scripting.FileSystemObject T1059.005 VBScript Win 32 Exe WScript.Shell x86
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2026-06-21 12:12:09 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
26 of 36 (72.22%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery execution persistence ransomware spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
4e5b2ae91379b8069c04c6639bb0bca5ddea0dde567bea8cb9bc9822b9cdda0d
MD5 hash:
b07f16a3b524017d20d360823c09b956
SHA1 hash:
f680fbbf487f61c9bd231e48f83a9e1c092ceb6a
SH256 hash:
9af82d47d035f9178e520977a6dd3ce7e12b1f2ecf4b59c69b1827e6af644b83
MD5 hash:
823ca58bffca3d0df63286dbcbc36df8
SHA1 hash:
24f1a19a448b59d26b3625ca9c19a072a0562707
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:telebot_framework
Author:vietdx.mb
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments