MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fc950aadfe73f097adcb76a2c4f9269aebf5849454daa3a3e31937445c37237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fc950aadfe73f097adcb76a2c4f9269aebf5849454daa3a3e31937445c37237
SHA3-384 hash: fd6dc7f35f41e3a88763b045d41ed5f9d983089bb2e106cc7ab6b3f571ee538652cb6a5858749bbb36fbb7d327cbf75c
SHA1 hash: 3fc7291b624669e2af9f91651dc09cedbedcd564
MD5 hash: 407e00c0bf76c2c409457f6147bd6a56
humanhash: gee-twenty-neptune-comet
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:93'323'280 bytes
First seen:2025-08-03 19:23:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:hLNyl0d6uh6Wxc6qHRH1JQxV/ahJ13Mz4UtwW6eh7ZS:5sqc6qxVJmSVgon
TLSH T16F1892892E7C93BD8E320717A9BDBF53DB196FEB22D4A289610107C5775042C879CE6C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 8039e992a8f137a4 (1 x LummaStealer)
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://filesecuresources.xyz/?6SwTbtna4NpLo1eAO2lFUEJYViMsvr8GC5c7kPQ3=cAH1yWOaUGu4ilvq3LkmsoXS76bCF8xp9In5gRDPMJK=oUaergbYXNwh5RSOvEMq2Hjl6Isk9nTWQdL3AC7mB8cDxuG&h=171 => https://mega.nz/file/zQVTSayY#W-bVxUejWq0lqQDD222ze-OIJ8vZU9brmtgvD0tA46U

Intelligence

File Origin
# of uploads :
1
# of downloads :
355
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://crackedshares.org/tp/
Verdict:
Malicious activity
Analysis date:
2025-08-03 18:14:46 UTC
Tags:
autoit arch-exec lumma stealer
Link:
https://app.any.run/tasks/ab2b98a1-9886-4d6b-a224-f6b85e4f1afd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688fb7b0af3050dc8d33e761
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/688fb77e73b8ef6f4afc79b4/reports/af5c9f8a-520f-4989-868e-5cefa6aa3543/overview
Verdict:
Malicious
Labled as:
StartPage.OVJ
Link:
https://www.hybrid-analysis.com/sample/6fc950aadfe73f097adcb76a2c4f9269aebf5849454daa3a3e31937445c37237
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749464
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749464 Sample: setup.exe Startdate: 03/08/2025 Architecture: WINDOWS Score: 100 34 mocadia.com 2->34 36 SLlPzpZUUYkZ.SLlPzpZUUYkZ 2->36 40 Found malware configuration 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected LummaC Stealer 2->44 46 4 other signatures 2->46 9 setup.exe 23 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 52 Drops PE files with a suspicious file extension 12->52 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\...\Abroad.pif, PE32 15->32 dropped 20 Abroad.pif 15->20         started        24 extrac32.exe 14 15->24         started        26 tasklist.exe 1 15->26         started        28 2 other processes 15->28 process10 dnsIp11 38 mocadia.com 45.61.165.8, 443, 49693, 49694 ASN-QUADRANET-GLOBALUS United States 20->38 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->48 50 Query firmware table information (likely to detect VMs) 20->50 signatures12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6fc950aadfe73f097adcb76a2c4f9269aebf5849454daa3a3e31937445c37237
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-03 19:24:48 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7evbkw7447qs6w4w5vcyt4sngxl6wcjivg2uor6ggjxirodoi3q._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250803-x4q68a1mt6/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://mocadia.com/iuew
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://htsfhtdrjbyy1bgxbv.cfd/vcd
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a5b79777-19fe-4ff4-a985-4fa3a11bfeab
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 6fc950aadfe73f097adcb76a2c4f9269aebf5849454daa3a3e31937445c37237

(this sample)

  
Link
https://tria.ge/250803-xpjtlaxxgx/behavioral1
  
Delivery method
Distributed via web download

Comments