MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
SHA3-384 hash: 367f220f02b0d419984612b7606eec5fcf61b92910efc815ba0e5b2e3c147802ce689e6bc9ef11a7956477e688f9a576
SHA1 hash: f7481d559b5349eb58057ab345142f018586b36c
MD5 hash: 4c017ee9203d4f39be446fae944be38d
humanhash: green-dakota-oklahoma-maryland
File name:9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'820'160 bytes
First seen:2025-08-16 12:03:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:YO5Q5zNg/RsKOQCvbZKvz8C28z1O1q4/VKO:YeQ55Is8vQCXzeF/
Threatray 239 similar samples on MalwareBazaar
TLSH T16C8533CBFBAFF010C954E6BC7D699320F3EBA86724B90E050D56585C0D83A7993DC866
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Neiki
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
9a41f55c11c0da7dc27bf25b7a670fccf444e2853a3a1954517e5830494d0a34.exe
Verdict:
Malicious activity
Analysis date:
2025-08-16 11:37:18 UTC
Tags:
gcleaner loader lumma stealer autoit auto redline amadey botnet telegram inno installer auto-reg delphi themida rdp
Link:
https://app.any.run/tasks/ee177f66-a213-4617-b978-7937cc025c8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21657/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a07396c2f5296a1a277fbe
Tags:
vmdetect phishing emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated overlay overlay packed packed themidawinlicense zero
Link:
https://www.filescan.io/uploads/68a0741aa4bdac9f5b9991c4/reports/1e5e7305-3f57-453a-8a1c-7fc33176f586/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/74407e1a-c0c6-4b8d-b22b-c907af399a9c
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/4c017ee9203d4f39be446fae944be38d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-16 11:56:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smd4sxsfahfnxnr7pmjxz6ocrgazyfisnngnattyrlv6dybait4q._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
102c57004decd2173d86522467863123425f1ecccf37561fa34fca5c1de1c402
LummaStealer
15c4f381e82e4d4d24ddd1f3ca33cf16678933534da2e5c27f67ec7ece8b7509
LummaStealer
26e4ab8789bbb0abb65080b98e9da6717e3db46c0eee82a8e98d2cf4d1064725
LummaStealer
8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
LummaStealer
9653fb267376aa1495996d935a8bb8b6d73b46aa372d814bfb3c91ba0ebbf7f3
LummaStealer
9d989913e9867ec5cc3935e9da9cc8d32a850b7c51fbc3f40b03913fb3d3668b
LummaStealer
c427c491f37071345076ef33db7bf74199d1a46a9a7d47e4b438e85624c27cda
LummaStealer
cdb8d74735fd803936cbb3f259418fa76aa5fa7ad03f8cba3b7d310006052e61
LummaStealer
d8c44f8a58899360bf30a527082c917bae7b564db5f129f2517a5deb39ba9ff2
LummaStealer
error
LummaStealer
f57764db1fdb67a38593290017ce65a9aa83a114b4e9b9c32a46129db38d2717
LummaStealer
+ 229 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery spyware stealer
Link:
https://tria.ge/reports/250816-n78e8sdl7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Modifies trusted root certificate store through registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://vaganetka.ru/opza
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2e00beb8-721b-40ea-8990-28e52925ff0c
Unpacked files
SH256 hash:
9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
MD5 hash:
4c017ee9203d4f39be446fae944be38d
SHA1 hash:
f7481d559b5349eb58057ab345142f018586b36c
Link:
https://www.unpac.me/results/fdc1a362-37cb-4598-b04e-1e098300a92a/
SH256 hash:
9b689b9cf67adc2c976491c85e57e2968781e15f775ba5a315f6ff7d6c205714
MD5 hash:
4de989611f3467ed87e437212ac61311
SHA1 hash:
21faaf64474c522decd4278a548f3b411f8f22aa
Link:
https://www.unpac.me/results/fdc1a362-37cb-4598-b04e-1e098300a92a/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9307c95e4501/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tip.neiki.dev/file/9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
Cape
Cape
https://www.capesandbox.com/analysis/21657/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments