MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc
SHA3-384 hash: 25993b89e22e657e4df9e4a03ac34231d6e5fe9d2152a27fe0f59b8f2a3d8bdb1932a5d2d34fb95178ea8230d9789b2b
SHA1 hash: 0aec75bd146073d682798bc8fea5f00e9e972c3b
MD5 hash: 9dbff2f8f3e653c945fec3d8439eb87f
humanhash: robert-connecticut-minnesota-delta
File name:ZSt2rter.zip
Download: download sample
Signature LummaStealer
Create hunting rule
File size:4'316'245 bytes
First seen:2025-08-08 21:47:02 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 24576:UsF1Gm1wF0Z+7/bDkjpukm1jq75Bbyp2Hxn:UscCZ+7EC8gkHxn
TLSH T10C1609762BC1A348627EB2385EC17C236757DFD9DE332EDEB196C016E2148E4D90CA52
Magika zip
Reporter burger
Tags:file-pumped LummaStealer vinsodg-top zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
NL NL
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:ZSt2rter.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:1'001'212'474 bytes
SHA256 hash: 1af081ab71f2f15e0c0a664b29e27e9076e8a4bc27b8c5f173ff29de8f4bac8a
MD5 hash: f6ff9993b4ecf711607be4cd5ec0b6ee
De-pumped file size:1'889'280 bytes (Vs. original size of 1'001'212'474 bytes)
De-pumped SHA256 hash: 495b4e96ce5256185fea0dc1003e5750925b5fdaeca3cb7fc2ad65700e39a644
De-pumped MD5 hash: b6010346cc3d427f2ae9848e0a61a952
MIME type:application/x-dosexec
Signature LummaStealer
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689670891e8a59ee04e7a6b2
Tags:
n/a
Result
Verdict:
Malicious
File Type:
ZIP File - Malicious
Link:
https://app.docguard.net/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc/results/dashboard
Behaviour
SuspiciousEmbeddedObjects detected
Gathering data
Verdict:
Suspicious
Labled as:
HEUR/Pumpar.Generic
Link:
https://www.hybrid-analysis.com/sample/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc
Score:
91%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc
Verdict:
Malware
YARA:
3 match(es)
Tags:
CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PE (Portable Executable) Zip Archive Zip Bomb
Link:
https://app.malva.re/file/9dbff2f8f3e653c945fec3d8439eb87f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc/
Verdict:
Malicious
Threat:
Binary.Trojan.Hulk
Link:
https://tip.neiki.dev/file/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc
Threat name:
Binary.Trojan.Pumpar
Create hunting rule
Status:
Malicious
First seen:
2025-08-08 21:47:42 UTC
File Type:
Binary (Archive)
Extracted files:
11
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4agwg7m6pna63rdqzvsdkryrkjuobnwpqthjnjqnsri22ha7vd6a._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.15
Link:
https://yomi.yoroi.company/submissions/e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Golang_Binary
Create hunting rule
Author:Andrew Morrow
Description:Detects binaries compiled with Go
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:Lumma
Create hunting rule
Author:kevoreilly
Description:Lumma Payload
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PK_PUMP_AND_DUMP
Create hunting rule
Author:Will Metcalf @node5
Description:Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:weird_zip_high_compression_ratio
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:https://twitter.com/Cryptolaemus1/status/1633099154623803394
Rule name:win32_lumma_stealer
Create hunting rule
Author:Reedus0
Description:Rule for detecting LummaStealer malware
Rule name:win_lumma_generic
Create hunting rule
Author:dubfib

File information

The table below shows additional information about this malware sample such as delivery method and external references.

LummaStealer

zip e00d637d9e7b41edc470cd643547115268e0b6cf84ce96a60d9451ad1c1fa8fc

(this sample)

LummaStealer

Executable exe dea94a939fcb81eb85c74fcdb3e6bd9d4d7a6631dcf0ef531cf6e08966e7033d

  
Dropping
SHA256 dea94a939fcb81eb85c74fcdb3e6bd9d4d7a6631dcf0ef531cf6e08966e7033d
  
Dropping
MD5 1b521a13c1a6230ee129d3988f917bc2
  
Dropping
SHA256 495b4e96ce5256185fea0dc1003e5750925b5fdaeca3cb7fc2ad65700e39a644
  
Dropping
MD5 b6010346cc3d427f2ae9848e0a61a952

Comments