MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0a2ea4c8b0f5ceed8f4c61e2be29169f1a103cb48208ef823927fb7156cf9c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer


Vendor detections: 14



SHA256 hash: b0a2ea4c8b0f5ceed8f4c61e2be29169f1a103cb48208ef823927fb7156cf9c7
SHA3-384 hash: c354e47a29335a98a42fd7579fd85caac143666d03db8f85ad5eb45e4d454e6288655c8d393d8ae7bb9d47c9baf8f3db
SHA1 hash: 4e05a46eb42dea68501cfb6a3f664d80d4fed6b0
MD5 hash: 5c27b9a22da97c1afe06d2ef4b0755fe
humanhash: mango-sierra-massachusetts-emma
File name: setup.exe
Signature: LummaStealer
File size: 99'614'711 bytes
First seen: 2025-09-07 18:23:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep: 24576:IVD9EraMcnNxjat+HJPBOyXqFyu99H9V5MjK5KZoNKY1rt//:IVjNOyXqFyu9SjJoNRhd
TLSH: T1AE281290C6C7B0F349CA0214160249AE483CAAD693581DE66E06376CE6D7BC4F67DF6F
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: aachum
Tags: AutoIT CypherIT exe LummaStealer


iamaachum
https://www.file-hosters.com/ => https://disk.yandex.com/d/EyfuHpUp7AOGPg

Intelligence


File Origin
# of uploads :
1
# of downloads :
110
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
525a9d8f-3c4e-4f3e-b50c-dc3fb977f099
Verdict:
Malicious activity
Analysis date:
2025-09-07 18:24:10 UTC
Tags:
autoit lumma stealer telegram qrcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
autoit emotet
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-07T15:53:00Z UTC
Last seen:
2025-09-07T15:53:00Z UTC
Hits:
~100
Result
Threat name:
LummaC Stealer
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Trojan.LummaStealer
Status:
Malicious
First seen:
2025-09-07 18:32:18 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
15 of 38 (39.47%)
Threat level:
5/5
Verdict:
malicious
Label(s):
unc_loader_058
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:lumma discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
File type: Executable exe
SHA256: b0a2ea4c8b0f5ceed8f4c61e2be29169f1a103cb48208ef823927fb7156cf9c7 (this sample)

Comments