MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
SHA3-384 hash: 31e6a3aaa8415e6d63c809b64f89c9ff2dd5d9e5ad3ab01e669c4f5b464ac4ceb73db03c6a72e0df60ce7152e79402e4
SHA1 hash: 6168368c063af86eb85c941751cff0d29da9a611
MD5 hash: f645d85725e85342d812090c30abec4a
humanhash: black-alabama-solar-twenty
File name:xQ4gNK9auvFo4.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:878'592 bytes
First seen:2025-09-08 20:02:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b2c81b106d11ae81264a5fbcab0aae8b (11 x LummaStealer, 4 x Rhadamanthys, 1 x Stealc)
ssdeep 12288:9wA6FrDXahfNJ1sRDkL8PtcPqD/SN2cYPiGauawNG416HJ4I/BNOXG:9vU0J1yFjdkud841iTV
Threatray 237 similar samples on MalwareBazaar
TLSH T12015E115916263EAE5AA44729A055540F827F8A787386FFF42E4E7372E17ED00F3E312
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.mediafire.com/file/pofn6vsrcfi4gf6/xQ4gNK9auvFo4.zip/file
Verdict:
Malicious activity
Analysis date:
2025-09-08 04:36:35 UTC
Tags:
lumma stealer qrcode
Link:
https://app.any.run/tasks/d7bbf5af-b064-4d7b-b6ba-44947ad48c54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26353/
Detection(s):
Win.Packed.Lazy-10057857-0
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bf36966e66ba602d793c3f
Tags:
injector virus agent
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68bf36aea1a41633174dad72/reports/d85ee1a5-958f-4fa3-9248-6264258bde64/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-07T15:48:00Z UTC
Last seen:
2025-09-07T15:48:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Lumma.TCP.C&C Trojan.Win32.Inject.sb PDM:Trojan.Win32.Generic Trojan.Win32.InjectorNetT.cha Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Stealerc.HTTP.C&C
Link:
https://opentip.kaspersky.com/d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/63742b03-d4d5-4fa0-8aea-3465e6713c17
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1773517
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1773517 Sample: xQ4gNK9auvFo4.exe Startdate: 08/09/2025 Architecture: WINDOWS Score: 100 32 consnbx.su 2->32 34 bg.microsoft.map.fastly.net 2->34 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 9 xQ4gNK9auvFo4.exe 2->9         started        signatures3 process4 signatures5 50 Writes to foreign memory regions 9->50 52 Allocates memory in foreign processes 9->52 54 Injects a PE file into a foreign processes 9->54 12 MSBuild.exe 9->12         started        process6 dnsIp7 40 consnbx.su 134.209.165.152, 443, 49681, 49711 DIGITALOCEAN-ASNUS United States 12->40 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->56 58 Query firmware table information (likely to detect VMs) 12->58 60 Tries to harvest and steal ftp login credentials 12->60 62 3 other signatures 12->62 16 chrome.exe 12->16         started        19 chrome.exe 12->19         started        21 chrome.exe 12->21         started        23 chrome.exe 12->23         started        signatures8 process9 dnsIp10 30 192.168.2.7, 138, 443, 49672 unknown unknown 16->30 25 chrome.exe 16->25         started        28 chrome.exe 19->28         started        process11 dnsIp12 36 www.google.com 142.251.40.132, 443, 49686, 49690 GOOGLEUS United States 25->36 38 142.251.40.164, 443, 49709, 49710 GOOGLEUS United States 28->38
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f645d85725e85342d812090c30abec4a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-08 01:31:17 UTC
File Type:
PE+ (Exe)
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xqrzsqog27xg3f262ikb4klvnixplxgokpnzebovalfcebhf45a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
0dc12b8f2fcc5dd26a83d0700b7f58711511b4ae1b7307c5895742944c467736
LummaStealer
5f578c386807ae516a8b1557d6ce4ff4675c22cfbec0f721ea08249cffe7dd0d
LummaStealer
779cd78bfa84b99aada5e385d088eabbf1696512bf005a836cac31ddf0366012
LummaStealer
8fdb2fd689e93b893774d1cb93c88682c69b5d4dd255ed877354086acfdf7e88
LummaStealer
a159bad8ee3b65a8549b706678c0ae411a60739a58042a9c6aec713a899ca330
LummaStealer
d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
LummaStealer
error
LummaStealer
+ 227 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250908-ysxqas1jw8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://consnbx.su/sawo
https://diadtuky.su/texz
https://sirhirssg.su/xzde
https://prebwle.su/xazd
https://rhussois.su/tatr
https://todoexy.su/xqts
https://acrislegt.su/tazd
https://averiryvx.su/zadr
https://cerasatvf.su/qtpd
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/41d2e7ce-7980-465d-9453-a35d26070315
Unpacked files
SH256 hash:
d5e11cca0e36bf736cbaf690a0f14bab5177aee6729edc902ea8165110272f3a
MD5 hash:
f645d85725e85342d812090c30abec4a
SHA1 hash:
6168368c063af86eb85c941751cff0d29da9a611
Link:
https://www.unpac.me/results/104f20a5-6764-45f1-9491-a3e56ecaf3b3/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5e11cca0e36/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26353/

Comments