MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
SHA3-384 hash:	d9d58f9f3a95620ec8a8b131d3b5c7bc8c04012e6a9099c258426a89c3a3895d32d632502508ab6857aa18939a6e309f
SHA1 hash:	94f2b51980fdb2beeaccffc5ff02d97fb447becb
MD5 hash:	8c84aadd00107e3cd69446dd176028cb
humanhash:	emma-bravo-carolina-eleven
File name:	8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'785'344 bytes
First seen:	2025-08-13 20:14:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	24576:fIi8/OnUb2QrsMyNiQz29LDwVWuj+QwW1ARpcHP/5FxJE4+SnsLgebihTdSMvIw/:Kz2Q8OaizW1AYH33BHhxhD9shO
Threatray	168 similar samples on MalwareBazaar
TLSH	T1028533DFFC9738B4D8C078B35222EA34B474A3C651B6D9A41E473349CD3B6AD242CA65
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Neiki
Tags:	exe lumma LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-08-13 20:09:38 UTC

Tags:

lumma stealer themida loader amadey auto redline botnet auto-reg rdp telegram

Link:

https://app.any.run/tasks/574beb33-35ea-45e5-bc4c-d7a214fdc89a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/21215/

Detection(s):

SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=689cf27231e468d937249c06

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay overlay packed packed themidawinlicense zero

Link:

https://www.filescan.io/uploads/689cf27a397fd3ce6fa827e5/reports/f23cca61-d783-4125-8d95-40d88912dab0/overview

Verdict:

Malicious

Labled as:

Symmi.Generic

Link:

https://www.hybrid-analysis.com/sample/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/daf4c378-b622-4142-8811-7e22b0aae2a7

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/8c84aadd00107e3cd69446dd176028cb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-13 20:09:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rtjmkdlwzjthfshztjtdioxwf45edq22cqpupd2varazroubi7eq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

1384a60414f7ff5ce19194fd0dd0b2d62cd7f4635711e9b00cac7ac95550a614

LummaStealer

1ca0c8ba7ffba20fb77ade5cb38ee12d6f06e17c326f915b1649918a9732b957

LummaStealer

27281a80300ffe0a103880c950b04bfd542415b55ec986ea4aac5d6edfec529d

LummaStealer

511f54d8a2373fc10c30e362a31cad57c95347e96ceca59b886def3ea01b87b4

LummaStealer

5b83cbd627b5f25bfbe2dcfc7dd9a8d0ce85ba9c61352c43b02dcc54e5798c32

LummaStealer

6a9e61320fd3b4c459bfea9266a6aa177526ba659d64279d2c3a541180fa317c

LummaStealer

8a2382778c53adae67a25ea06585e33381dd0e067527bc5ee700dbc6496efc36

LummaStealer

9407bc26aa506e98d3ca4c82f00bf3b26f6270b2925844e94653a7ee0b7d6759

LummaStealer

aca023c46e88d842d9cf0702ff8c4a09854ef67c41dec500e7d5dbf1c6be0d70

LummaStealer

error

LummaStealer

+ 158 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250813-y1xp9sgr2y/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks installed software on the system

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of local email clients

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://vaganetka.ru/opza/api
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0341b5cf-b850-4bad-9540-931388e3c703

Unpacked files

SH256 hash:

8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

MD5 hash:

8c84aadd00107e3cd69446dd176028cb

SHA1 hash:

94f2b51980fdb2beeaccffc5ff02d97fb447becb

Link:

https://www.unpac.me/results/63e6703d-4b26-4739-b5e5-c84f68138edc/

SH256 hash:

29ed78a3f55ffeff225025bde9c2e38706c7445cd4a8fa6f76560dc5a3bd17f5

MD5 hash:

549ac403632e4bb3d38f16369dde235a

SHA1 hash:

3bf7f02269612986ac56ea51dd2260350a2f0dae

Link:

https://www.unpac.me/results/63e6703d-4b26-4739-b5e5-c84f68138edc/

Malware family:

Amadey

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8cd2c50d76ca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lumma Create hunting rule
Author:	kevoreilly
Description:	Lumma Payload

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win_lumma_generic Create hunting rule
Author:	dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://tip.neiki.dev/file/8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9

Cape

https://www.capesandbox.com/analysis/21215/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample