MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010
SHA3-384 hash:	0d22a42371369174dcf77edba469ab5ff5053115cf0600a31d9f74bc4730a8968a71f9aa30550e898132958fff620094
SHA1 hash:	30b54d67476bb532b12dfde6fc46285116963263
MD5 hash:	b65d78b4fc76ba986d2207ae21de2160
humanhash:	nineteen-shade-ohio-texas
File name:	setup.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	99'614'716 bytes
First seen:	2025-08-23 06:46:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c32ba42c73a2bc24d2788f7750d87edb (45 x LummaStealer, 37 x Rhadamanthys, 3 x Vidar)
ssdeep	24576:bLXJZAju6jeKUNsMdfY0fIu7HvqBqZs7j1D91apxS3/ys2aTVMLYV8BCbEHw9:LA30ZzbwqpxZtmVwYUJ8
Threatray	934 similar samples on MalwareBazaar
TLSH	T191282BB0EB2C7774087728C7F9427267B033D0FDE19362421ABEE81C717A62F195A659
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	0878607170747070 (1 x LummaStealer)
Reporter	4k95m
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://geeky-gadgets.cc/dv/

Verdict:

Malicious activity

Analysis date:

2025-08-22 18:27:28 UTC

Tags:

lumma stealer autoit arch-exec

Link:

https://app.any.run/tasks/78e54a9e-b15f-411b-b10e-542029cf7278

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a9641ee9d9dbcfd96d30e8

Tags:

phishing autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Searching for the window

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a process from a recently created file

DNS request

Connection attempt to an infection source

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay overlay

Link:

https://www.filescan.io/uploads/68a963f94a87ed796768edd7/reports/06ae5af8-4458-423b-8292-3559f04970d3/overview

Verdict:

Suspicious

Labled as:

NSIS_Runner_RT

Link:

https://www.hybrid-analysis.com/sample/6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-22T11:47:00Z UTC

Last seen:

2025-08-22T11:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010/results?tab=lookup

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010

Gathering data

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-22 20:02:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6sr4tzuwnuoqwio7h6nwrwt3b5h5cp7iqehj2hb43lizdsokaia._file

Verdict:

malicious

Label(s):

unc_loader_058

LummaStealer

1695039099cdff9bf78f8314bf8b64788b020b5547993ec2c9ec524ad2a4a497

LummaStealer

27a03db1d81c43e4841b70ac590b3d7d6550b1a578f0edd99fbbf164a748390f

LummaStealer

2d04c13fd74da6be1a58c55a30a2b753656d6a1aa1b0c6d426fe861f37de47c3

LummaStealer

6a232c8c2bbdc5d00a6d2aad9e9d748b9f2b02fe0bb158da3ba41f0563ecf54f

LummaStealer

9d1fb3557af008bd1c383ef15f5870f78c6f299ea23781c6b5326d602644fe68

LummaStealer

c3564545a61a551a4438e7aab2513047fbbd9ea057adfaac995f4e5df974d5b3

LummaStealer

ca7a1bd1d8a5514ec743b1a43663a2a4eacefb4aea8c31ef6cfc682c3f3a69df

LummaStealer

d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218

LummaStealer

e97817e3aab6079cc0ecdd4c10d3e056e9a20af2bb91555608490c61af27b31e

LummaStealer

error

LummaStealer

+ 924 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250823-hj451stjt6/

Behaviour

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Modifies trusted root certificate store through registry

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://shagkeg.ru/xkzd
https://mastwin.in/qsaz
https://tiltyufaz.ru/tlxa
https://runmgov.ru/tixd
https://semipervaz.ru/xued
https://capitalior.ru/akts
https://retrofik.ru/jgur
https://copulardi.ru/xhza

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 6fa51e4f34b368e8590ef9fcdb46d3d87a7e89ff440874e8e1e6d68c8e4e5010

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample