MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03
SHA3-384 hash:	5837f35327b57c2654e502ef48cc3097e3e8672396d85473dc27516be46b7d04aa7925b9104872005d521de8b00000f8
SHA1 hash:	3a08916eb471e133ffbd8cb57542a1aac17dfcf2
MD5 hash:	ba6ffdc372f7057e5569f14f9a4b1146
humanhash:	network-florida-spaghetti-single
File name:	SecuriteInfo.com.Win64.Evo-gen.108.18562
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'403'392 bytes
First seen:	2025-07-09 15:15:17 UTC
Last seen:	2025-07-09 16:14:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b87d8762e3d5bd13d9e6297f5a640b1d (5 x LummaStealer, 3 x Rhadamanthys, 1 x Stealc)
ssdeep	24576:gBTHQUdBGMjZJzi8qGBIsRWdoCbUsIgaZGZszlXUgaZGZszlX:STHQUdBG0+8qURWJUVGolXUGolX
Threatray	654 similar samples on MalwareBazaar
TLSH	T12355DF395582A2D6FC36507A45A136857472B733C62D2FFF41A0E337AE07AC40F6A359
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win64.Evo-gen.108.18562

Verdict:

No threats detected

Analysis date:

2025-07-09 15:17:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/55947638-c830-4c6d-bf99-af26263120b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13690/

Detection(s):

SecuriteInfo.com.Variant.Zusy.593738.12724.21107.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686e8796c9eb97473767eb99

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context fingerprint microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/686e87970737c4165a9734f9/reports/ab30323d-a4de-4a20-a15b-f7393ee503fa/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/35d4d164-98f9-4152-b313-557294f57aa2

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/ba6ffdc372f7057e5569f14f9a4b1146

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03/

Threat name:

Win64.Trojan.LummacStealer

Status:

Malicious

First seen:

2025-07-09 14:35:15 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s4kdxts4ihsrpj7gsb4ctr5sx4sr62nyumr3qa33yl5fbvajbmbq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

LummaStealer

8301936f439f43579cffe98e11e3224051e2fb890ffe9df680bbbd8db0729387

LummaStealer

97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

LummaStealer

a8dc216d02680550eef8373559c6c2cdc1531b4896fbb37cb9d038859b98d9ce

LummaStealer

c731c2800a007ae0e2f490984e6e341144432d7132308585a7bc6b3d80c27144

LummaStealer

error

LummaStealer

+ 644 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250709-sm5wtsyq13/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://t.me/pizdenka202020
https://plapwf.top/agnb
https://lnofi.xyz/qoei
https://ryxpq.xyz/tpaz
https://dzyzb.xyz/anby
https://dkkig.xyz/xjau
https://lodib.xyz/towq
https://cexpxg.xyz/airq
https://urarfx.xyz/twox
https://genmkh.xyz/towq

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/185aa35f-df0c-4347-b6d8-f9314a773f1b

Unpacked files

SH256 hash:

97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

MD5 hash:

ba6ffdc372f7057e5569f14f9a4b1146

SHA1 hash:

3a08916eb471e133ffbd8cb57542a1aac17dfcf2

Link:

https://www.unpac.me/results/426856f8-cbec-4c33-b064-273b42444b45/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe 97143bce5c41e517a7e6907829c7b2bf251f69b8a323b8037bc2fa50d4090b03

(this sample)

Cape

https://www.capesandbox.com/analysis/13690/

URLhaus

https://urlhaus.abuse.ch/url/3579690/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample