MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f300878883a85fd1ad352a40ecb9b015fdd4f423603a90c1509df8a39464bdd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f300878883a85fd1ad352a40ecb9b015fdd4f423603a90c1509df8a39464bdd3
SHA3-384 hash:	af9ac524705628ce6f596829f9741b50ede57c307eaf496504b10b087acd7d508c7d04138fc293e1b638e02c15a7ec46
SHA1 hash:	ab4a0cd73b572d2f6873d880d442d3320e1d9649
MD5 hash:	2d149fd2571e365a07e71f6c5c2b090e
humanhash:	happy-alanine-william-arizona
File name:	≈🈚 𝐒𝐄𝐓𝐔𝐏.exe
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	99'614'695 bytes
First seen:	2025-08-22 16:01:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c32ba42c73a2bc24d2788f7750d87edb (45 x LummaStealer, 37 x Rhadamanthys, 3 x Vidar)
ssdeep	24576:4t6vrix0USTyhFi7G2Z4DoY8SR+HSUyHIVxwnTtwDRL1:Q6vr8DhE7P8DRcioVxuBwDH
Threatray	557 similar samples on MalwareBazaar
TLSH	T1E528111923DAA209819F0BC9001CEC76247DFE9F3348C02E69FE7A94A363FE95576553
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	f1f1707171314968 (2 x LummaStealer)
Reporter	aachum
Tags:	AutoIT CypherIT exe LummaStealer

iamaachum

https://www.download-setup.com/ => https://mega.nz/file/qVtgBABD#jabSavbK8QftEKwqFQrYaVzbvwwdTxPOCIg0Px8uZWI

Intelligence

File Origin

# of uploads :

# of downloads :

616

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ad3cb6b9-dfe7-44dc-b4b4-4bf52f422ac7

Verdict:

Malicious activity

Analysis date:

2025-08-22 16:25:35 UTC

Tags:

autoit lumma stealer qrcode

Link:

https://app.any.run/tasks/ad3cb6b9-dfe7-44dc-b4b4-4bf52f422ac7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a895136eed937d746d1bf4

Tags:

phishing autoit emotet

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug blackhole installer microsoft_visual_cc overlay overlay

Link:

https://www.filescan.io/uploads/68a894e64a87ed79676869b4/reports/c42476d5-d93e-402c-a140-496d94d45d8b/overview

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-22T09:23:00Z UTC

Last seen:

2025-08-22T09:23:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f300878883a85fd1ad352a40ecb9b015fdd4f423603a90c1509df8a39464bdd3/results?tab=lookup

Result

Threat name:

LummaC Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1763095

Signature

C2 URLs / IPs found in malware configuration

Detected CypherIt Packer

Drops PE files with a suspicious file extension

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f300878883a85fd1ad352a40ecb9b015fdd4f423603a90c1509df8a39464bdd3

Gathering data

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-08-22 11:44:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6maipcedvbp5dljvfjaozonqcx65j5bdma5jbqkqtx4khfdexxjq._file

Verdict:

malicious

Label(s):

unc_loader_058

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250822-thrdbaar4w/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Enumerates processes with tasklist

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Modifies trusted root certificate store through registry

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://mastwin.in/qsaz
https://tiltyufaz.ru/tlxa
https://runmgov.ru/tixd
https://semipervaz.ru/xued
https://capitalior.ru/akts
https://retrofik.ru/jgur
https://shagkeg.ru/xkzd
https://copulardi.ru/xhza

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe f300878883a85fd1ad352a40ecb9b015fdd4f423603a90c1509df8a39464bdd3

(this sample)

Link

https://tria.ge/250822-s473hsap8z/behavioral2

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample