MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 13 File information Comments

SHA256 hash:	83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214
SHA3-384 hash:	d7282fa7ee72a08e616d110f7f0d034333bedc462c766936e3f7f7e872ecb6fa1dd9c3f6f030a90e46536a70771bf892
SHA1 hash:	fa7a2c107a7013307b4d1cf5f7f152e9a8340fb8
MD5 hash:	1a9ddf7e62952f4303c426bc1e2519bc
humanhash:	glucose-asparagus-rugby-march
File name:	Setup.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	7'200'841 bytes
First seen:	2025-06-05 22:08:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9825b4c9a35eb9a5c5e347cb9ca988ee (3 x LummaStealer, 1 x AsyncRAT)
ssdeep	98304:a92bz2cb6pd7B6bAGx7s333TxtTJ5FdFKbNw3fRol7+yXyRsP5RPzB2IAjH5B4:apQ576FKpw3fR4+yXyCP5lzB2IF
Threatray	45 similar samples on MalwareBazaar
TLSH	T1B076BF17FB84663EC01A5732573387D9993776307A164C1396FC380C8E7A6D22A3E6E6
TrID	84.9% (.EXE) Inno Setup installer (107240/4/30) 8.3% (.EXE) Win64 Executable (generic) (10522/11/4) 3.5% (.EXE) Win32 Executable (generic) (4504/4/1) 1.5% (.EXE) Generic Win/DOS Executable (2002/3) 1.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter	toxicdss
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

466

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://www.yuumijungle.com/post/baldi-s-basics-plus-sin-virus-gratis-para-pc

Verdict:

Malicious activity

Analysis date:

2025-06-05 13:32:06 UTC

Tags:

inno installer delphi netreactor lumma

Link:

https://app.any.run/tasks/0cccd3c2-f7eb-49cf-b744-406122067b40

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7587/

Detection(s):

SecuriteInfo.com.Trojan.Inject5.54987.2649.18128.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684215df07b5e8c1cfe501db

Tags:

injection phishing dropper virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

DNS request

Connection attempt to an infection source

Connection attempt

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint genheur installer invalid-signature keylogger overlay overlay packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/6842158b985349514e609382/reports/7e3ffbb8-0206-4d42-beda-0ef30fa72b60/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5e292add-30bf-4a05-a1d8-84bdffcc09bb

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1707707

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking computer name)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

63%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2025-06-04 04:19:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qovuz2ou27dr3ozw77i53n4ojq7ptpx33ug6wbekuelrm6pgeika._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214

LummaStealer

85100453bb292ca323b9737e73b7ae238d2773dbe547646fec35b6deb9888a3e

LummaStealer

ad044817d9a6c1b798001fbf0f769c0ac1d8486afb9dede03543b934be6df3c6

LummaStealer

e237760e3449c05a54c2ac9b36e8ec33201b6fff72240f90a28c6b34376e3018

LummaStealer

error

LummaStealer

fecc6d9c36fb1cfe6a2dd5cff0083f6980a72b5e7110f441d5e6ae32aee605c2

LummaStealer

+ 35 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:donutloader family:lumma discovery loader stealer

Link:

https://tria.ge/reports/250605-12ay1atwcv/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Detects DonutLoader

DonutLoader

Donutloader family

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://eastwahljc.live/tajs
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://tinklertjp.bet/nzaf
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://witchdbhy.run/pzal

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/07077d32-864b-4bc8-90b4-879c7a9b23d8

Unpacked files

SH256 hash:

83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214

MD5 hash:

1a9ddf7e62952f4303c426bc1e2519bc

SHA1 hash:

fa7a2c107a7013307b4d1cf5f7f152e9a8340fb8

Link:

https://www.unpac.me/results/dd93fd5b-d14d-4df8-ab0c-9ccf44f18b4f/

SH256 hash:

76c94ab3d204b4013603e19497a925a519b9fce77d7e650ec5a1ebf87d04085c

MD5 hash:

855587a01d6979ce07afa7cade332226

SHA1 hash:

eb08b50d5451f7919a7f9c0ad9ca5f97075eb4ab

Link:

https://www.unpac.me/results/dd93fd5b-d14d-4df8-ab0c-9ccf44f18b4f/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/dd93fd5b-d14d-4df8-ab0c-9ccf44f18b4f/

SH256 hash:

69f9c9d458bb476d457d90dda8b385e774e2191524407c37c7f6bc0f608c11d3

MD5 hash:

260f0d63ec6c44603119667a3292f259

SHA1 hash:

ce7254a39e4d1405cba4bad6e5b879561805aae5

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/dd93fd5b-d14d-4df8-ab0c-9ccf44f18b4f/

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/83ab4ce9d4d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/83ab4ce9d4d7c71dbb36ffd1ddb78e4c3ef9befbdd0deb048aa1171679e62214

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7587/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::AllocateAndInitializeSid advapi32.dll::EqualSid advapi32.dll::FreeSid advapi32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation advapi32.dll::SetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteW shell32.dll::ShellExecuteExW shell32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::OpenProcess advapi32.dll::OpenThreadToken winhttp.dll::WinHttpCloseHandle kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetDriveTypeW kernel32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileW kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::MoveFileW kernel32.dll::MoveFileExW
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameW advapi32.dll::GetUserNameW advapi32.dll::LookupPrivilegeValueW
WIN_HTTP_API	Uses HTTP services	winhttp.dll::WinHttpAddRequestHeaders winhttp.dll::WinHttpConnect winhttp.dll::WinHttpGetIEProxyConfigForCurrentUser winhttp.dll::WinHttpGetProxyForUrl winhttp.dll::WinHttpOpenRequest winhttp.dll::WinHttpOpen
WIN_NETWORK_API	Supports Windows Networking	mpr.dll::WNetEnumResourceW mpr.dll::WNetGetUniversalNameW mpr.dll::WNetOpenEnumW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExW advapi32.dll::RegDeleteKeyW advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryInfoKeyW advapi32.dll::RegQueryValueExW advapi32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::AppendMenuW user32.dll::CreateMenu user32.dll::FindWindowExW user32.dll::FindWindowW user32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample