MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
SHA3-384 hash: 95bfde4216c8f9a6dc508a0b4269659f4101b6753d82a7aeaf8c15f701dd239fcd9adf97e682e8c9e798c10c61bfaeff
SHA1 hash: d082c71f28649637948af7df7c1349366e1e6cea
MD5 hash: 8c0bae23adc812b51bc15e80ea1e66d9
humanhash: king-nebraska-helium-south
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'202'688 bytes
First seen:2025-09-01 16:36:24 UTC
Last seen:2025-09-01 16:38:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6209bbfe3114af4a5214392d486d765f (5 x LummaStealer, 1 x Amadey, 1 x Rhadamanthys)
ssdeep 24576:7pzw7OzJyp7giHQR/hN/oEGSE8AZHHiuuOSj2IJY:7pzwS8hbHQTN/oEGhZI9/G
Threatray 836 similar samples on MalwareBazaar
TLSH T12C45D01CA97590DAFCD344716B568111B422BD77CF286ADB42E487A13A17EFC0A3F326
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe LummaStealer


Avatar
Bitsight
url: http://178.16.55.189/files/fate/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
6bea76c9a54dbcabbb452eb83fde33c496a7545b2b5a31883e5ee2b58d49008b.exe
Verdict:
Malicious activity
Analysis date:
2025-09-01 02:03:14 UTC
Tags:
lumma stealer themida amadey botnet loader auto redline telegram rdp auto-reg delphi anti-evasion purelogsstealer stealc screenconnect rmm-tool
Link:
https://app.any.run/tasks/63674e17-8b4c-4033-bf1c-6ca9e5aee591

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24602/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b5cb99eb163e0ec1841960
Tags:
stealer virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed similar-threat
Link:
https://www.filescan.io/uploads/68b5cb9a6212e2f74266e77a/reports/173c4948-79e3-4c90-8bcb-85c8e8bfa9fa/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-31T07:37:00Z UTC
Last seen:
2025-08-31T07:37:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Stealerc.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C Trojan.Win32.InjectorNetT.cco
Link:
https://opentip.kaspersky.com/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2a8750cd-a439-4bfc-ade3-dc3c244fc7ce
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/8c0bae23adc812b51bc15e80ea1e66d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-08-31 10:23:59 UTC
File Type:
PE+ (Exe)
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uugvg33xtv7hetemvt5hi3iddoxdrflmqgqzdasecbquwhwex7ka._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
30213afdf2bd336c8042c5bff0243460f283ae69b0416434812346842e5a770d
LummaStealer
31ba8080813690f32ff5cb3ad9c09a20129f81f0f4f11ed99d6cac35cb1d7c4d
LummaStealer
66714b3368a2365b0ac7cb6a09bf95dc6fb98989a74bcd2e274971b4237e6df7
LummaStealer
729249d83d242afe8bb90b891a1b0bee9f40b864d72a4c680c0479d02d9c3c61
LummaStealer
a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
LummaStealer
b303e5fa63277691ab5249294772aed02d0f294fe2d69dc5dfe2cc77a15a4e7a
LummaStealer
cb9bd04a140f01165856fc726e03801c3d757a63bfda2b8b4638d2bfb726d089
LummaStealer
error
LummaStealer
+ 826 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250901-t4jwcsbq7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/raztazrom
https://washerv.ru/qygd
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4003e9a0-8847-4246-9c13-7087a6a29541
Unpacked files
SH256 hash:
a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4
MD5 hash:
8c0bae23adc812b51bc15e80ea1e66d9
SHA1 hash:
d082c71f28649637948af7df7c1349366e1e6cea
Link:
https://www.unpac.me/results/fc2a2961-9db8-4c58-aea6-cf620084fe4c/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a50d536f779d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe a50d536f779d7e724c8cacfa746d031bae38956c81a191824410614b1ec4bfd4

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3607393/
Cape
Cape
https://www.capesandbox.com/analysis/24602/

Comments