MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5490dc64bd49f7e57bea3f5f5b885bd439558921f2d7fed8a08768845d12fbbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash: 5490dc64bd49f7e57bea3f5f5b885bd439558921f2d7fed8a08768845d12fbbe
SHA3-384 hash: 91847f1632dd3dc68223b72806a5cd92469afc886bad698da95b218c93c71dc8de0266d5b76ee516f662ee6e348ace6a
SHA1 hash: cf62ddac9123f80e369e5fcb4d8b90dd19855d61
MD5 hash: 876ab7df5a06948e6d87879e46614254
humanhash: nevada-pasta-sink-september
File name:bleweed.exe
Download: download sample
Signature LummaStealer
File size:2'832'912 bytes
First seen:2026-01-08 07:15:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:Xv8FRj/nUjHcrNtCdiCNT7D+J1wmJyPHJv2EzxUOOAGZAmksFYnnl:XQRQ8rNKiCdcatXzxnJGZAm7
TLSH T1A9D5CF962467AB7BE0D310F18463827149E42DA74EE04C5F607AF16E523583E79EF32E
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon f0d0acd0d8acd4f0 (1 x AsyncRAT, 1 x LummaStealer)
Reporter mshakeel
Tags:c2 Defense Evasion exe LummaStealer signed

Code Signing Certificate

Organisation:ArcaneStream-OrbitPeak-DataTech
Issuer:ArcaneStream-OrbitPeak-DataTech
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-03T10:30:19Z
Valid to:2028-01-04T10:30:19Z
Serial number: 857a7ecf1cea592d
Thumbprint Algorithm:SHA256
Thumbprint: 477e9eef0946b4338d85a18c222cc2d358be18a9b3afdf51503531e25ffbea56
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
mshakeel
I came across this while I was browsing royalcert.com to verify a certificate. The website redirected me to a fake cloudflare verification which in turn downloaded a script to be executed on Windows PC and downloads and executes the attached file.

Intelligence


File Origin
# of uploads :
1
# of downloads :
175
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
bleweed.exe
Verdict:
Malicious activity
Analysis date:
2026-01-08 08:03:11 UTC
Tags:
lumma stealer fingerprinting

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
injection phishing virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-08T04:56:00Z UTC
Last seen:
2026-01-10T03:07:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Lumma.aaai PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.sb
Gathering data
Threat name:
Win32.Spyware.Lummastealer
Status:
Malicious
First seen:
2026-01-08 08:02:00 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
lummastealer
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://arrierzh.cyou/api
https://whitepepper.su/asds
https://hammernew.su/asdase
https://heavylussy.su/ccvfd
https://broguenko.su/asfase
https://homuncloud.su/ascasef
https://familyriwo.su/fssdaw
https://izzardtow.su/cascasc
https://basilicros.su/asdasq
Verdict:
Malicious
Tags:
Win.Packed.njRAT-10027743-0
YARA:
n/a
Unpacked files
SH256 hash:
5490dc64bd49f7e57bea3f5f5b885bd439558921f2d7fed8a08768845d12fbbe
MD5 hash:
876ab7df5a06948e6d87879e46614254
SHA1 hash:
cf62ddac9123f80e369e5fcb4d8b90dd19855d61
SH256 hash:
c07f079901912a1a2ed00263f45a3fa3e48a720ce263e0697260c4a4695e9d66
MD5 hash:
c9e833fcf9c77d630bfd3b56b175898c
SHA1 hash:
9028c6bfb503fd3c5ce383889daed537be48de02
Detections:
LummaStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_no_import_table
Description:Detect pe file that no import table

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 5490dc64bd49f7e57bea3f5f5b885bd439558921f2d7fed8a08768845d12fbbe

(this sample)

Comments