MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 4 File information Comments

SHA256 hash:	f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61
SHA3-384 hash:	74fa72d7272affb753bf6ebd102b2f45e31f3c3157ad5ee4c7d60ec958eabc8a6bbe04c430556856e9e03c4e6ef5dda5
SHA1 hash:	42d48cb270e4ead1d4321d328a88b76345dcf1a3
MD5 hash:	b2a233ec42c7887d0d4feb423656f8c9
humanhash:	wolfram-rugby-nine-london
File name:	Setup.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'499'136 bytes
First seen:	2025-08-17 12:41:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	83f7b78217399a53bfe6705fb71ec96a (9 x LummaStealer, 2 x Stealc, 2 x CoinMiner)
ssdeep	24576:2TvU/wLT5C0XRgsH7Fuisa7IdwRPkFwkIsthaduF8b:+JT4uLH7FuisUR+qM4
Threatray	453 similar samples on MalwareBazaar
TLSH	T14565D018E879D0DBFCDB00B17B555211A423BE3B8F3C6A9B50E4DB50164BDED1A3A236
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe fake-cheat LummaStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

_f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61.exe

Verdict:

Malicious activity

Analysis date:

2025-08-17 12:43:02 UTC

Tags:

lumma stealer

Link:

https://app.any.run/tasks/04685561-d006-4f27-9ea2-6a3175f83c13

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Lumma

Link:

https://www.capesandbox.com/analysis/21825/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a1ce068fd55a79c5286bed

Tags:

virus krypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Launching a process

Connection attempt to an infection source

Query of malicious DNS domain

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/68a1ce0dabfbaec318243f1c/reports/60d4fc9d-27e9-4e04-8a67-5fc338da3f24/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/db6a7a9a-86e8-4cb1-9a0d-3cd4c8368ac2

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/b2a233ec42c7887d0d4feb423656f8c9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

Threat name:

Win64.Trojan.Kepavll

Status:

Malicious

First seen:

2025-08-17 12:41:37 UTC

File Type:

PE+ (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ea7x73b3q2ii4jqrf45gu7xpnx4eqkxnvkasef2r2ee3y7r7zqq._file

Verdict:

malicious

Label(s):

lummastealer

LummaStealer

2d01575d06b8e921be8059c7c478a38867b6e8454863f347395cd2efda006506

LummaStealer

31ba8080813690f32ff5cb3ad9c09a20129f81f0f4f11ed99d6cac35cb1d7c4d

LummaStealer

66714b3368a2365b0ac7cb6a09bf95dc6fb98989a74bcd2e274971b4237e6df7

LummaStealer

7754ad557bf2361b75840a14169b6980dea9723714b031a448e23487bb5609f7

LummaStealer

b303e5fa63277691ab5249294772aed02d0f294fe2d69dc5dfe2cc77a15a4e7a

LummaStealer

error

LummaStealer

f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

LummaStealer

+ 443 additional samples on MalwareBazaar

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250817-pw4hksvny2/

Behaviour

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Modifies trusted root certificate store through registry

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://vaganetka.ru/opza
https://mastwin.in/qsaz
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://visokiywkaf.ru/mmtn
https://kletkamozga.ru/iwyq

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9d653141-3425-4cdd-a5af-8f87f5ed0bb3

Unpacked files

SH256 hash:

f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

MD5 hash:

b2a233ec42c7887d0d4feb423656f8c9

SHA1 hash:

42d48cb270e4ead1d4321d328a88b76345dcf1a3

Link:

https://www.unpac.me/results/b2140079-45c7-4bba-a2d1-e6d51aa52890/

Malware family:

Lumma

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f101fbff61dc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f101fbff61dc348471308979d353f77b6fc241576d540910ba8e884de3f1fe61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/59c6973c-22a6-438e-b0b1-931cb467edc0

Cape

https://www.capesandbox.com/analysis/21825/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetDiskFreeSpaceExA KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample