MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48
SHA3-384 hash:	692d2049acf352f56d3919fbf1c15429c960da49f6a5d30ebdde28bfe35c24f76520aaa1869b40b01c0e43858fca636c
SHA1 hash:	f17e749e2c637f1bd8318a3bf15473a2b7643c5e
MD5 hash:	f513a2ed8a51b4b35685410cb50102be
humanhash:	jig-solar-hot-fix
File name:	2025-08-17_f513a2ed8a51b4b35685410cb50102be_black-basta_cobalt-strike_cryptbot_luca-stealer_satacom_vidar.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	4'330'928 bytes
First seen:	2025-08-18 12:38:55 UTC
Last seen:	2025-08-18 12:38:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep	98304:zziJr0Hwom0SQ46PYoBqT1DjJsyiYaIySqaW9:zzgr0HLTT7RBqdSxvam
Threatray	612 similar samples on MalwareBazaar
TLSH	T1D6162315E7E901F9F0B39674CA629D12DAB37C5E033286DF13E457962F272A0DE29321
TrID	92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10522/11/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 0.7% (.EXE) OS/2 Executable (generic) (2029/13) 0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	zhuzhu0009
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9551b518-40c0-4ed5-97f2-376fb0c56fcd

Verdict:

Malicious activity

Analysis date:

2025-08-18 12:42:29 UTC

Tags:

autoit lumma stealer

Link:

https://app.any.run/tasks/9551b518-40c0-4ed5-97f2-376fb0c56fcd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21948/

Detection(s):

SecuriteInfo.com.BackDoor.RevetRat.2.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a31f1bc2f5296a1a2825f2

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm blackhole expand fingerprint installer large-file lolbin microsoft_visual_cc overlay overlay packed redcap sfx threat

Link:

https://www.filescan.io/uploads/68a31f80a4bdac9f5b9bf679/reports/71d6a5e3-8e13-4077-b3d3-c35b41ac10da/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fa3ff14b-5067-4ff8-9afb-8a7a9802f494

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

AutoIt Executable PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) Win 64 Exe x64

Link:

https://app.malva.re/file/f513a2ed8a51b4b35685410cb50102be

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48/

Threat name:

Win64.Spyware.Lummastealer

Status:

Malicious

First seen:

2025-08-12 13:17:00 UTC

File Type:

PE+ (Exe)

Extracted files:

106

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=npa4ihqfncs5fvyhghlvoe62mytt4hsucnd6fo2cuidatlfz7jea._file

Verdict:

malicious

Label(s):

unc_loader_058

LummaStealer

160a3c92e951e6185506aab0c2b8c2a1889ec4e8990fb28e0291d3261c61606e

LummaStealer

d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668

LummaStealer

dddbfe676a237215b06701ba41918949a439bccbcf06e167c1734f1c00def3e2

LummaStealer

e71fc1170426b7f5407b292a1b880a1bf5475b7990af6ddf4b82312fc2da6611

LummaStealer

error

LummaStealer

+ 602 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250818-pw1rpatvez/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://vishneviyjazz.ru/neco
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b85003da-d411-47fc-a5d8-54dc7a91780e

Unpacked files

SH256 hash:

6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48

MD5 hash:

f513a2ed8a51b4b35685410cb50102be

SHA1 hash:

f17e749e2c637f1bd8318a3bf15473a2b7643c5e

Link:

https://www.unpac.me/results/70232a25-cb38-44d5-84c6-888ffb74f6ed/

SH256 hash:

4b4d7e15c59eff9c9ef722d7a0b3d3efb01c7f65d1645f4dacbe1e6c3bad82dd

MD5 hash:

19c56ac25634c8e8b34d99d9865ca2cb

SHA1 hash:

9eda6a2cb4b5e1beff1083bdba0ca037eef1f8f6

Link:

https://www.unpac.me/results/70232a25-cb38-44d5-84c6-888ffb74f6ed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6bc1c41e0568a5d2d70731d75713da66273e1e541347e2bb42a20609acb9fa48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21948/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample