MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0
SHA3-384 hash:	c5ca3c9c3a739eaaee06a8d9d9bdcc0ce39aad5ee05276a1b73bc8b0fa8fa81cd99045414972edc81c63e68b758b38c3
SHA1 hash:	09febd9c8677e04c91d9757dc4eff1ef28345593
MD5 hash:	903179b79bbca476694b0c480e034339
humanhash:	wyoming-sweet-three-maine
File name:	ws-Setup-Complete.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	2'927'616 bytes
First seen:	2026-02-14 10:53:22 UTC
Last seen:	2026-02-14 11:23:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fc26bf23d6d19dd93692eae045c9fa64 (1 x LummaStealer)
ssdeep	49152:pT9jRm/1Q375tSbGASvzUxL0+x3x1VyPZrceNLuT14F/:pRle63qovzO1tMPZwKKTm1
Threatray	35 similar samples on MalwareBazaar
TLSH	T1C5D5CFE2F5FF6162E0CD15FBC080FB871866FB5A4AC5437BEA8CC4655C0E9913E9A025
TrID	21.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win64 Executable (generic) (6522/11/2) 16.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 14.6% (.EXE) Win32 Executable (generic) (4504/4/1) 6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	aachum
Tags:	exe LummaStealer signed

Code Signing Certificate

Organisation:	CyberCore_Smart
Issuer:	CyberCore_Smart
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-02-10T14:01:45Z
Valid to:	2028-02-11T14:01:45Z
Serial number:	e15b8887091d94ba
Thumbprint Algorithm:	SHA256
Thumbprint:	ff61981d3c77c123afa4a189f574308bcc20bbe222e88831682489bc2abce792
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

iamaachum

https://mega.nz/file/fh5yERbS#ENTHLDHa3-hu77-fnP0tXQUAOf2_Nu5uMwE6Gu2XJTA

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

ws-Setup-Complete.exe

Verdict:

Malicious activity

Analysis date:

2026-02-14 10:54:03 UTC

Tags:

lumma stealer fingerprinting

Link:

https://app.any.run/tasks/ed836db9-fac5-46b5-b942-dc54772ab324

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53322/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Lumma.3025.6099.11169.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699054580d0369ff997947f8

Tags:

injection stealer virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug crypt infostealer installer-heuristic keylogger lumma packed signed stealer unsafe

Link:

https://www.filescan.io/uploads/69905455930564ff3ca0d8d0/reports/b09b7a94-817c-43a3-ae9c-520efccb7186/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-02-11T20:48:00Z UTC

Last seen:

2026-02-13T15:05:00Z UTC

Hits:

~10

Detections:

BSS:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Win32.Lumma.aban

Link:

https://opentip.kaspersky.com/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0/results?tab=lookup

Malware family:

AtlasAgent

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a41f9e6e-9558-42fc-9742-9432aab224bf

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1869502

Signature

AI detected suspicious PE digital signature

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Unusual module load detection (module proxying)

Behaviour

Behavior Graph:

Download SVG

Score:

56%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/903179b79bbca476694b0c480e034339

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2026-02-13 00:39:51 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s3hdpmsx2bumrzt6kcxy6uxpqkx6oy4ti3a2irazxf465lxyicqa._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

62739b475a41b2eb386aa7692dd37f64fc944b5857a59f646800efac3fa2916b

LummaStealer

96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

LummaStealer

ece645ddb7d6f50baf4df5443ea124aa3484f41617c6192b0a75d94f65f0aa9c

LummaStealer

error

LummaStealer

+ 25 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery stealer

Link:

https://tria.ge/reports/260214-mzmm5aas4b/

Behaviour

System Location Discovery: System Language Discovery

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://portuge.cyou/api
https://whitepepper.su/asds
https://hammernew.su/asdase
https://heavylussy.su/ccvfd
https://broguenko.su/asfase
https://homuncloud.su/ascasef
https://familyriwo.su/fssdaw
https://izzardtow.su/cascasc
https://basilicros.su/asdasq

Unpacked files

SH256 hash:

96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

MD5 hash:

903179b79bbca476694b0c480e034339

SHA1 hash:

09febd9c8677e04c91d9757dc4eff1ef28345593

Link:

https://www.unpac.me/results/824e457a-9183-44cf-8dae-8ea81c55dc9a/

SH256 hash:

4b7f850f974d0e87a20183f9068223495d52d824fe8f7140eeb963fc578a7e81

MD5 hash:

fecc22a3c39dff8b28c98d61d37b9e04

SHA1 hash:

451b7fef06568b5e5940ac09400f9e6f8e1a2a28

Detections:

LummaStealer

Link:

https://www.unpac.me/results/824e457a-9183-44cf-8dae-8ea81c55dc9a/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/96ce37b257d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.17

Link:

https://yomi.yoroi.company/submissions/96ce37b257d068c8e67e50af8f52ef82afe7639346c1a44419b979eeaef840a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.