MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a15d238500c8fc7e2db05cd893a13b1dfe3f54626498cfe57ded9781f00d4d6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 8 File information Comments

SHA256 hash:	a15d238500c8fc7e2db05cd893a13b1dfe3f54626498cfe57ded9781f00d4d6b
SHA3-384 hash:	e64f14f3b1c50eb42a1662a9e65ca0c7be7702431dbe325f6ab54082a8432e940ce03c7c7eb257b96f1a4957b4dbf96f
SHA1 hash:	5038631803f288c502d6c0c93e697d3a3eac362e
MD5 hash:	47002dfa2d2d600daa4e3183b9cbec4d
humanhash:	bacon-august-carolina-high
File name:	Setup.zip
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	15'455'367 bytes
First seen:	2025-03-11 15:23:24 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	393216:CdVt95MMfbQhEQxaSI2KVH8N5Bsda7Q5lINESpWqk7:CdVOMkhg8NKa7YSESLk7
TLSH	T17EF6338E8D189424C7BB0BA022BC8399D7FBB9147920F74CFE47D5C4E96D591B42A38D
Magika	zip
Reporter	aachum
Tags:	file-pumped LummaStealer zip

iamaachum

https://filecr.cfd/?MydbALi05KseNRmYE6xaZJlU4B7Vr9DhW3cO2FtI=ovCpKBb9rgjVq1inkPX5Qc3a6wSEYTDmM7HOle2GZRN=FLQMbXvN8hY30tBAK9Vu1PTWcrIH5psz7UEaJxjqoOygeiR&p_title=Adobe-Premiere-Pro-2024-Build-24-2-Crack---Serial-Key-Download&h=40 => https://mega.nz/file/QII1SCaA#o9cX-em75yhUkUzVW09cU0HxdPjJCQzGOmh2XorxJA0

Lumma C2:
https://cuddlypifllow.life/api
https://featureccus.shop/api
https://qmrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://htardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://latchclan.shop/api

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Setup.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	694'323'435 bytes
SHA256 hash:	52bab11bbaca42a156276889ffac368534c9b77611bcfa341104f75ea2c08be1
MD5 hash:	8b6e607785276564b9c676d353220da4
De-pumped file size:	11'655'680 bytes (Vs. original size of 694'323'435 bytes)
De-pumped SHA256 hash:	f3d0d3f441f11c9dac99ee9e44b0df25fb424ad8fa13584a917aca56261c2a54
De-pumped MD5 hash:	4ab9ca3e9f0c23abc31ea8c54962f2aa
MIME type:	application/x-dosexec
Signature	LummaStealer

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d0531edff6bd92190836cd

Tags:

shellcode phishing

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/a15d238500c8fc7e2db05cd893a13b1dfe3f54626498cfe57ded9781f00d4d6b/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context bloated embarcadero_delphi exploit explorer fingerprint invalid-signature keylogger large-file lolbin overlay packed remote signed

Link:

https://www.filescan.io/uploads/67d055ba4a3011c802cd5d8b/reports/3df77f34-9d57-448f-9b30-f42dbaafef66/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a15d238500c8fc7e2db05cd893a13b1dfe3f54626498cfe57ded9781f00d4d6b

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/a15d238500c8fc7e2db05cd893a13b1dfe3f54626498cfe57ded9781f00d4d6b

Score:

58%

Verdict:

Susipicious

File Type:

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery spyware stealer

Link:

https://tria.ge/reports/250311-yrnq1atzes/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Executes dropped EXE

Loads dropped DLL

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://cuddlypifllow.life/api
https://featureccus.shop/api
https://qmrodularmall.top/api
https://jowinjoinery.icu/api
https://legenassedk.top/api
https://htardwarehu.icu/api
https://cjlaspcorne.icu/api
https://bugildbett.top/api
https://latchclan.shop/api

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)