MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4
SHA3-384 hash: 616f7054bf323cdae6b73e605d8b98583b8edffae73698ddb8c168b58f5fcdc95b6b05b4cf3d7e03b09810b395f8c328
SHA1 hash: 8a8bd3b4fe4baaba90d999230a009ddb0d868970
MD5 hash: e412f4e4cadc4e1a974df63fadec1210
humanhash: red-sixteen-ink-north
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'348'608 bytes
First seen:2026-01-04 18:04:47 UTC
Last seen:2026-01-04 21:09:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:/1xQ3YSbmOAf2SVWoV68MAzbjZzrcaPKbJGqfDTJ7rf9rjPPa3I:/1iblAf2SV7YJAV5nolVn
TLSH T1BE552353A3DA8573E8F64B741CF16BD3163A7D628879C6AF1A09648C0A73388DC71367
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-Stealc exe LummaStealer sosokenota


Avatar
Bitsight
url: https://servachok.space/release/FewerAngola.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
141
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/fd2ab995-4907-4626-a284-3cb43000cc3b/
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2026-01-04 18:05:38 UTC
Tags:
autoit lumma stealer fingerprinting
Link:
https://app.any.run/tasks/e3e88df8-7038-4b86-8282-ec692161917c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47624/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695aabe9d2357cccc3df6296
Tags:
phishing autoit emotet
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a window
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm autoit CAB installer installer installer-heuristic lolbin microsoft_visual_cc packed rundll32 runonce sc sfx
Link:
https://www.filescan.io/uploads/695aabe48d1aa9829e2a3612/reports/7227a345-9721-41fa-90ae-ff298a196775/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-04T11:34:00Z UTC
Last seen:
2026-01-05T15:23:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Agent.myxckk Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/05d137ca-a29c-445b-882a-03f580e27062
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/e412f4e4cadc4e1a974df63fadec1210
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bwev6vdmu2uprnra2st7vlxqm4b5zjmxf3c22axcls2zbmfe32a._file
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery persistence spyware stealer
Link:
https://tria.ge/reports/260106-jdv6laev8d/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
System Time Discovery
Launches sc.exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://annonalc.cyou/api
https://whitepepper.su/asds
https://hammernew.su/asdase
https://heavylussy.su/ccvfd
https://broguenko.su/asfase
https://homuncloud.su/ascasef
https://familyriwo.su/fssdaw
https://izzardtow.su/cascasc
https://basilicros.su/asdasq
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7de6bf50-c498-457e-9a66-8eac1da09636
Unpacked files
SH256 hash:
d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4
MD5 hash:
e412f4e4cadc4e1a974df63fadec1210
SHA1 hash:
8a8bd3b4fe4baaba90d999230a009ddb0d868970
Link:
https://www.unpac.me/results/fd792a0a-983c-4f4a-963d-c0eea82175c0/
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d06c4afaa365/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe d06c4afaa3653547c5b106a53fd57783381ee52cb9762d681712e5ac858526f4

(this sample)

  
Dropped by
StealC
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/47624/
  
URLhaus
https://urlhaus.abuse.ch/url/3750220/

Comments