MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3
SHA3-384 hash: 60a9b1c7ab26a0a621566ab2850a2675df1faba18033663191efe71fc08dfca3870604bb918e22ffb2b9c5978c016619
SHA1 hash: 87671bf95de254d1570b8a1394dbfaf4f7b66628
MD5 hash: 15fdf5c68e5c097492317c0c22dc58bd
humanhash: skylark-queen-don-victor
File name:15fdf5c68e5c097492317c0c22dc58bd.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:326'144 bytes
First seen:2025-03-25 07:02:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 261b2bf5d3e981c1d4ef0b71f10a899a (8 x LummaStealer)
ssdeep 3072:u1bVRHspduBsm7QSgHjkMvMO6r2I8LluWBiNYB0K0PAJ+KZz6r/cmyjptOZ6/OAI:u7Hpgtv36rfQluawYB0fYglPX2y/
Threatray 15 similar samples on MalwareBazaar
TLSH T16D647D15F7A814F5E5A7827CC8424906EA72BC5747A0E7CF23E04A963F276E09E3E711
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
438
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6d7eff84e9676222857183c31fdc005a.exe
Verdict:
Malicious activity
Analysis date:
2025-03-25 14:46:58 UTC
Tags:
github stealer lumma loader
Link:
https://app.any.run/tasks/d8f33c6e-c97d-4c7c-8c27-a4dbaefaefc0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen31.3980.21727.16515.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e2550fbb84e066269ee867
Tags:
enigmaprotector phishing delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed
Link:
https://www.filescan.io/uploads/67e25502de7b23ce17213ff5/reports/688a2aa1-a38b-4da7-880b-e0dc1178953a/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08468f52-a691-42fb-b6d0-7f853ed08c88
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1647748
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found API chain indicative of debugger detection
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1647748 Sample: m3gyyctL5A.exe Startdate: 25/03/2025 Architecture: WINDOWS Score: 100 38 targett.top 2->38 40 raw.githubusercontent.com 2->40 42 github.com 2->42 64 Found malware configuration 2->64 66 Antivirus detection for URL or domain 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 8 other signatures 2->70 9 m3gyyctL5A.exe 3 2->9         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 72 Found API chain indicative of debugger detection 9->72 74 Adds a directory exclusion to Windows Defender 9->74 15 xeyuzhcmj.exe 9->15         started        19 cmd.exe 1 9->19         started        21 cmd.exe 1 9->21         started        23 conhost.exe 9->23         started        44 127.0.0.1 unknown unknown 12->44 signatures6 process7 dnsIp8 50 targett.top 172.67.183.183, 443, 49683, 49686 CLOUDFLARENETUS United States 15->50 52 Antivirus detection for dropped file 15->52 54 Multi AV Scanner detection for dropped file 15->54 56 Detected unpacking (changes PE section rights) 15->56 62 4 other signatures 15->62 25 WerFault.exe 22 16 15->25         started        58 Suspicious powershell command line found 19->58 60 Adds a directory exclusion to Windows Defender 19->60 27 powershell.exe 23 19->27         started        30 powershell.exe 14 16 21->30         started        signatures9 process10 dnsIp11 76 Loading BitLocker PowerShell Module 27->76 78 Powershell drops PE file 27->78 34 WmiPrvSE.exe 27->34         started        46 github.com 140.82.113.4, 443, 49681 GITHUBUS United States 30->46 48 raw.githubusercontent.com 185.199.110.133, 443, 49682 FASTLYUS Netherlands 30->48 36 C:\Users\user\AppData\Local\...\xeyuzhcmj.exe, PE32 30->36 dropped file12 signatures13 process14
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-03-24 23:10:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbco7eadtwsexwclu6emukhoazeoazzlfnstdlymd4uwdqnobljq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
26acb88b05439d450a3808fae487065a77bbe3fe9942eb89c43ed1857b4962e5
LummaStealer
2f3f2828c3a7ddb8e315987ae344bcaeb36187af761e541cfdfbf5ff18f6ac70
LummaStealer
8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3
LummaStealer
b5115444c88a5dd53ec3b7f295c48123fac115c6dd6fe0608fe7eb2c7678cd50
LummaStealer
e90600c048ae799dcd4ea3bc45fb3593a8816a7e4af2264ceca6d473dbd7e11a
LummaStealer
error
LummaStealer
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/250325-ht1kkssway/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f67b9574-fe5c-45c9-afc8-019cb134f458
Unpacked files
SH256 hash:
8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3
MD5 hash:
15fdf5c68e5c097492317c0c22dc58bd
SHA1 hash:
87671bf95de254d1570b8a1394dbfaf4f7b66628
Link:
https://www.unpac.me/results/d4013d1d-2bb1-44cb-9e4e-99938b21a110/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8044ef90039d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 8044ef90039da44bd84ba788ca28ee0648e0672b2b6531af0c1f2961c1ae0ad3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3423144/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW

Comments