MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 51c33c759a4dce3025317f5be5ae94cb600f67d17d72458a603278c172b039a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LummaStealer
Vendor detections: 3
| SHA256 hash: | 51c33c759a4dce3025317f5be5ae94cb600f67d17d72458a603278c172b039a2 |
|---|---|
| SHA3-384 hash: | 495e51fc52c1e82fc12242caf999ee33444335cb88fdbe061bc861508416a669d4693cddc739feb477ce256b4f64620c |
| SHA1 hash: | 11ae80c6f792cfc3944fc1059307f8037c66e73a |
| MD5 hash: | bed125ebf5e4973f530ffbcb2466ab10 |
| humanhash: | west-ceiling-bluebird-potato |
| File name: | cx-programmer 9.1 free download full.7z |
| Download: | download sample |
| Signature | LummaStealer |
| File size: | 16'919'635 bytes |
| First seen: | 2026-04-01 08:08:57 UTC |
| Last seen: | Never |
| File type: | 7z |
| MIME type: | application/x-7z-compressed |
| Note: | This file is a password protected archive. The password is: 5332 |
| ssdeep | 393216:Fo1u3VIAvSZgy8XS+CPZWDl08hnJAJj4ib4zs4y1Ow7vdGzP:FgulIxl8XS+CPaDAJsicyEP |
| TLSH | T1210733B17C2C72E45779CD3F281E08EFA9779C0AE50A245EEE72741F58869D361F2824 |
| TrID | 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1) 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1) |
| Magika | sevenzip |
| Reporter |  aachum |
| Tags: | 7z CountLoader file-pumped LummaStealer msedge-vg pw-5332 |
iamaachum
https://media.ultranodecluster4.mom/cx-programmer+9.1+free+download+Full.zipCountLoader C2: https://msedge.vg
Intelligence
File Origin
# of uploads :
1
# of downloads :
83
Origin country :
ESFile Archive Information
This file is a password protected archive. The password is: 5332
This file archive contains 1 file(s), sorted by their relevance:
| File name: | cx-programmer 9.1 free download full.exe |
|---|---|
| Pumped file | This file is pumped. MalwareBazaar has de-pumped it. |
| File size: | 902'227'087 bytes |
| SHA256 hash: | e5da93a02b7e1faaab0041ca68750293d79ddbbd353eedad4de8618957f75f38 |
| MD5 hash: | 496e6e5e00656874012adce0091325bc |
| De-pumped file size: | 1'497'088 bytes (Vs. original size of 902'227'087 bytes) |
| De-pumped SHA256 hash: | bbdd32373a701742689d1b34d1597d6c4347758d91bea4e9cb4aa875237cd07c |
| De-pumped MD5 hash: | d913b865bbc2ee1a60390ed9d01d5872 |
| MIME type: | application/x-dosexec |
| Signature | LummaStealer |
Vendor Threat Intelligence
Gathering data
Verdict:
Clean
Score:
99.9%
Tags:
n/a
Verdict:
Unknown
File Type:
7z
Gathering data
Detection(s):
Suspicious file
Result
Malware family:
lumma
Score:
10/10
Tags:
family:lumma adware discovery persistence spyware stealer
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://centegn.cyou
https://egyptnf.click/xxx
https://familbg.club/help
https://genusne.click/caccc
https://mobbyyt.club/info
https://lumpeem.quest/main
https://thundut.biz/create
https://workltt.quest/owner
https://watchhr.biz/manifest
https://egyptnf.click/xxx
https://familbg.club/help
https://genusne.click/caccc
https://mobbyyt.club/info
https://lumpeem.quest/main
https://thundut.biz/create
https://workltt.quest/owner
https://watchhr.biz/manifest
Dropper Extraction:
https://msedge.vg
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | command_and_control |
|---|---|
| Author: | CD_R0M_ |
| Description: | This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerException__SetConsoleCtrl |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectGoMethodSignatures |
|---|---|
| Author: | Wyatt Tauber |
| Description: | Detects Go method signatures in unpacked Go binaries |
| Rule name: | Detect_Golang_Binary |
|---|---|
| Author: | Andrew Morrow |
| Description: | Detects binaries compiled with Go |
| Rule name: | GoBinTest |
|---|
| Rule name: | golang |
|---|
| Rule name: | Golangmalware |
|---|---|
| Author: | Dhanunjaya |
| Description: | Malware in Golang |
| Rule name: | goLangMatch3 |
|---|
| Rule name: | goLangMatch4 |
|---|
| Rule name: | golang_binary_string |
|---|---|
| Description: | Golang strings present |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | Golang_Find_CSC846 |
|---|---|
| Author: | Ashar Siddiqui |
| Description: | Find Go Signatuers |
| Rule name: | Golang_Find_CSC846_Simple |
|---|---|
| Author: | Ashar Siddiqui |
| Description: | Find Go Signatuers |
| Rule name: | HiveRansomware |
|---|---|
| Author: | Dhanunjaya |
| Description: | Yara Rule To Detect Hive V4 Ransomware |
| Rule name: | PE_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | ProgramLanguage_Golang |
|---|---|
| Author: | albertzsigovits |
| Description: | Application written in Golang programming language |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | Suspicious_Golang_Binary |
|---|---|
| Author: | Tim Machac |
| Description: | Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific) |
| Rule name: | ThreadControl__Context |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE |
|---|---|
| Author: | CYFARE |
| Description: | Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments |
| Reference: | https://cyfare.net/ |
| Rule name: | VECT_Ransomware |
|---|---|
| Author: | Mustafa Bakhit |
| Description: | Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments. |
| Rule name: | win32_lumma_stealer |
|---|---|
| Author: | Reedus0 |
| Description: | Rule for detecting LummaStealer malware |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
LummaStealer
7z 51c33c759a4dce3025317f5be5ae94cb600f67d17d72458a603278c172b039a2
(this sample)
exe Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.