MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a984838adfca847ec31f2aea0677b2e4ceb3a13a529ac2bbd20a7e78c981ba4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	a984838adfca847ec31f2aea0677b2e4ceb3a13a529ac2bbd20a7e78c981ba4d
SHA3-384 hash:	e12afd995308ca272b1203090640ffc0f62df65ed95abcc98b55fc285239d21b27f8b182d3280cbab8a5bb216ddae08c
SHA1 hash:	1296a68fa0c19244eff69cde655bd5bcf137d2f0
MD5 hash:	4d8d0e72e21d06871aa6d598e6712458
humanhash:	snake-eight-grey-idaho
File name:	𝕊𝔼𝕋𝕌ℙ.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	99'625'161 bytes
First seen:	2025-06-19 17:58:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep	24576:W0aBxsA4IlwN4jADn0IVzASoYPfkiXpDd0Fgtp6W:WXx08ADn7VApYnkiXpD2GtpN
Threatray	599 similar samples on MalwareBazaar
TLSH	T1632812F257142307CEC3F5117FA9009C7AB52FAA742177AD94A9B8012BFEA18977B341
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	c3958f939195a989 (2 x LummaStealer)
Reporter	aachum
Tags:	AutoIT CypherIT exe LummaStealer

iamaachum

https://filedlx.store/?p=1085&enHash=BCcH7kaSevC3 => https://mega.nz/file/DRc0kBoD#qa9CMkYyIOZNUOEGOz8n4X6VbroaDSpNedpDTZrCLCk

Lumma C2: https://drafxc.xyz/gtiw

Intelligence

File Origin

# of uploads :

# of downloads :

446

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

31eb0bda-609c-444a-9d69-8f46cee7ff5a

Verdict:

Malicious activity

Analysis date:

2025-06-19 17:59:14 UTC

Tags:

autoit lumma stealer telegram

Link:

https://app.any.run/tasks/31eb0bda-609c-444a-9d69-8f46cee7ff5a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Clean

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug blackhole installer invalid-signature microsoft_visual_cc overlay overlay packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/68544fd366c4b5c0b99b1c98/reports/0752c00f-4179-42f4-be77-b8b8184d4db6/overview

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1718829

Signature

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a984838adfca847ec31f2aea0677b2e4ceb3a13a529ac2bbd20a7e78c981ba4d

Gathering data

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-06-19 18:01:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgcihcw7zkch5qy7flvam55s4thlhij2kknmfo6sbj7hrsmbxjgq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

4207d30f41479ae09559119e340900780dfbff9df3dd3e6c576480326ef93903

LummaStealer

94d45402ef5c153a1bd8d0972f2e318b0fc1133ea4b93a8bf8d2a90b6b6b3c54

LummaStealer

98f49160a46ef3976ec83c7a2cddeae134cddfbe4f3ca00ebc0e5da7374b9953

LummaStealer

b7d8baf7b42e19c1a07a6e79de9fb53ebd899379d96cd2cfd5671f618e2d8a9c

LummaStealer

error

LummaStealer

fec1a04a5587a1d1ba5ed4296cc373836e8593c04c20c7193a2c5933d858e171

LummaStealer

+ 589 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/250619-wkhv3aymw6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/57960ca3-7c64-4033-8feb-68a11e9a3749

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe a984838adfca847ec31f2aea0677b2e4ceb3a13a529ac2bbd20a7e78c981ba4d

(this sample)

Link

https://tria.ge/250619-wb5cpsylw8/behavioral1

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample