MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d297499c55bfd15701916371803aec8a41682bd399ecb1ff6245e11844dfa312. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

SHA256 hash: d297499c55bfd15701916371803aec8a41682bd399ecb1ff6245e11844dfa312
SHA3-384 hash: 0b3af5886ec38134731dea961cc632e311d7e9de38deb256ca537289017a4f01a4f2588d7280302047b4644ac52a0538
SHA1 hash: 77a55ab7b8ed431261637244ee251e5cb994f881
MD5 hash: 98963a6ce76bcec1e7e256b00a3fafa9
humanhash: yankee-hot-vegan-white
File name: 𝙎𝙀𝙏𝙐𝙋.exe
Signature: LummaStealer
File size: 94'371'836 bytes
First seen: 2025-07-19 16:11:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep: 24576:AzZbM0HRVsERm85sfx+RSIF1vtV5CGngHtjVgd5UIwEWuewsRxmiv88v31zYF8Pi:ARMmVskm8c+RmHtjVgPhMFAiEIlE8K
TLSH: T19F2812A0B3517F28E69F60E583D4C82D0B6BF1475B9266370EBEF18BB94153211F8B94
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e4e4e3cb9eeab2a6 (2 x LummaStealer)
Reporter: aachum
Tags: AutoIT CypherIT exe LummaStealer


iamaachum
https://plcbvisa.com/?=ijn&diu=66&sid=t0l => https://mega.nz/file/XcFn3AyQ#UsMzczjV_SkckYpLPkm9fOJsfIO4LeoUpp5sZaCRQkA

Intelligence

File Origin
# of uploads: 1
# of downloads: 717
Origin country: ES

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 948d9a24-a0d5-42aa-ac84-ad8251b89885
Verdict: Malicious activity
Analysis date: 2025-07-19 16:14:03 UTC
Tags: autoit telegram lumma stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autoit emotet

Result
Verdict: Clean

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc overlay overlay packed

Result
Threat name: LummaC Stealer
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Search for Antivirus process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected LummaC Stealer
Behaviour
Behavior Graph (image not reproduced; the information recoverable from the graph is summarised below):
Behavior Graph ID: 1740166
Sample: 𝙎𝙀𝙏𝙐𝙋.exe
Startdate: 19/07/2025
Architecture: WINDOWS
Score: 100
Process chain: 𝙎𝙀𝙏𝙐𝙋.exe -> cmd.exe -> Joy.com, extrac32.exe, conhost.exe, 6 other processes
Dropped files: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\Temp\...\Joy.com (PE32)
Network: tZZhAvKYqJLHMEyFTCpKZcLhn.tZZhAvKYqJLHMEyFTCpKZcLhn; t.me 149.154.167.99, 443, 49691 TELEGRAMRU United Kingdom; prezud.top 167.160.161.12, 443, 49692, 49693 ASN-QUADRANET-GLOBALUS United States
Signatures shown in graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected LummaC Stealer; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Deletes itself after installation; 4 other signatures
Threat name: Win32.Dropper.Generic
Status: Suspicious
First seen: 2025-07-19 02:44:45 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 10 of 24 (41.67%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer trojan
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/dvsaedv21vasevas
https://prezud.top/xkaj
https://thoqp.lat/zidw
https://unxyng.top/zpld
https://trbxlj.top/atiw
https://cooawbi.top/dpla
https://ourkbpw.top/aoti
https://gehkmx.top/xkaj
https://sacrp.top/amnt
https://dktnd.top/xuqi
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
LummaStealer
Executable exe d297499c55bfd15701916371803aec8a41682bd399ecb1ff6245e11844dfa312 (this sample)

Delivery method: Distributed via web download
