MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1
SHA3-384 hash:	32b001278218331e71c7418fa73af73cfda09d5adb840deeb325a2e68f31e26517d494533dc4adf023bf9f679513d123
SHA1 hash:	5e17a81d152ac6a3b9a8ac4cd488315e1dd15f83
MD5 hash:	077a1ca0ba79fe1230d5ca8d949e5a58
humanhash:	muppet-mango-cold-arkansas
File name:	setup_patched.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'509'888 bytes
First seen:	2025-04-09 23:07:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	302282537de3b214b217506cb528553c (2 x LummaStealer)
ssdeep	24576:kjXWEUPrpyMPLkWyE0SpJS+KCgZ7BpVnSyJc92I7AOYn+ulzwJo5DkbC6vXOc8UW:0atrEltVSp2I7Ah+wzwnHvOAQr
Threatray	1 similar samples on MalwareBazaar
TLSH	T13C658E23B6C66C3AE05E0A364973A625953F6651A51E8D1FF7FC0888CF252402F3B677
TrID	64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.9% (.EXE) Win32 Executable (generic) (4504/4/1) 3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) 3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	aachum
Tags:	de-pumped exe LummaStealer

iamaachum

https://fine-download.click/?Lp1VD7hd58vinAWFGmgxQc2JU6ftNTuErY3XqOwI=L9kSU2vxs7Q0HRgaTrZ8V5MyuK6WOJINnY1C3Fblhej=1JiylvTLFHrxubpaDsoen70XCStKVO54YR2EPQmBjhfcgzN&h=131 => https://mega.nz/file/z5AmyJqL#ycKdr5HHjQAicDJabD2ZNvrJkxOrWvNDjTPWATDOB2Y

Intelligence

File Origin

# of uploads :

# of downloads :

487

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_patched.exe

Verdict:

Malicious activity

Analysis date:

2025-04-09 22:56:29 UTC

Tags:

lumma stealer loader

Link:

https://app.any.run/tasks/0ea982b8-9226-43a0-a9a0-b480b352d58f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/1423/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f6fb1df9ba909217ce490c

Tags:

virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi explorer fingerprint lolbin overlay

Link:

https://www.filescan.io/uploads/67f6fdd9b070fb3f9461692f/reports/d247a336-e0a1-4b82-a6f2-b76108946b84/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fb2ea440-5f35-42b4-8b75-6bf7095ce316

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1661281

Signature

Antivirus detection for URL or domain

Contains functionality to modify windows services which are used for security filtering and protection

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2025-04-09 22:56:30 UTC

File Type:

PE (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m2uvce7cvbsdmtetgx47aqqzhled7dqyow7azd7rhk5jm3lhaxqq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

error

LummaStealer

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250409-24krnavxcs/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Checks installed software on the system

Reads user/profile data of local email clients

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://freshenqew.digital/wpoo
https://jrxsafer.top/shpaoz
https://plantainklj.run/opafg
https://puerrogfh.live/iqwez
https://quavabvc.top/iuzhd
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://rambutanvcx.run/adioz
https://p6ywmedici.top/noagis

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6bb560b9-6d46-475d-89bf-15be03066d22

Unpacked files

SH256 hash:

66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1

MD5 hash:

077a1ca0ba79fe1230d5ca8d949e5a58

SHA1 hash:

5e17a81d152ac6a3b9a8ac4cd488315e1dd15f83

Link:

https://www.unpac.me/results/73f6c4fc-24ed-4b24-8730-5bfce1b35a3c/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/66a95113e2a8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

7z 21d9328f56233b026c0fa5ab3ed885e6c07f356fcbc32fe47c6125434929345c

LummaStealer

exe 66a95113e2a864364c9335f9f042193ac83f8e1875be0c8ff13aba966d6705e1

(this sample)

exe 2591b5272080358c5c6c85483f6e2219db00449bb3e0c84f061734bf53c64677

Link

https://tria.ge/250409-2t6alsvky7/behavioral1

Dropped by

SHA256 21d9328f56233b026c0fa5ab3ed885e6c07f356fcbc32fe47c6125434929345c

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/1423/

Dropping

SHA256 2591b5272080358c5c6c85483f6e2219db00449bb3e0c84f061734bf53c64677

Dropping

MD5 7066e5469854529606279d403bba0540

Dropped by

MD5 48ccd17cc8cb7aa1c2d3f7537adffb40

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::DuplicateTokenEx advapi32.dll::SetSecurityDescriptorDacl
WIN32_PROCESS_API	Can Create Process and Threads	advapi32.dll::CreateProcessAsUserW kernel32.dll::CreateProcessW kernel32.dll::OpenProcess advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle winhttp.dll::WinHttpCloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetVolumeInformationW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::CreateFileMappingW kernel32.dll::DeleteFileW kernel32.dll::MoveFileExW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::QueryDosDeviceW
WIN_HTTP_API	Uses HTTP services	winhttp.dll::WinHttpConnect winhttp.dll::WinHttpOpenRequest winhttp.dll::WinHttpOpen winhttp.dll::WinHttpQueryDataAvailable winhttp.dll::WinHttpQueryHeaders winhttp.dll::WinHttpReadData
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegConnectRegistryW advapi32.dll::RegCreateKeyExW advapi32.dll::RegDeleteKeyW advapi32.dll::RegLoadKeyW advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryInfoKeyW
WIN_SOCK_API	Uses Network to send and receive data	ws2_32.dll::WSACreateEvent
WIN_SVC_API	Can Manipulate Windows Services	advapi32.dll::ChangeServiceConfig2W advapi32.dll::ControlService advapi32.dll::CreateServiceW advapi32.dll::OpenSCManagerW advapi32.dll::OpenServiceW advapi32.dll::QueryServiceStatus
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample