MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17
SHA3-384 hash: 73ada84f3542461b44d32de348f5b50d4c6aa2d90e4e365638d99d2a1612f495081fa05403158a933212040757a60828
SHA1 hash: 57f6d1da790265dc729ecbd999e2f8677be6e890
MD5 hash: 73e76b3cb5323035e288cc50ae2b1c58
humanhash: solar-low-wolfram-idaho
File name:Setup.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:93'323'259 bytes
First seen:2025-08-05 15:59:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (198 x LummaStealer, 123 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:bs45v54rvRzUIOriX5c8SknPmFZyGr2UUj7dov5vidh2c3zSUxpUw/tJzT5zoW:Q95zUIOrY5cW2r2UUqvJidhpTPZHCW
Threatray 287 similar samples on MalwareBazaar
TLSH T11F1822C83F1C233C8ECE47254F38781F6BF86087B126A26C569FD1226925B8553DDA76
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon b27168d4e869e8f0 (1 x LummaStealer)
Reporter aachum
Tags:AutoIT CypherIT exe LummaStealer


Avatar
iamaachum
https://mytan.click/?file=fH7ocVZYDNjRM4aOrChqwpuFIznxmkU3&sajpnRKGU7ZDT=EahKyUw5lQcDTA7n3kOBgprFXtjWGRCvbSZoNi9deJzIq4M => https://mega.nz/file/hUZzhBIQ#xCYqQSc11QQAByvb-HSeGLXIXC5idyjlCw3qDRS_brI

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-08-04 22:11:22 UTC
Tags:
autoit lumma stealer
Link:
https://app.any.run/tasks/659bf19f-74e1-42ec-9668-2ea98e712cef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6891302c0b4775fb213651b7
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay overlay packed startpage
Link:
https://www.filescan.io/uploads/68922ab7167d60d98ab58d42/reports/6c877441-5a7a-4c11-833f-6c9848712d09/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750638
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750638 Sample: Setup.exe Startdate: 05/08/2025 Architecture: WINDOWS Score: 100 34 tkdEVgSuDYKx.tkdEVgSuDYKx 2->34 36 mocadia.com 2->36 40 Found malware configuration 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected LummaC Stealer 2->44 46 4 other signatures 2->46 9 Setup.exe 24 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 52 Drops PE files with a suspicious file extension 12->52 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\...pinions.pif, PE32 15->32 dropped 20 Epinions.pif 15->20         started        24 extrac32.exe 21 15->24         started        26 tasklist.exe 1 15->26         started        28 3 other processes 15->28 process10 dnsIp11 38 mocadia.com 172.86.89.51, 443, 49705, 49706 M247GB United States 20->38 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->48 50 Query firmware table information (likely to detect VMs) 20->50 signatures12
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17
Gathering data
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-04 22:11:24 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zn3u4mqkwih3ts7c5nfoo6llam4chrncbyk2ymxpevfmbiemdilq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
2c6af2cfe2a961163587ef77363fa6b8e575616af9e8765c04a4dd80e0ad3eb5
LummaStealer
2e13d573b457b30b459d7597c46dd2e69e0288fdb08b0e392e6ad3bbe38f9112
LummaStealer
5ddcf793e48d757154c7cbf8cf69ee95eed74201aef3b1fcbce6c5b7d915ef99
LummaStealer
8adf33ebbbc331a1bb28ec9d1076f60b9416a15c9c7ed491104bead512049814
LummaStealer
9578bb12bb4e8e02682d5debdaca71c7b8d74d1ffdaf5f00bc8e701b5b773dc7
LummaStealer
9bfbf455319d2708851fc80207b23758debf9d2e27e79a37eab61bdce97ec77f
LummaStealer
abe1bcbfb945b632bfbf343cd60d20e6059db4fa63f13727cac9187337107e54
LummaStealer
cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17
LummaStealer
d50564939caa156776eb0dc91e5f07c3a4ea2ad84d846d9081221a51d782da72
LummaStealer
error
LummaStealer
+ 277 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery spyware stealer
Link:
https://tria.ge/reports/250805-tf4wmadq4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://mocadia.com/iuew
https://mastwin.in/qsaz/api
https://precisionbiomeds.com/ikg
https://physicianusepeptides.com/opu
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://xurekodip.com/qpdl
https://utvp1.net/zkaj
https://orienderi.com/xori
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4686a1fa-8b4b-47e5-a2d0-672f4cb43d36
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb774e320ab2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe cb774e320ab20fb9cbe2eb4ae7796b033823c5a20e15ac32ef254ac0a08c1a17

(this sample)

  
Link
https://tria.ge/250805-s3sansxkt4/behavioral2
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments