MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab
SHA3-384 hash: e0b29dafd491ad5fed2a7eec45341b2bacfda17b332aee3255d2a1b897a7dcd8389f98865b3a69dbd11b0f97c1a5d643
SHA1 hash: 0a27d7fe8dc50960a06db850b608b7f7901da52a
MD5 hash: 167d7f81c5a9c4b0341746bb467bf2e1
humanhash: georgia-comet-bluebird-sad
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'831'936 bytes
First seen:2025-05-30 08:20:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:WSVBey4hbGyEyUOwaBCBTX39ECTblnTmHhy7pYOKB:h7lWcOaTNE8BUy7dKB
Threatray 10 similar samples on MalwareBazaar
TLSH T19A853392FE4B8367DC8E64736E23D099B61D2F04146A91B634C72ABD04775BEC146CBC
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
431
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-30 09:24:41 UTC
Tags:
lumma stealer
Link:
https://app.any.run/tasks/9a117067-559a-4a2f-9c62-a3f61b57fe75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6354/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68396d53668438e362e86914
Tags:
vmdetect phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Behavior that indicates a threat
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt packed packed packer_detected xpack
Link:
https://www.filescan.io/uploads/68396a54171e01f9593166d7/reports/03dd4f29-5728-4d4e-968f-a0b37d1165bf/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ca7dbb42-a6b8-465d-8f79-581a16d9d856
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702171
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab/
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-05-30 01:41:57 UTC
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yey3r3fjogpldckgiz5be62g66osbf235mxdfh26thqdxs4zlovq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
059a0a5f8ab02faae85536a23a83f9224c4ec60055ec5a1067fa0a026f72a1b4
LummaStealer
0b8ee89e13fc9964e7a84dc0978cead50510898b96a0666bb44cd535ee0741cf
LummaStealer
2a571c59ffbf801083d9ba971d4b52cee9661f19086283cfb1d59235d1e0f08c
LummaStealer
378d6707539f040ea05d9ce7a3accf6a410f8c2c4afc1f0b366211e25072237b
LummaStealer
3c0fafc0f46add0e045e4eb4f0d6ce3ec7471c9101a67eb48c628cbc607507d9
LummaStealer
3c992ef8543faef845cb3c48bb713273246091870919b746ac316f778bb3e5f7
LummaStealer
8b0b20727462c5f3d5a4ace630d9690528dcefa79407480db3abde2455f700d8
LummaStealer
a66ad1178645f946e6e9b98c181e660df8bf87c38c88b220a24f35f0406cc107
LummaStealer
c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab
LummaStealer
cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery stealer
Link:
https://tria.ge/reports/250530-j8pbjatzft/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://greengwjz.top/zdka
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://harumseeiw.top/tqmn
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://thundeqqbw.bet/aznd
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4db7e9a6-8894-4afb-82e3-e1840ac38ed1
Unpacked files
SH256 hash:
c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab
MD5 hash:
167d7f81c5a9c4b0341746bb467bf2e1
SHA1 hash:
0a27d7fe8dc50960a06db850b608b7f7901da52a
Link:
https://www.unpac.me/results/17533f08-2b8b-479a-bf1b-37a2c11e7fa7/
SH256 hash:
c595ae728df269072f19f0ff9d873f8ff98a4ef663681a7a625560fd793962a2
MD5 hash:
696758e9fe80be93ec7a608d93f92b37
SHA1 hash:
fee66037144be3ff47bac13b31598b84118dc5ec
Link:
https://www.unpac.me/results/17533f08-2b8b-479a-bf1b-37a2c11e7fa7/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c131b8eca971/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe c131b8eca9719eb18946467a127b46f79d20975beb2e329f5e99e03bcb995bab

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/6354/
  
URLhaus
https://urlhaus.abuse.ch/url/3542096/
  
Delivery method
Distributed via web download

Comments