MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76c9bd1b1a29a3505bf9362ad11c327ef6dc9f7c0cc686501a1bdc815f2fda17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 13


SHA256 hash: 76c9bd1b1a29a3505bf9362ad11c327ef6dc9f7c0cc686501a1bdc815f2fda17
SHA3-384 hash: ad32850025dfa150f4b2931fc245e083d6ac71f4d5cccd7abc05e51d3de878e660c5f4740a9a8a2afb0c2d5017b512ad
SHA1 hash: 058678da608f62ef01ab7c6460dc0f1261a253a4
MD5 hash: b443f7cf8e557e8d4de330de0ce6cc26
humanhash: tango-enemy-stream-triple
File name: w9WJfpWNM.exe
Signature: LummaStealer
File size: 2'035'880 bytes
First seen: 2026-03-28 20:39:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 1aae8bf580c846f39c71c05898e57e88 (153 x LummaStealer, 29 x SalatStealer, 18 x ValleyRAT)
ssdeep 24576:3FoEpn05mXxg/L05BNPwe7ZuY3WT7izn5ngS3H/ChjA8eO5aLY3nMKLirk4xPb31:3WKblweFnNahjxJn5irZbQmu+5
Threatray 1 similar samples on MalwareBazaar
TLSH T1CA954B01FECB54F1E417163669B763EF273898090F36AA97EA403A7DFD762D41922309
TrID: 48.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.1% (.EXE) Win64 Executable (generic) (6522/11/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: aachum
Tags: 77-238-236-29 ACRStealer dropped-by-RenPyLoader exe not-LummaStealer signed

Code Signing Certificate

Organisation: www.citrix.com
Issuer: GeoTrust TLS RSA CA G1
Algorithm: sha256WithRSAEncryption
Valid from: 2025-07-05T00:00:00Z
Valid to: 2026-07-07T23:59:59Z
Serial number: 0be940f6f612fe0ac8b8f19f28aba941
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7746af8682ec313f7134fca561b7ace6f2d9f49e4f833bd249884bff32102b77
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


iamaachum
https://file165164.host70v.cfd/

ACRStealer C2: 77.238.236.29

Intelligence


File Origin
# of uploads: 1
# of downloads: 128
Origin country: ES
Vendor Threat Intelligence

No detections
Malware family: n/a
ID: 1
File name: w9WJfpWNM.exe
Verdict: Suspicious activity
Analysis date: 2026-03-28 20:35:47 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: injection trojan shell
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context anti-vm golang krypt signed
Verdict: Malicious
File Type: exe x32
First seen: 2026-03-28T08:53:00Z UTC
Last seen: 2026-03-29T12:16:00Z UTC
Hits: ~1000
Detections: HEUR:Trojan.Win64.Generic HEUR:Trojan.Win64.Kryptik.gen
Result
Threat name: Amatera Stealer, Arechclient2, GO Steale
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amatera Stealer
Yara detected Arechclient2
Yara detected GO Stealer
Yara detected HijackLoader
Yara detected Powershell decode and execute
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 1890591, Sample: w9WJfpWNM.exe, Startdate: 28/03/2026, Architecture: WINDOWS, Score: 100 (process, file and network graph rendered as an image on the original page; not reproduced here)
Verdict: malicious
Label(s): amaterastealer hijackloader
Similar samples:
Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader defense_evasion discovery execution loader persistence spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Hide Artifacts: Hidden Window
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Detects HijackLoader (aka IDAT Loader)
HijackLoader, IDAT loader, GhostPulse
Hijackloader family
Unpacked files
SHA256 hash: 76c9bd1b1a29a3505bf9362ad11c327ef6dc9f7c0cc686501a1bdc815f2fda17
MD5 hash: b443f7cf8e557e8d4de330de0ce6cc26
SHA1 hash: 058678da608f62ef01ab7c6460dc0f1261a253a4
Malware family: GHOSTPULSE
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found in malware using C2. Based on a sample used by a ransomware group
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF and Mach-O binaries
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectGoMethodSignatures
Author: Wyatt Tauber
Description: Detects Go method signatures in unpacked Go binaries
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: Golang_Find_CSC846
Author: Ashar Siddiqui
Description: Find Go signatures
Rule name: Golang_Find_CSC846_Simple
Author: Ashar Siddiqui
Description: Find Go signatures
Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: switch from 32-bit to 64-bit mode
Rule name: HiveRansomware
Author: Dhanunjaya
Description: YARA rule to detect Hive V4 ransomware
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_no_import_table
Description: Detects PE files that have no import table
Rule name: ProgramLanguage_Golang
Author: albertzsigovits
Description: Application written in the Golang programming language
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Suspicious_Golang_Binary
Author: Tim Machac
Description: Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/
Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransom note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: LummaStealer
File: Executable exe 76c9bd1b1a29a3505bf9362ad11c327ef6dc9f7c0cc686501a1bdc815f2fda17 (this sample)

Dropped by: RenPyLoader

Delivery method: Distributed via web download
