MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80
SHA3-384 hash: c815b6327470765443a8c0134f98c31778a42a0eb65a19f0b666cf88664b712ce718ea88b73d4a4cb222d99006e14ce7
SHA1 hash: f4bbe87b4638b47542ffbeca02924bdc0ce5c12d
MD5 hash: 37e490924cc7d25899183fe7c096f48d
humanhash: friend-venus-mexico-fourteen
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'808'384 bytes
First seen:2025-08-18 06:52:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:gCHNC4UsepEAISo2Yhc6KpdjdRqkq89t14y0lyav:gCveOiTYhcPLf0lH
Threatray 261 similar samples on MalwareBazaar
TLSH T1C88533E4FA63A514DD4D0C7D10C797A8FBB3048B08490AE8E7AC255C9D4F9AE572C86F
TrID 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-08-17 19:58:49 UTC
Tags:
auto redline stealer lumma amadey botnet arch-exec themida rdp loader
Link:
https://app.any.run/tasks/5686a3b8-ff50-41ed-ae59-037c99fe808d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21905/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a2cdf8c2f5296a1a2807e6
Tags:
phishing virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Sending a custom TCP request
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68a2cdeb419c816a6e8a0d6f/reports/18310dd2-e2fa-4ba1-862f-3961350d49da/overview
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/72023747-840f-4b5e-8cfb-c9bf699a4739
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759074
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/37e490924cc7d25899183fe7c096f48d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-17 23:42:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=334pn42tx5w7e6jwm7wrmkkckotoz25tpcrlb4h4zfn6cdyrlsaa._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
102c57004decd2173d86522467863123425f1ecccf37561fa34fca5c1de1c402
LummaStealer
15c4f381e82e4d4d24ddd1f3ca33cf16678933534da2e5c27f67ec7ece8b7509
LummaStealer
8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
LummaStealer
9307c95e4501cadbb63f7b137cf9c289819c15126b4cd04e788aebe1e02044f9
LummaStealer
9653fb267376aa1495996d935a8bb8b6d73b46aa372d814bfb3c91ba0ebbf7f3
LummaStealer
9d989913e9867ec5cc3935e9da9cc8d32a850b7c51fbc3f40b03913fb3d3668b
LummaStealer
c427c491f37071345076ef33db7bf74199d1a46a9a7d47e4b438e85624c27cda
LummaStealer
cb1ee7fa3edcc9795877868ad56cf32b9d6c3d95ea59d348e55c2b5caf87a180
LummaStealer
d8c44f8a58899360bf30a527082c917bae7b564db5f129f2517a5deb39ba9ff2
LummaStealer
error
LummaStealer
f57764db1fdb67a38593290017ce65a9aa83a114b4e9b9c32a46129db38d2717
LummaStealer
+ 251 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma defense_evasion discovery stealer
Link:
https://tria.ge/reports/250818-hnxxhadl3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://vaganetka.ru/opza
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/289842af-b983-4ce7-a44d-41e56409fe5e
Unpacked files
SH256 hash:
def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80
MD5 hash:
37e490924cc7d25899183fe7c096f48d
SHA1 hash:
f4bbe87b4638b47542ffbeca02924bdc0ce5c12d
Link:
https://www.unpac.me/results/58f39c90-8c4e-4771-9f16-7f76311703d9/
SH256 hash:
28bf8a79295bd54d2859523b8ba686d77001a8027991d0c7dbbea41e3e7744cb
MD5 hash:
f57413acb772a163138be7a53e450537
SHA1 hash:
61a4d48fcc2031fec47255295288d81c0e583fa8
Link:
https://www.unpac.me/results/58f39c90-8c4e-4771-9f16-7f76311703d9/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/def8f6f353bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe def8f6f353bf6df2793667ed16294253a6ecebb378a2b0f0fcc95be10f115c80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3594022/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21905/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments