MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903b077014c4652752cff3db65e05572096fbb16386b4c7ac10c5d951bf4bbf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 15



SHA256 hash: 903b077014c4652752cff3db65e05572096fbb16386b4c7ac10c5d951bf4bbf0
SHA3-384 hash: 6b9a4ead87d850c4364dbf851a4351a9a73d09f4b105caeb68d069a5bab71444e1788bd267919833664902b26bddbe3f
SHA1 hash: 4ed882c4a3882217c943d9bc1d3abb5ca81804ad
MD5 hash: fc8e4b258c552d475107241775168573
humanhash: foxtrot-blossom-pennsylvania-october
File name: Setup.exe
Signature: LummaStealer
File size: 96'468'996 bytes
First seen: 2025-07-22 13:32:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep: 24576:/lcTaUHHRdkL8+GGYC1uHk0zDvkA/L/prxs+4GbzEy0YXNQn:bUnvkLZ8Hk0zDvkAHs+4ry0YXNQn
TLSH: T11328226026133D71A3FA38B0841B71E2F7B4E62F15F555BA6B6F895F04E2588326F342
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 000003090c263000 (2 x LummaStealer)
Reporter: aachum
Tags: AutoIT CypherIT exe LummaStealer


iamaachum
https://zulmie.cfd/cspeed/?eH2dixo?utm=14kbhz => https://mega.nz/file/PVtHzYrb#XqE1UsznI8GSq49agXHlpOHMVaTXrr-EHmcyn3AxdTE

Intelligence


File Origin
# of uploads: 1
# of downloads: 811
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2025-07-22 13:37:22 UTC
Tags: lumma stealer autoit telegram qrcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Creating synchronization primitives
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc overlay
Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Threat name: Win32.Dropper.Generic
Status: Suspicious
First seen: 2025-07-22 13:33:41 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 13 of 35 (37.14%)
Threat level: 3/5
Verdict: malicious
Label(s): lummastealer
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer trojan
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
File type: Executable exe
SHA256: 903b077014c4652752cff3db65e05572096fbb16386b4c7ac10c5d951bf4bbf0 (this sample)

Comments