MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8
SHA3-384 hash: 7a4594f089353e163ba03e74169f918f16bf8dfecc35afc60902de981b7f5949069a0f81446eaf0cc9d7ba426f487c1a
SHA1 hash: 73ed0865e201b9a432ef774ba765cb2f62186dd0
MD5 hash: 9e794fc999f79a3378bd0efddfa01fa4
humanhash: golf-victor-butter-golf
File name:The_LauncherV1_patched.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'614'848 bytes
First seen:2025-03-28 14:39:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97d43c23f14b3d755928606b6e44b7e2 (2 x LummaStealer)
ssdeep 24576:Y4XHvscnF/rEZOkZQQrvz5UUK53tYUgsZdK:7PscF/roOkZQu5VK5dYMK
TLSH T18675D01275A2E073E14A91B31935F668387BA66187324FE793C4EEBC76507C10F72A2D
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:de-pumped exe LummaStealer


Avatar
iamaachum
https://www.youtube.com/watch?v=J0EZe9kEt70 => https://lumenamoris.live/fortnite => https://www.mediafire.com/folder/znaqnupjf8xek/SoftV10.4

Intelligence

File Origin
# of uploads :
1
# of downloads :
644
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
The_LauncherV1_patched.exe
Verdict:
Malicious activity
Analysis date:
2025-03-28 14:40:07 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/a298af9b-9fa4-4339-8de9-63987c7c05ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e6b4c5855e5ec524094e54
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67e6b49dd07c4c37a25ddbe6/reports/88fea160-de0c-4d25-9bad-0bff302df645/overview
Verdict:
Malicious
Labled as:
Adware.ConvertAd.Generic
Link:
https://www.hybrid-analysis.com/sample/a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/534fe916-656e-43d8-b744-0ae23d13b0a9
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1651274
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8/
Threat name:
Win32.Adware.ConvertAd
Create hunting rule
Status:
Malicious
First seen:
2025-03-28 14:40:09 UTC
File Type:
PE (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uyoqkjhlpilutozaeu7hrtba7fdfa3weqbhrq5rqijizu64hzdma._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250328-r1e2wsyqy3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Checks installed software on the system
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://ironproe.live/FLsapz
https://woreheatq.live/gsopp
https://castmaxw.run/ganzde
https://weldorae.digital/geds
https://7usteelixr.live/aguiz
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a6edbef0-f135-4003-9e41-ceb92eee2d43
Unpacked files
SH256 hash:
a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8
MD5 hash:
9e794fc999f79a3378bd0efddfa01fa4
SHA1 hash:
73ed0865e201b9a432ef774ba765cb2f62186dd0
Link:
https://www.unpac.me/results/43888e51-380f-47f1-949e-6537b40242f7/
SH256 hash:
2608e1ec06328833d30c26ea0e249785eab7de3941c29fedaf615168f2098a12
MD5 hash:
d00a514c4feba78b193c4180531a0579
SHA1 hash:
5362c6d55af53570497fc71afe1b49a3c862d472
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/43888e51-380f-47f1-949e-6537b40242f7/
SH256 hash:
0798856961d7aaae068fbd14c9886103739130837b0c1a93504fa8c88ee4aec0
MD5 hash:
0cd9aac5d1f2ab3d80bf6ffd103aaea2
SHA1 hash:
f7fb9f10a43318a44d12d7c188eae3c463ac71ae
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/43888e51-380f-47f1-949e-6537b40242f7/
SH256 hash:
7f9955f226a869b91e11ccf1c5210dbbcbc23822da00cf2fb18bf84a7f65dce7
MD5 hash:
bbf846d6eb9c33f003b841b5b4779bd2
SHA1 hash:
484d49735917526ccebef54c5d2605fe66200d98
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/43888e51-380f-47f1-949e-6537b40242f7/
SH256 hash:
8dfb0e03df8a207ec4d8668d1373d1f3d257fed7265e477350cddaf8785b6b4b
MD5 hash:
247a6dcd811191a96ce15ae96ab18ab7
SHA1 hash:
eb9140397280c945bf3b6e2489dc642c0650dbb6
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/43888e51-380f-47f1-949e-6537b40242f7/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a61d0524eb7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

zip 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70

LummaStealer

Executable exe a61d0524eb7a1749bb20253e78cc20f946506ec4804f18763042519a7b87c8d8

(this sample)

  
Link
https://tria.ge/250328-rrkk1sypz8/behavioral1
  
Dropped by
SHA256 18168030a976b6b72dbb2123b00dafc6739c5c26e5e8fbfdff61ae65ee904f70
  
Delivery method
Distributed via web download
  
Dropped by
MD5 18217924c1d4fcb07af44a8201b7cc77

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolWork
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments