MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c
SHA3-384 hash:	4170132e9a70ddf44f039e11cbb21bb1f63e8d053deac7a916cece6895bce44bdb8739cac653e5f11fbc0652db70f9a9
SHA1 hash:	05c80bd41c04331457374523d7ab896c96b45943
MD5 hash:	b53f9756f806ea836d98ff3dc92c8c84
humanhash:	minnesota-harry-december-cola
File name:	TbV75ZR.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'972'736 bytes
First seen:	2025-04-03 07:27:01 UTC
Last seen:	2025-04-05 13:38:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a0b72f709ebc465cfce6b6cf21367efe (33 x LummaStealer, 6 x Vidar, 2 x Rhadamanthys)
ssdeep	24576:XBPaEPGQ0kDly0a1bLn4AL2k86kzwSTdinsxX0zk/Hrya:XcyI11fhLjkUSTdisxkQHrya
Threatray	23 similar samples on MalwareBazaar
TLSH	T1D1953BBF71973549FE624C30AFECB660CB97287ACE2BEAF14591A03029350D2EC56517
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	176-113-115-7 exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

514

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TbV75ZR.exe

Verdict:

Malicious activity

Analysis date:

2025-04-03 07:42:33 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/9298050b-7df9-453b-b676-743a5ebd786f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264/

Detection(s):

SecuriteInfo.com.Win64.CrypterX-gen.29128.9260.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67ee3bc2cfd0a37f830d0031

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin microsoft_visual_cc msbuild packed packed packer_detected

Link:

https://www.filescan.io/uploads/67ee385eeb7eb0aee040f30e/reports/df8fac20-3d3d-48cd-8d16-9adfd224ec6e/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/00b7197e-d327-4fce-ae4f-5f9bfd103f6d

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1655378

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c/

Threat name:

Win64.Trojan.CrypterX

Status:

Malicious

First seen:

2025-04-03 07:27:28 UTC

File Type:

PE+ (Exe)

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=opfjxqyz2rd6aotrpnhxqgwkrxaruw7mqkwolf2r6kctihslcn6a._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

585392ec23db6d24697c38aec92e87985a418587d55f6b8b4467d12423205e36

LummaStealer

679cd77725c32a0d630aa1599d683720d738c24148ebfb04b9509f561862906e

LummaStealer

73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

LummaStealer

7d80cbeee889e1489a2e6b2b7398368332b45dfbf1f7cddd0ad507712bf63ecb

LummaStealer

a9180506bccc383d2fbd08b71cf8f24f36827bae1fae11fbb62e5c1dbf77cea6

LummaStealer

error

LummaStealer

+ 13 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/250403-jaaqgsvms4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://xrfxcaseq.live/gspaz
https://jrxsafer.top/shpaoz
https://krxspint.digital/kendwz
https://rhxhube.run/pogrs
https://6grxeasyw.digital/xxepw
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://ywmedici.top/noagis

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/424ce58d-b6c8-4e0e-8d75-0628fb1bf702

Unpacked files

SH256 hash:

73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

MD5 hash:

b53f9756f806ea836d98ff3dc92c8c84

SHA1 hash:

05c80bd41c04331457374523d7ab896c96b45943

Link:

https://www.unpac.me/results/538f4eca-898f-4959-9512-156c6803e8a3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 73ca9bc319d447e03a717b4f781aca8dc11a5bec82ace59751f285341e4b137c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3496076/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/264/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample