MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb321c5303e24fc22fe0b2f4f791dc4b60ce6e2110e798ca44908e308034eb6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 13

SHA256 hash: cb321c5303e24fc22fe0b2f4f791dc4b60ce6e2110e798ca44908e308034eb6c
SHA3-384 hash: cdc05ecd2e2ce71d0c213532d2faf3fe9321f8ea928a0004624f2819a5ecccbaa1c5e3a8ecad72256c732fbf30bfa285
SHA1 hash: b1304fcdfc8d4706f4d84ae1f029aa4feede7708
MD5 hash: 29ed81328d7efc9d277729ac92c94ef2
humanhash: ten-leopard-fillet-happy
File name: 𝙎𝙀𝙏𝙐𝙋.exe (the name is spelled with Unicode mathematical sans-serif bold italic letters, not the ASCII string "SETUP")
Signature: LummaStealer
File size: 94'383'190 bytes
First seen: 2025-07-21 17:42:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep: 24576:/zZWvRvi5e+XIOdExxkcmeoQpXOHH2Kei0R7OGb4LLS/x:/ci8+XIfQcmY+HH2DOXLmJ
Threatray: 823 similar samples on MalwareBazaar
TLSH: T17C2822C333B035E924ABCC350692651BC3EBF282B21A250BC99FC52CD91996359FB5F5
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 012124a628406301 (2 x LummaStealer)
Reporter: aachum
Tags: AutoIT CypherIT exe LummaStealer


Comment by iamaachum:
https://plcbvisa.com/?=ijn&diu=66&sid=4FU => https://mega.nz/file/WwIwGL6T#KmXyB2NAnXGa6b5YIxPk5KPtwLbHpPhCZ-WGmqO0ZIA

Intelligence

File Origin
# of uploads: 1
# of downloads: 670
Origin country: ES

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1b8c5fb5-d9f6-4850-97e6-f2d6a2e4022d
Verdict: Malicious activity
Analysis date: 2025-07-21 17:46:23 UTC
Tags: autoit lumma stealer telegram

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: autoit emotet

Result
Verdict: Clean

Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: installer invalid-signature microsoft_visual_cc overlay signed

Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph (ID 1741493; sample 𝙎𝙀𝙏𝙐𝙋.exe; start date 21/07/2025; architecture WINDOWS; score 100). Text recovered from the rendered graph:
Process tree: 𝙎𝙀𝙏𝙐𝙋.exe -> cmd.exe -> Nails.com, extrac32.exe, conhost.exe and 6 other processes
Dropped files: C:\Users\user\AppData\Local\...\nsExec.dll (PE32, dropped by 𝙎𝙀𝙏𝙐𝙋.exe); C:\Users\user\AppData\Local\...\Nails.com (PE32, dropped by cmd.exe)
Network: from Nails.com, neocskfj.lol 167.160.161.12 port 443 (ASN-QUADRANET-GLOBALUS, United States) and t.me 149.154.167.99 port 443 (TELEGRAMRU, United Kingdom); at sample level, DNS name RQZeIsPCetpNLUIsVIxaNjnybNNF.RQZeIsPCetpNLUIsVIxaNjnybNNF
Graph signatures: sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected LummaC Stealer; 4 other signatures. cmd.exe: Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks. Nails.com: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Deletes itself after installation
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-07-21 12:12:21 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer trojan
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Lumma family
Lumma Stealer, LummaC
Malware Config
C2 Extraction:
https://t.me/hdjsuwhwbahzhsy
https://neocskfj.lol/atiw/api
https://tunenrnc.top/xodz
https://permwgp.xyz/xlak
https://recopcwr.top/atki
https://ultracpj.xyz/apgk
https://vegemuoe.top/xauy
https://seruneqy.live/akiz
https://siniavzv.life/xajz
https://strujqwn.xyz/xkkd
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: LummaStealer
File: Executable exe cb321c5303e24fc22fe0b2f4f791dc4b60ce6e2110e798ca44908e308034eb6c (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW
