MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a
SHA3-384 hash: 77261ebf62fc4071e69cda6d439947fe5682e34b97397d3e04db89e7f47b8c103df9df98da5eeab5732c3602bcc93b9e
SHA1 hash: ce95ce9704be9e340821fd0380140ff14bff9d3f
MD5 hash: c8c833ed296169638b87d7892ea77903
humanhash: hotel-double-saturn-beryllium
File name:recuva_professional__technician_(2024)_full_español_[mega].exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'152'960 bytes
First seen:2026-03-19 06:10:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (99 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 24576:X1+K3zHq53ore3heCycg3M7wFS8kKLlIJxtyKnl9Wx2MREakEY3+Dn/td1fQPiB4:YwHq5YrgjNkWKAxt7n7ADnL1oKBT7
TLSH T197A523063654D161C87407B4E9F1C1F316723C65CBA436AB32E4BE3F7B721A46A36B1A
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:de-pumped exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/b1cdcbf0-96b0-4d0d-a995-9fbb56efb6f6/
Malware family:
n/a
ID:
1
File name:
recuva_professional__technician_(2024)_full_español_[mega].exe
Verdict:
Malicious activity
Analysis date:
2026-03-19 06:12:24 UTC
Tags:
autoit stealer lumma fingerprinting
Link:
https://app.any.run/tasks/e8276ffe-c745-4a23-8c09-e93622fda3bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58082/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bb938593b644ca466b8e69
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending an HTTP POST request
Сreating synchronization primitives
Launching the process to create tasks for the scheduler
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context at autoit CAB explorer installer installer installer-heuristic lolbin microsoft_visual_cc obfuscated packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69bb93824ec2f522cc4ed328/reports/e92c9a2c-390b-4016-9759-10e390dae2b6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a
Verdict:
Malicious
File Type:
exe x64
Detections:
Backdoor.Agent.UDP.C&C VHO:Trojan-PSW.Win32.Lumma.absy Trojan-PSW.Stealerc.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/393519de-9318-474c-a76f-2b44a5cda04c
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1886133
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected CypherIt Packer
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to access browser extension known for cryptocurrency wallets
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886133 Sample: recuva_professional__techni... Startdate: 19/03/2026 Architecture: WINDOWS Score: 100 61 wnvtXTFVvaWK.wnvtXTFVvaWK 2->61 63 silverhost.vg 2->63 65 genuscs.cyou 2->65 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Antivirus detection for URL or domain 2->87 89 5 other signatures 2->89 11 recuva_professional__technician_(2024)_full_espa#U00f1ol_[mega].exe 1 8 2->11         started        14 mshta.exe 15 2->14         started        16 mshta.exe 2->16         started        signatures3 process4 signatures5 99 Uses schtasks.exe or at.exe to add and modify task schedules 11->99 18 cmd.exe 1 11->18         started        21 at.exe 1 11->21         started        101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->101 103 Tries to access browser extension known for cryptocurrency wallets 14->103 105 Writes or reads registry keys via WMI 14->105 23 WmiPrvSE.exe 14->23         started        process6 signatures7 77 Detected CypherIt Packer 18->77 79 Uses ping.exe to sleep 18->79 81 Uses ping.exe to check the status of other devices and networks 18->81 25 cmd.exe 3 18->25         started        28 conhost.exe 18->28         started        30 cmd.exe 1 18->30         started        32 PING.EXE 1 18->32         started        34 conhost.exe 21->34         started        process8 file9 59 C:\Users\user\AppData\Local\...\Molecules.exe, PE32 25->59 dropped 36 Molecules.exe 25->36         started        40 cmd.exe 1 25->40         started        42 cmd.exe 1 25->42         started        44 4 other processes 25->44 process10 dnsIp11 67 genuscs.cyou 37.77.150.150, 443, 49696, 49701 OBIT-KZ-ASObitTelecommunicationsKazakhstannetworkRU Russian Federation 36->67 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->91 93 Query firmware table information (likely to detect VMs) 36->93 95 Tries to steal Mail credentials (via file / registry access) 36->95 97 7 other signatures 36->97 46 mshta.exe 1 15 36->46         started        50 chrome.exe 36->50         started        52 findstr.exe 1 40->52         started        signatures12 process13 dnsIp14 75 silverhost.vg 176.65.132.144, 443, 49731, 49732 DIOGELO-ASGB Germany 46->75 107 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 46->107 109 Tries to access browser extension known for cryptocurrency wallets 46->109 111 Writes or reads registry keys via WMI 46->111 54 chrome.exe 50->54         started        57 chrome.exe 50->57         started        signatures15 process16 dnsIp17 69 192.168.2.5, 138, 443, 49675 unknown unknown 54->69 71 www.google.com 142.251.153.119, 443, 49714 GOOGLEUS United States 54->71 73 genuscs.cyou 54->73
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mmdg2zbxpyyuxq2lpyrfpeidet4mu466vhxucwdn627fpbpoq2fa._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence stealer
Link:
https://tria.ge/reports/260319-gxqzwahw5s/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates processes with tasklist
Adds Run key to start application
Executes dropped EXE
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://genuscs.cyou
https://egyptnf.click/xxx
https://familbg.club/help
https://genusne.click/caccc
https://mobbyyt.club/info
https://lumpeem.quest/main
https://thundut.biz/create
https://workltt.quest/owner
https://watchhr.biz/manifest
Unpacked files
SH256 hash:
63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a
MD5 hash:
c8c833ed296169638b87d7892ea77903
SHA1 hash:
ce95ce9704be9e340821fd0380140ff14bff9d3f
Link:
https://www.unpac.me/results/7b756342-94f7-4f46-a0b4-d280d3692a2a/
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63066d64377e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

7z 6c56d77d3a3b8c42a14d23bc26b816ce3ccaa4a99cf1fda4d41e759ad164c543

LummaStealer

Executable exe 63066d64377e314bc34b7e2257910324f8ca73dea9ef41586df6be5785ee868a

(this sample)

  
Dropped by
MD5 9e6f7f0e1f0fc37614afeb445f36ef02
  
Dropped by
SHA256 6c56d77d3a3b8c42a14d23bc26b816ce3ccaa4a99cf1fda4d41e759ad164c543
Cape
Cape
https://www.capesandbox.com/analysis/58082/

Comments