MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8c9550f25194e51555669b14e2f104cc737374bc69750ac611cab46f09bf685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LummaStealer


Vendor detections: 18



SHA256 hash: b8c9550f25194e51555669b14e2f104cc737374bc69750ac611cab46f09bf685
SHA3-384 hash: 148da9a397f461e92c1d73286e1b3a2ba12c9f96b2be707aabdfec8f32225dd8f5734093d4976a780909399575f24cce
SHA1 hash: ee0981d63d29408492d8ab745df90109bfa4bb0d
MD5 hash: 6ccc2c40ffdfb8896fdd16d365c1ce44
humanhash: arizona-undress-carolina-mexico
File name: Pro Setup.exe
Signature LummaStealer
File size: 5'000'192 bytes
First seen: 2025-11-28 21:08:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2f59f489dc8a6b320fc2610220a2d02e (1 x LummaStealer)
ssdeep 98304:0B06Ltm0WQOEPjFbq+5CJDcduOutimMYvE+VXcPCF6hWm3GLcuIWt84w:qDhKzOx5bmMMNcPy6EJcI6
TLSH T1FF36DFA5966206B5F9BF523889721926E4703CAD4338D37B02D47A1A3F73360D33E799
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter aachum
Tags: exe LummaStealer


iamaachum
https://fastinstall.cfd/vortex-87/ => https://mega.nz/file/nZV2HBDB#y591AvhS9mKoM5hnMLHpLRZaYjhK3bz33Fo3rXwUAFo

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: ES
Vendor Threat Intelligence
No detections
Malware family: n/a
ID: 1
File name: _b8c9550f25194e51555669b14e2f104cc737374bc69750ac611cab46f09bf685.exe
Verdict: Malicious activity
Analysis date: 2025-11-28 21:34:21 UTC
Tags: lumma stealer loader auto-reg evasion ip-check golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug expired-cert genheur installer-heuristic keylogger overlay packed packed virus
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-28T18:43:00Z UTC
Last seen: 2025-11-30T15:45:00Z UTC
Hits: ~100
Detections: BSS:Trojan.Win32.Generic Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Win32.Lumma.ygd
Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1822538
Sample: Pro Setup.exe
Start date: 28/11/2025
Architecture: WINDOWS
Score: 100

Top-level network: ip-api.com; dianubv.cyou; delledox.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures

Pro Setup.exe (started)
  Network: dianubv.cyou 85.214.119.11, 443, 49690, 49696 STRATOSTRATOAGDE Germany; delledox.com 217.21.84.160, 443, 49728, 49731 IPPLANET-ASIL United Kingdom; 164.92.129.208, 49730, 80 ASN-DPSDUS United States
  Dropped: C:\...\VYWWX1DSSOTDJRA03YK52LANDFUAVXV.exe (PE32+); C:\Users\...\50X8D3831OVHZSPSKCK6WG0NADI8.exe (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
  Started: VYWWX1DSSOTDJRA03YK52LANDFUAVXV.exe; 50X8D3831OVHZSPSKCK6WG0NADI8.exe; chrome.exe; 3 other processes

  VYWWX1DSSOTDJRA03YK52LANDFUAVXV.exe
    Signatures: Injects code into the Windows Explorer (explorer.exe); Modifies the context of a thread in another process (thread injection)
    Started: explorer.exe
      explorer.exe
        Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        Injected: explorer.exe
          Started: Chromium.exe; Chromium.exe

  50X8D3831OVHZSPSKCK6WG0NADI8.exe
    Network: ip-api.com 208.95.112.1, 49733, 49734, 49737 TUT-ASUS United States
    Dropped: C:\Users\user\AppData\Local\Chromium.exe (PE32+)
    Signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Unusual module load detection (module proxying)
    Started: Chromium.exe; attrib.exe
      Chromium.exe
        Network: 77.73.131.137, 10443, 49735, 49736 AS43260TR Kazakhstan
        Signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Unusual module load detection (module proxying)
      attrib.exe
        Started: conhost.exe

  chrome.exe
    Started: chrome.exe (3 instances)
      One instance, network: 192.168.2.5, 10443, 138, 443 unknown unknown; www.google.com 172.253.122.105, 443, 49707 GOOGLEUS United States; dianubv.cyou

  3 other processes
    Started: chrome.exe (3 instances)
      One instance, network: 173.194.77.104, 443, 49721 GOOGLEUS United States; dianubv.cyou
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-11-28 21:09:17 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 23 of 38 (60.53%)
Threat level: 2/5
Verdict: malicious
Label(s): lummastealer
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:lumma discovery spyware stealer
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://dianubv.cyou/api
https://bendavo.su/asdsa
https://conxmsw.su/vcsf
https://narroxp.su/rewd
https://squeaue.su/qwe
https://ozonelf.su/asd
https://exposqw.su/casc
https://squatje.su/asdasd
https://vicareu.su/bcdf
Unpacked files
SHA256 hash: 42b8b04e2e9ab541cb96e5e1180812da062dc865f433004e01ac59127bcf49a7
MD5 hash: 60ff7899a002813256de30c98f7e4dc0
SHA1 hash: 33a45dab2723bafd468446b2b1f9b11de82a9bca
Detections: LummaStealer
SHA256 hash: 40673e18af86c2d0a6c30aa94341be67fb1d014611100bcf19629788dae94a18
MD5 hash: 645d65aa4a64920edcaf6e5e45493b5a
SHA1 hash: 4e1bf66fb6fae4337ecc91a7ebd918896350774a
SHA256 hash: c3cdbbb895251b7d7e7013878002366f74eade46533c18e883cc960556076b70
MD5 hash: 0ccaf157e604fb25d93697f9e5527cd5
SHA1 hash: 658939ba1bbb7cbd94b650d7a37d6ba031a1c20a
SHA256 hash: d26c8659870e172777826ac02e9cb6c4ee6c817a82419df28e19537dc8e3d358
MD5 hash: 3acd7b3fc81bb8d4082ca3b02f675c44
SHA1 hash: 69620b575b0df3db69902076bc36e889c9d40ca4
SHA256 hash: b8c9550f25194e51555669b14e2f104cc737374bc69750ac611cab46f09bf685
MD5 hash: 6ccc2c40ffdfb8896fdd16d365c1ce44
SHA1 hash: ee0981d63d29408492d8ab745df90109bfa4bb0d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: Lumma
Author: kevoreilly
Description: Lumma Payload
Rule name: Lumma_ChaCha20_KeyStub_v2
Author: pebwalker
Description: Detects Lumma Stealer ChaCha20 key setup and stub
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: LummaStealer
File: Executable exe b8c9550f25194e51555669b14e2f104cc737374bc69750ac611cab46f09bf685 (this sample)

Comments