MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
SHA3-384 hash: 1250407d3368f9eb1634ab2c2319fad7076b446944c6a8eb793b9721f3954b1da466ee071e01be9f3a976a89da8a7398
SHA1 hash: 76e394765c623822809486f1ae3700a68b4f6a98
MD5 hash: 0398c8a64ff46f31791463c83669f396
humanhash: timing-fish-double-diet
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'536'728 bytes
First seen:2025-09-05 04:01:35 UTC
Last seen:2025-09-05 04:03:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 24576:9ku1gtH+2CcLLvof0/uAoLWpeV7L//o/johAx5DsXTSM7ugT2:2fbjCRAx5DsjSM75
Threatray 5 similar samples on MalwareBazaar
TLSH T161658EE0FCDB50F1E55A023509BB929F3735F9090736EEC7DB04AE7EB9266811832616
gimphash 04ccc75a5d995d4e406ac3b7abff888a34c6753de16bbd377259d6db6c60c888
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe LummaStealer


Avatar
Bitsight
url: http://178.16.55.189/files/8061402479/xO50QoO.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
83
Origin country :
US US
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Synaptics.exe
Verdict:
Malicious activity
Analysis date:
2025-09-04 23:15:31 UTC
Tags:
xred backdoor hausbomber phishing delphi loader telegram lumma stealer github evasion snake keylogger python dyndns xworm miner auto rat quasar anydesk rmm-tool meterpreter vidar remcos ultravnc generic auto-sch-xml agenttesla metasploit redline arch-exec njrat bladabindi exfiltration smtp ims-api asyncrat remote stealc iqvw64-sys vuln-driver jigsaw ransomware coinminer amadey botnet arch-scr xmrig inno installer ftp m0yv
Link:
https://app.any.run/tasks/2737bf6d-aa5b-430d-8ef4-e810a14e304c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25130/
Detection(s):
Win.Exploit.Deepscan-9951944-0
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ba60d2eb163e0ec184648e
Tags:
injection emotet virus core
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm exploit golang infostealer invalid-signature mingw obfuscated packed signed stealer threat unsafe
Link:
https://www.filescan.io/uploads/68ba60d014a3b51cba506e71/reports/9bc3cde7-a43c-47ed-895a-61fde9ab0154/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-05T11:09:00Z UTC
Last seen:
2025-09-05T11:09:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Lumma.sb Trojan-PSW.Win32.Lumma.vqw
Link:
https://opentip.kaspersky.com/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/21c2b712-3f89-4893-9515-e96bd70a1ce6
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/0398c8a64ff46f31791463c83669f396
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 21:34:55 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i354i5jt5l2ci3byckl73ojzoitk3y5okndcoxgr7fyn7v7k4aq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
31294603a887756a97d1f8b3b5f8a0f3ece03907448ea717dfc8b4d017be5897
LummaStealer
ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
LummaStealer
error
LummaStealer
f37b9940d7ab8158b62bd0ca600cde35dffc36d64f5820931de7da9626fbe478
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250905-elzrjabn7s/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/wfqasg2131
https://islamil.bet/eiow
https://mastwin.in/qsaz
https://digitbasket.com/pqox
https://voando26.com/iwnn
https://iaed.link/ndbh
https://pyscalp.com/iqop
https://lzh.fr/mnsn
https://streamin.style/iqzb
https://phoenix-brands.dev/qyzb
Verdict:
Malicious
Tags:
Win.Exploit.Deepscan-9951944-0
YARA:
n/a
Link:
https://app.threat.zone/submission/20799eea-8dee-489c-b26d-f46e1fd146d5
Unpacked files
SH256 hash:
ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
MD5 hash:
0398c8a64ff46f31791463c83669f396
SHA1 hash:
76e394765c623822809486f1ae3700a68b4f6a98
Link:
https://www.unpac.me/results/58153354-0842-4f78-9d2d-a3c0d223fd9a/
SH256 hash:
cb23d7ec43b17c8205eb2f75fb2bfd1dec61191f1ba3c942a6cb713db8796aed
MD5 hash:
89cdf6f7777df521f20876b663e14b90
SHA1 hash:
061435dadd164add02f72292e5ecc0e1b3cae155
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/58153354-0842-4f78-9d2d-a3c0d223fd9a/
Parent samples :
ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701
d20503a6c683c4cfddc10051531db2ab1b43be7d1b786d71f65938ce84812bbe
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea37de23a99f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lumma
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe ea37de23a99f57a12361c094bfedc9cb91356f1d729a313ae68fcb86febf5701

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3615935/
Cape
Cape
https://www.capesandbox.com/analysis/25130/

Comments