MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer
Vendor detections: 20



SHA256 hash: a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a
SHA3-384 hash: 19103a89fc6c1d92d0f12e253a43b7d888c9440fd4ef686f77490042eec24ef90b2cff29b4ec9f9f9d169ff915d2c206
SHA1 hash: b54956705156ad0cd4c9a86b886e7d69ff362523
MD5 hash: bac8f02dca8b63623a9b28eaad747813
humanhash: montana-venus-foxtrot-alpha
File name: Setup_Installer.exe
Signature: LummaStealer
File size: 14'556'240 bytes
First seen: 2025-12-03 18:58:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e3701050005cd9a83704e63233d66c0 (1 x LummaStealer)
ssdeep: 393216:CKzOx5UXEId+4AHWra9WPkjAvJpVssdQnzB:xySXndkHKk8rVssdQnd
TLSH: T183E61294DB660472FA7727B58DB36693D03A3CED5230C26F42C87A1A26723217B1E35D
TrID:
  30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
  5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: aachum
Tags: exe LummaStealer


iamaachum
https://cdweaq.it.com/ => https://mega.nz/file/bB9TER4D#nhagXBAOKhe1RGIiSyg58Fr4Pb3kvvnKDWjnEjIcM1U

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: ES
Vendor Threat Intelligence

No detections
Malware family: n/a

ID: 1
File name: https://github.com/topics/fl-studio-free-setup
Verdict: Malicious activity
Analysis date: 2025-12-03 17:44:21 UTC
Tags: lumma stealer arch-exec
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: virus

Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating synchronization primitives

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug babar expired-cert genheur installer-heuristic invalid-signature overlay packed packed signed virus
Verdict: Malicious
File Type: exe x32
First seen: 2025-12-02T17:38:00Z UTC
Last seen: 2025-12-05T12:46:00Z UTC
Hits: ~100
Detections: PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Win32.Lumma.yki

Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Unusual module load detection (module proxying)
Yara detected LummaC Stealer
Behaviour
Behavior Graph ID: 1825730
Sample: Setup_Installer.exe
Startdate: 03/12/2025
Architecture: WINDOWS
Score: 100
Contacted hosts: ketelmeester.nl; handpaw.click (145.223.118.108, port 443, VBA-ASNL, Netherlands); delledox.com (217.21.84.160, port 443, IPPLANET-ASIL, United Kingdom); www.google.com (142.250.105.105, port 443, GOOGLEUS, United States); 173.194.219.103 (port 443, GOOGLEUS, United States); 192.168.2.5 (ports 138, 443)
Dropped file: C:\Users\user\...\3G31OOLQVDEAMRK5GTMHNZ.exe (PE32+)
Process tree: Setup_Installer.exe started 3G31OOLQVDEAMRK5GTMHNZ.exe, two chrome.exe instances and 2 other processes; each chrome.exe in turn started three further chrome.exe children
Graph signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Creates HTML files with .exe extension (expired dropper behavior); plus other signatures not shown in the graph
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-12-03 05:11:59 UTC
File Type: PE (Exe)
Extracted files: 66
AV detection: 20 of 36 (55.56%)
Threat level: 2/5

Verdict: malicious
Label(s): lummastealer
Similar samples:

Result
Malware family:
Score: 10/10
Tags: family:lumma discovery stealer
Behaviour
System Location Discovery: System Language Discovery
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://handpaw.click/api
https://bendavo.su/asdsa
https://conxmsw.su/vcsf
https://narroxp.su/rewd
https://squeaue.su/qwe
https://ozonelf.su/asd
https://exposqw.su/casc
https://squatje.su/asdasd
https://vicareu.su/bcdf
Unpacked files

SHA256 hash: a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a
MD5 hash: bac8f02dca8b63623a9b28eaad747813
SHA1 hash: b54956705156ad0cd4c9a86b886e7d69ff362523

SHA256 hash: ec1ca41637a84c533ae7fd0e6843a6b9e41c0d50685676706b9598ddc48fdb09
MD5 hash: 15cd70747b8115136e7d757b17b19c53
SHA1 hash: ac4bafe6c81e1a010110e2a1fbcce58bbc911199
Detections: LummaStealer

SHA256 hash: 3c31764128ac374c9c5f98baa4cf5d668cf9278833c9247d12ab991b5094b89c
MD5 hash: 67faaf77c07aedb57f9490660d2591b9
SHA1 hash: b7c4585520c63b6fc5c5ccf6b4e694feb911b42e

SHA256 hash: 40673e18af86c2d0a6c30aa94341be67fb1d014611100bcf19629788dae94a18
MD5 hash: 645d65aa4a64920edcaf6e5e45493b5a
SHA1 hash: 4e1bf66fb6fae4337ecc91a7ebd918896350774a

SHA256 hash: 426322250d807f4347080c11d8231cca0c7fec6a5b14f473030fd7a3c9cdef3d
MD5 hash: a870cd5b7f3943de8935d8018c54d186
SHA1 hash: 8544988735ae5c83b3696c198ae7249c0b740f7e

SHA256 hash: 7fc884e5265ef2e6aa970e2c668433be8fd39bcfdaf068483dab7c33eeabe497
MD5 hash: 1f5ce9f14b8432b7171ba0004ee62e33
SHA1 hash: a18937362b6299dae659db86b61b1976f4a8c29e

SHA256 hash: c3cdbbb895251b7d7e7013878002366f74eade46533c18e883cc960556076b70
MD5 hash: 0ccaf157e604fb25d93697f9e5527cd5
SHA1 hash: 658939ba1bbb7cbd94b650d7a37d6ba031a1c20a

SHA256 hash: d26c8659870e172777826ac02e9cb6c4ee6c817a82419df28e19537dc8e3d358
MD5 hash: 3acd7b3fc81bb8d4082ca3b02f675c44
SHA1 hash: 69620b575b0df3db69902076bc36e889c9d40ca4

SHA256 hash: da0817e6b3c503a9c40ce5edff2ff2488b1f22a92e2d13ce72f8aa8906e4cc45
MD5 hash: 0d9252407c2ae62f00a9657c07c51915
SHA1 hash: a554ebf6a5d790685b0f90d3625dc7f15d6ad31e

SHA256 hash: a7340cb1e21e8c9b25e9a833b6b86653948c7d821d98ceae07061f6120f11a4b
MD5 hash: 4c13905fe9ee259797426f4e8d2a1c1d
SHA1 hash: 9e2a2385f8a5b8a8bb657291e21f791d62019b71
Detections: LummaStealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: Lumma
Author: kevoreilly
Description: Lumma Payload

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: LummaStealer
File: Executable exe a61dddb469f669b6cc0520593ac23c9f54761070cf700dbe5c694cf34215538a (this sample)

Comments