MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b57fdf0cc3944d31a5cbf7727ef0702ec6ba8fd729cf14f7a8cbd6c6e0d4f56c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 13

SHA256 hash: b57fdf0cc3944d31a5cbf7727ef0702ec6ba8fd729cf14f7a8cbd6c6e0d4f56c
SHA3-384 hash: 435731262f5a8993b15a60feae58f22b226b67a0527dd7d600e3d7521543b76bed628686be4a7af176c67b3e4d51a011
SHA1 hash: 671e0f4711ebe8b9a58681b911aa93227bd67131
MD5 hash: f2377c5c74a3ccb8c00327b0c457ea4a
humanhash: delta-eight-carolina-thirteen
File name: 📅 𝐒𝐄𝐓𝐔𝐏 📅.exe
Signature: LummaStealer
File size: 99'614'741 bytes
First seen: 2025-09-08 18:04:51 UTC
Last seen: 2025-09-09 12:12:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep: 24576:WVDAAyz70FGleRp9JQGt1a4SiD/FRwHXDKmxhOpwH:Wkz7oGop9LzC3DtOaH
TLSH: T1E82802930B31579AE1DE65538F6033C8ABA0944320B175FC27FA65F858943E606BF3B9
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: aachum
Tags: AutoIT CypherIT excesso-qpon exe LummaStealer


iamaachum
https://www.file-shares.com/backup/proxy.jsp => https://mega.nz/file/L9IjgLrQ#rJ1MrjSfMmb4noCZY3ozE3k5IBq-HZejHC_QOOXM0rA

Intelligence


File Origin
# of uploads: 2
# of downloads: 105
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 18e01ca6-9ba6-4e37-8940-d26248a5df43
Verdict: Malicious activity
Analysis date: 2025-09-08 18:07:11 UTC
Tags: autoit lumma stealer telegram

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: autoit emotet

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc nsis overlay

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-08T08:54:00Z UTC
Last seen: 2025-09-08T08:54:00Z UTC
Hits: ~100

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 72 / 100
Signature
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Behaviour
Behavior Graph: [graph image not recoverable; the information recovered from it follows]
  Behavior Graph ID: 1773430. Sample: 📅 𝐒𝐄𝐓𝐔𝐏 📅.exe. Startdate: 08/09/2025. Architecture: WINDOWS. Score: 72.
  Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; Joe Sandbox ML detected suspicious sample.
  DNS/IP node: SFTgBDCcxUQJnEBp.SFTgBDCcxUQJnEBp
  Process tree:
  📅 𝐒𝐄𝐓𝐔𝐏 📅.exe (started) -> dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32); started cmd.exe
    cmd.exe (signatures: Detected CypherIt Packer; Drops PE files with a suspicious file extension) -> started cmd.exe, conhost.exe
      cmd.exe -> dropped C:\Users\user\AppData\Local\...\Weblogs.pif (PE32); started Weblogs.pif, extrac32.exe, tasklist.exe, 2 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-09-08 18:09:46 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 12 of 38 (31.58%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:lumma discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/famkfmkaij1312
https://excesso.qpon/xsaw
https://diadtuky.su/texz
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe b57fdf0cc3944d31a5cbf7727ef0702ec6ba8fd729cf14f7a8cbd6c6e0d4f56c (this sample)

Delivery method
Distributed via web download
