MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618
SHA3-384 hash: 8756d5fb425f01e21fa412f5f259a5da197e5a881dacef1ebc15e36c559750bd7d560220807614a65aa2f171258f43fc
SHA1 hash: 6c0b9152f6e0ec4406e79cd7d947cdb678492dc0
MD5 hash: 5583f0230b407bf516f60bcb36d72cea
humanhash: mango-aspen-virginia-south
File name:Setup_Installer_patched.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:2'878'974 bytes
First seen:2026-03-16 23:10:37 UTC
Last seen:2026-03-17 20:05:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (98 x LummaStealer, 85 x RedLineStealer, 62 x Rhadamanthys)
ssdeep 49152:w6OMIAY5vS3sWnlD2OMkuXysXXa+RmGYNZ8On0:w6OMDcus4lDik7cRCt0
TLSH T129D52287B7C432E1E821D2B257BB36535B33FC2543614FEB2584F2354E532A19636B1A
TrID 45.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
18.0% (.EXE) Win64 Executable (generic) (6522/11/2)
13.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.ICL) Windows Icons Library (generic) (2059/9)
5.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter user35335
Tags:de-pumped exe LummaStealer


Avatar
user35335
https://dwnlods.onl -> https://disk.yandex.com/d/Uf4CRvgkZF44DQ

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
CA CA
Vendor Threat Intelligence
Malware configuration found for:
Archives
Details
Archives
an extracted Cabinet archive from the resources and SFX parameters
Link:
https://research.acce.ciphertechsolutions.com/results/58af41c9-cc57-4da9-ba8a-9d5a1eab9355/
Malware family:
n/a
ID:
1
File name:
Setup_Installer_patched.exe
Verdict:
Malicious activity
Analysis date:
2026-03-16 22:46:17 UTC
Tags:
autoit lumma stealer fingerprinting
Link:
https://app.any.run/tasks/de2d6056-9be9-450d-8082-8bfab7d1c7af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57689/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b88e1388c80c01586af28e
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
Launching the process to create tasks for the scheduler
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context at autoit CAB explorer installer installer installer-heuristic lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx
Link:
https://www.filescan.io/uploads/69b88e104ec2f522cc4bc115/reports/4fec491c-31eb-441b-87a0-ed0ced3b42fb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618
Verdict:
Malicious
File Type:
exe x64
Detections:
Trojan.Win32.Autoit.sb Trojan-PSW.Stealerc.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C Backdoor.Win32.Agent.myxega Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fdedc40e-36de-48fd-a866-3ee4d2d6cfa4
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618
Verdict:
Malware
YARA:
5 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 64 Exe x64
Link:
https://app.malva.re/file/5583f0230b407bf516f60bcb36d72cea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o75mzaaoo5zutmukvwouxtbqwnz7upmxznvqa4y7xoavangqiyma._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence stealer
Link:
https://tria.ge/reports/260316-26ch3aav4x/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates processes with tasklist
Adds Run key to start application
Deletes itself
Executes dropped EXE
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://followw.cyou
https://egyptnf.click/xxx
https://familbg.club/help
https://genusne.click/caccc
https://mobbyyt.club/info
https://lumpeem.quest/main
https://thundut.biz/create
https://workltt.quest/owner
https://watchhr.biz/manifest
Unpacked files
SH256 hash:
77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618
MD5 hash:
5583f0230b407bf516f60bcb36d72cea
SHA1 hash:
6c0b9152f6e0ec4406e79cd7d947cdb678492dc0
Link:
https://www.unpac.me/results/8dacea4a-1a28-4ca8-bea0-af439d2f3c8e/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77facc800e77/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

zip 1733c1d12e4b799ac0165a933b3bbf246ad078883be359749510b44d2eb775cb

LummaStealer

Executable exe 77facc800e777349b28aad9d4bcc30b373fa3d97cb6b00731fbb815034d04618

(this sample)

  
Dropped by
SHA256 1733c1d12e4b799ac0165a933b3bbf246ad078883be359749510b44d2eb775cb
  
Delivery method
Distributed via web download
  
Dropped by
MD5 f897788e12be9d7c9d7477c946d1bdaf
Cape
Cape
https://www.capesandbox.com/analysis/57689/

Comments