MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c
SHA3-384 hash: 1e2072ac620182d8d03e110a6b2056e6d585914106afe56db18b7cff3c2e8196aa4c2365dc29f4f31e7b56ca6cf21606
SHA1 hash: 01a62a6b2b22f62ee696e42293d73e2fa7a3b99d
MD5 hash: 623a61edc99df7f1f9613c51ed864340
humanhash: golf-mobile-yankee-yellow
File name:setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:97'528'132 bytes
First seen:2025-06-24 16:28:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:H0awgtQw9sKD1Xe9HUtEL9GsQOZmuB0gUzPQ23yZTbSn:HaqnZXe9HxUuB2d3yZe
Threatray 645 similar samples on MalwareBazaar
TLSH T1932892F2C3843345C4923257F8521B7525B9908DEA3368E736ADB1D99628D21F38E36F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 6062d2d8ccccfc3c (1 x LummaStealer)
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://filepiratedlink.pro/?MmjvZ6NzxP1pC3LQXRIc5nBOEtWeTfbrdFosDy4V=zSIZfJACEqu2M3hmBOltce9vXrKyonsTY0PxiwR6jap=rYif50oEsv1ya8BdMGgqAweFOT9LucNjk4KnU3xbHJWSIPD&h=159 => https://mega.nz/file/VFJhxKqK#YaHtPzlujbYA2j1iJBH9I_Kq4EOW8LSu6HpJ2Ssf_8M

LummaStealer C2: https://silvyg.xyz/bybi

Intelligence

File Origin
# of uploads :
1
# of downloads :
802
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-06-24 16:29:19 UTC
Tags:
autoit telegram lumma stealer
Link:
https://app.any.run/tasks/8608c0b7-7fd4-4285-938a-b3adaee65313

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685ad46932ed47a3a8d6c3d6
Tags:
infosteal spawn shell sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole entropy installer invalid-signature microsoft_visual_cc overlay overlay packed packed packer_detected signed virtual
Link:
https://www.filescan.io/uploads/685ad39e3faf8fcd7d3f8576/reports/98e6d839-7459-4aef-b274-2f10cee9164b/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1722079
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1722079 Sample: setup.exe Startdate: 24/06/2025 Architecture: WINDOWS Score: 100 34 silvyg.xyz 2->34 36 t.me 2->36 38 kZdccCAhvGkoeNLzTPFZSqXJzM.kZdccCAhvGkoeNLzTPFZSqXJzM 2->38 52 Found malware configuration 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected LummaC Stealer 2->56 60 4 other signatures 2->60 8 setup.exe 16 2->8         started        signatures3 58 Performs DNS queries to domains with low reputation 34->58 process4 file5 28 C:\Users\user\AppData\...\Reproduced.vsdx, DOS 8->28 dropped 11 cmd.exe 5 8->11         started        process6 file7 30 C:\Users\user\AppData\Local\...lite.com, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\Temp\377990\p, DOS 11->32 dropped 62 Drops PE files with a suspicious file extension 11->62 15 Elite.com 11->15         started        19 extrac32.exe 21 11->19         started        22 conhost.exe 11->22         started        24 6 other processes 11->24 signatures8 process9 dnsIp10 40 t.me 149.154.167.99, 443, 49692 TELEGRAMRU United Kingdom 15->40 42 silvyg.xyz 144.172.115.212, 443, 49693, 49694 QUICKPACKETUS United States 15->42 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->44 46 Query firmware table information (likely to detect VMs) 15->46 48 Tries to harvest and steal ftp login credentials 15->48 50 3 other signatures 15->50 26 C:\Users\user\AppData\Local\Temp\Clarity, COM 19->26 dropped file11 signatures12
Score:
25%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-06-24 16:37:37 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qt6aexxkzlxl7woaoeloznc762m3z2xnh7bzzpszkje4mdnx54wa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
127f4e6f6cb323d0f7b71ea817e352392fb7bc24199281bad008708994d888c9
LummaStealer
1717f135b5854ecc4dfc8230c30234a2ab60020954d7c5e44ea4dcf268d52b13
LummaStealer
63c1511bdd68d12623147ed555454d75c15e437e5897417d7c2974eac2887777
LummaStealer
94d45402ef5c153a1bd8d0972f2e318b0fc1133ea4b93a8bf8d2a90b6b6b3c54
LummaStealer
b7d8baf7b42e19c1a07a6e79de9fb53ebd899379d96cd2cfd5671f618e2d8a9c
LummaStealer
error
LummaStealer
fec1a04a5587a1d1ba5ed4296cc373836e8593c04c20c7193a2c5933d858e171
LummaStealer
+ 635 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250624-t2g9rawvdx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/76dda2f5-a6ea-4958-8c7b-c1dac4660174
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 84fc025eeacaeebfd9c07116ecb45ff699bceaed3fc39cbe595249c60db7ef2c

(this sample)

  
Link
https://tria.ge/250624-tr5masvkz9/behavioral1
  
Delivery method
Distributed via web download

Comments