MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15



SHA256 hash: 51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29
SHA3-384 hash: c0f39e7153ab10b71638cbf0918ba084359ec399fbbe6ed96af0004215fb3454b4bafd571527fa313e133513f3866851
SHA1 hash: d19f6c1e00a8231f2e9b6939743f673c63c6346c
MD5 hash: 8a6c719cf97003955c89cbb7221851ef
humanhash: romeo-yellow-apart-alaska
File name: Latesten-v.winx--Setup.exe
Signature LummaStealer
File size: 10'485'743 bytes
First seen: 2025-07-17 20:22:47 UTC
Last seen: 2025-07-18 19:33:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:+0aFvzHzO/pTE7RfX7mu7r3DOpGMenAf/GzWubiCJ8cT0+WIRjqx:+3bQpTIR/7VDoyzWubiCJZ0+LG
TLSH T167B65432B2A1138CB1921142E29577F297889A439BE145FF59E46FDC40D10FAB78A73F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon a5ba1b999b9a1ad8 (1 x LummaStealer)
Reporter aachum
Tags: AutoIT CypherIT exe LummaStealer


iamaachum
https://0t7jhlvj090525i4.cfd/ctm_content-0d177b7484cc2825cb2f33963d91373c/filemir_687956719bb28/?partner=294&pg=0&file=&q=FL-Studio-Crack-24-1-2---License-Key-2024-Full-Version-Download => https://mega.nz/file/2nhnBaba#fuzb0YhN1kKLyCwsVR0Vs9QEtbYsMrC4BTUjE3bjNxE

Intelligence


File Origin
# of uploads :
2
# of downloads :
43
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Latesten-v.winx--Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-17 20:38:24 UTC
Tags:
autoit lumma stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Creating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Result
Threat name:
LummaC Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) Win 32 Exe x86
Verdict:
Malicious
Threat:
trojan.darkgate/filerepmalware
Threat name:
Win32.Spyware.Lummastealer
Status:
Suspicious
First seen:
2025-07-17 20:23:12 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
14 of 37 (37.84%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://neutee.pics/aknx
https://gigohe.top/diau
https://unxyng.top/zpld
https://trbxlj.top/atiw
https://annwt.xyz/xkan
https://blihlo.shop/atkg
https://gehkmx.top/xkaj
https://sacrp.top/amnt
https://dktnd.top/xuqi
Unpacked files
SHA256 hash:
51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29
MD5 hash:
8a6c719cf97003955c89cbb7221851ef
SHA1 hash:
d19f6c1e00a8231f2e9b6939743f673c63c6346c
SHA256 hash:
091f39dc98817c130a49432a60e9fb831811f7a43d9343a93426504339229159
MD5 hash:
438b643b2ba7be06b43d3df035eb4f67
SHA1 hash:
6c596788a8c977db0383bc875f1d9afb8c72f9e2
SHA256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
SHA256 hash:
222e0cdbe022be9bb3b4ea0943036d1c8b78f29f093963a74b063737d8893709
MD5 hash:
0e6cd048a76adde6c723f8a4e01dcc6f
SHA1 hash:
6221eae90b2fac479c60c6a68785ae63bd2c806e
Detections:
AutoIT_Compiled
Parent samples :
SHA256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29

(this sample)

  
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments