MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020
SHA3-384 hash: 65144fd7249cc316a9f412e34c032a2b0ab24cb6df9e45f3eba52d911cd1f55d24215a099853bae5ff3a32375dfc6f9e
SHA1 hash: 25d7b727ba33558f2e03eafa2dd1a1f8b2fb7496
MD5 hash: 52abdf4a498941c39bf839e07524c9b1
humanhash: tango-four-kentucky-washington
File name:howeptjasdryhg.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'311'232 bytes
First seen:2025-03-19 19:31:32 UTC
Last seen:2025-03-21 20:29:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 71cc5af9daad65e58c6f29c42cdf9201 (140 x LummaStealer)
ssdeep 24576:Wfs7K9amTqr/SSf/HvUEDID6dEbNw7lMCY9j5LAwykgWCAnc3lxq:+se9amTHq/PUEw/bG7lMCY9jqjWCAncT
Threatray 111 similar samples on MalwareBazaar
TLSH T12F55332365376B51D38D183FA5AE4F12E0426D35AAD5C224BDB78DCF0D7A3AD30B8648
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:exe LummaStealer


Avatar
iamaachum
https://github.com/deripascod/romawer/raw/refs/heads/main/howeptjasdryhg.exe

Lumma C2: https://t.me/wermnjgk34
https://jetsetgo.life/ASIozn

Intelligence

File Origin
# of uploads :
3
# of downloads :
409
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
howeptjasdryhg.exe
Verdict:
Malicious activity
Analysis date:
2025-03-19 20:54:52 UTC
Tags:
telegram lumma stealer
Link:
https://app.any.run/tasks/dff77f41-1f88-4041-a241-bea5d77c2fac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67db1bbb115e7b48b48ed279
Tags:
enigmaprotector delphi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
enigma obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67db1bbb1dd35ee4a0e879ba/reports/b1aeaabf-eb58-402a-b3db-e3e1975a56ab/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spark
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79757ee3-c4bc-414b-9d83-3939d8932191
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643462
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 19:32:12 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sacftm5bbnjv53hfduabeedghtjeoxbkrzgotogwh7blsv5uuaqa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
3520d8fc19fd27c13cef6414b4cf5004a5daa1598a455f10b51688ca4e4be0d9
LummaStealer
40be170151f76d5b4f17094abb9817d5b8686a33fad6e92a4974904450d544c9
LummaStealer
47268fe68e22b14bfccf2d53d8ec55d72100774430f1504f49b088f04d93b2e5
LummaStealer
65babd32307b6ab12ac27ff6355d55d37c059f21df0401f0963a91111ad009b4
LummaStealer
69af611bea457fc1c372bf333b2da65c9a0b5de828afe79d918458e67a70ab4a
LummaStealer
9a2163b925e9ba9aa6e17b0e6c813c36f0dbc3f2b8c6e74d1005553aca99e22c
LummaStealer
d5acf2451a1683b2e702f8da1dee3c0c908f6683b899e5ebe8b4614f1870a410
LummaStealer
eda503252b71d8e453b1c18f9f81fac90ad8af7a4c285a4899c8301df39081b5
LummaStealer
error
LummaStealer
+ 101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250319-x81apavky2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Reads user/profile data of local email clients
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d54ca4db-47ab-46be-b25e-d29f9a2bfe98
Unpacked files
SH256 hash:
900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020
MD5 hash:
52abdf4a498941c39bf839e07524c9b1
SHA1 hash:
25d7b727ba33558f2e03eafa2dd1a1f8b2fb7496
Link:
https://www.unpac.me/results/35c6d4e7-7310-4cae-902d-48dded1e37f2/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/900459b3a10b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EnigmaProtector11X13XSukhovVladimirSergeNMarkin
Create hunting rule
Author:malware-lu
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe 900459b3a10b535eece51d001210663cd2475c2a8e4ce9b8d63fc2b957b4a020

(this sample)

  
Link
https://tria.ge/250319-xzc4ssz1gz/behavioral9
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create Filesversion.dll::GetFileVersionInfoA

Comments