MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f30be67ab6688aec314704baa698e798893771eb12acb087e7a19abe70ff0ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16

SHA256 hash: f30be67ab6688aec314704baa698e798893771eb12acb087e7a19abe70ff0ed6
SHA3-384 hash: f42f0939b70472ca8f4ad0c632a3989c51e1c4b50fb0153562693e0c2e2046a94c01b8058cf3e6caba9af8cd1f314110
SHA1 hash: b9db4eddd629262f9a0ee5862bd374711fa317eb
MD5 hash: 5d45c93f5e66557659408662431c5455
humanhash: tennis-michigan-pasta-double
File name: setup.exe
Signature: LummaStealer
File size: 13'788'128 bytes
First seen: 2025-08-24 06:16:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 33742414196e45b8b306a928e178f844 (16 x Efimer, 5 x BlankGrabber, 4 x XWorm)
ssdeep: 196608:APPuglgRWUeR24iMqWNo2mtKVzurHm5POMP/XRL234tSoz2/Tsj+51nOxdZ:EPuhRW1R2JtWNhqKVzuC5zXA34tSQV
TLSH: T185D63338236406E7F4F6D734E940C4B6D6ABAD161B57C28383F8D56B2D232C16A373A5
TrID: 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: JAMESWT_WT
Tags: 45-141-87-195 45tys exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: IT
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-08-22 11:38:15 UTC
Tags:
python github vidar stealer telegram anti-evasion xenorat rat phishing xtinyloader loader auto agenttesla generic meterpreter backdoor payload metasploit tinynuke asyncrat anydesk tool havoc quasar cobaltstrike lumma koadic framework xworm purelogsstealer redline coinminer miner remote gh0st gh0stcringe masslogger nanocore formbook sliver rhadamanthys evasion njrat remcos whitesnakestealer bruteratel stealc koistealer koiloader koi pyinstaller vipkeylogger keylogger possible-phishing storm1747 tycoon arch-scr donutloader pastebin dbatloader xred azorult clipper diamotrix stealerium stormkitty arechclient2 n-w0rm worm rmm-tool neshta snake bladabindi metastealer valley whitesnake auto-sch-xml dcrat adware gcleaner svc jigsaw ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
phishing autorun dridex
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating synchronization primitives
Creating a file
Sending an HTTP GET request to an infection source
Creating a file in the system32 directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching a service
Unauthorized injection to a recently created process
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand lolbin lumma microsoft_visual_cc overlay packed pyinstaller python threat unsafe vidar
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-22T08:35:00Z UTC
Last seen:
2025-08-22T08:35:00Z UTC
Hits:
~100000
Detections:
Backdoor.Agent.HTTP.C&C Trojan-Downloader.Bitmin.TCP.ServerRequest Trojan-Downloader.Agent.HTTP.ServerRequest Trojan-Downloader.Stralo.HTTP.C&C Trojan-Downloader.Bitmin.TCP.C&C Trojan.Agent.TCP.C&C Trojan-PSW.PureLogs.TCP.C&C Trojan-PSW.Lumma.HTTP.C&C Trojan.Yakes.HTTP.ServerRequest Trojan.Agent.UDP.C&C Trojan.Python.Agent.sb Trojan-Banker.ClipBanker.TCP.C&C Backdoor.XClient.HTTP.C&C Trojan-PSW.Win32.Disco.sb PDM:Trojan.Win32.Generic Backdoor.Win64.Stelega.sb Trojan.Scar.HTTP.C&C Trojan.APosT.UDP.C&C Backdoor.MSIL.XWorm.b Backdoor.MSIL.VenomRAT.a Trojan.Win64.Lunar.sb Trojan.Scar.UDP.C&C Trojan.Miner.TCP.Download Trojan-Downloader.PsDownload.HTTP.C&C Trojan-Banker.ClipBanker.HTTP.C&C Trojan.Win32.Agent.sb Trojan-PSW.Win32.Vidar.sb Trojan-PSW.Win32.Stealerc.sb Trojan-Downloader.Tiny.HTTP.Download Trojan-Downloader.Miner.HTTP.Download Trojan-PSW.Mimikatz.TCP.C&C Trojan-Downloader.ZippyLoader.HTTP.C&C Trojan-Downloader.Agent.TCP.C&C Trojan.Snojan.HTTP.C&C Trojan.Shelma.TCP.C&C Trojan.Agent.HTTP.C&C Worm.Win32.Cridex.sb Trojan-Banker.Win32.TinyNuke.sb Trojan.Miner.HTTP.ServerRequest Backdoor.MSIL.XWorm.a Trojan.Agentb.TCP.C&C Trojan-Downloader.Agent.HTTP.C&C Trojan.Swrort.TCP.C&C Trojan.MSIL.Xeno.sb Trojan.MSIL.Xeno.kk Trojan.Patched.HTTP.ServerRequest RemoteAdmin.LiteManager.TCP.C&C NetTool.Sysinternals.TCP.ServerRequest Downloader.Snojan.HTTP.C&C HackTool.PowerSploit.TCP.C&C HackTool.PowerSploit.HTTP.ServerRequest Downloader.Snojan.HTTP.ServerRequest NetTool.Mshta.HTTP.C&C HackTool.ReconScan.TCP.ServerRequest HackTool.VulnScan.HTTP.C&C HackTool.Meterpreter.TCP.C&C
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Alevaul
Status:
Malicious
First seen:
2025-08-22 11:29:58 UTC
File Type:
PE+ (Exe)
Extracted files:
18
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:asyncrat family:athenahttp family:koiloader family:lumma family:metasploit family:modiloader family:neshta family:quasar family:redline family:vipkeylogger family:xworm botnet:default botnet:jajaja botnet:office04 backdoor botnet credential_access defense_evasion discovery execution infostealer keylogger loader persistence phishing privilege_escalation pyinstaller rat spyware stealer trojan upx
Behaviour
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Access Token Manipulation: Create Process with Token
Detects Pyinstaller
Event Triggered Execution: Installer Packages
Program crash
Detected phishing page
Launches sc.exe
SmartAssembly .NET packer
UPX packed file
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets file to hidden
Stops running service(s)
Contacts a large (2085) amount of remote hosts
Detects KoiLoader payload
ModiLoader Second Stage
OS Credential Dumping: LSASS Memory
AsyncRat
Asyncrat family
AthenaHTTP
Athenahttp family
Detect Neshta payload
Detect Xworm Payload
Detects AthenaHTTP
KoiLoader
Koiloader family
Lumma Stealer, LummaC
Lumma family
MetaSploit
Metasploit family
ModiLoader, DBatLoader
Modiloader family
Neshta
Neshta family
Process spawned unexpected child process
Quasar RAT
Quasar family
Quasar payload
RedLine
RedLine payload
Redline family
VIPKeylogger
Vipkeylogger family
Xworm
Xworm family
Malware Config
C2 Extraction:
66.179.83.142:4446
100.42.176.116:7000
45.141.26.199:8000
185.246.113.246:7707
45.141.151.174:1604
http://83.244.163.203:7788/sCHG5YL0A3bIMskzr6m-YQejoXd0G6jqmYCptXnQWm2fxUSdL1-Wl-sYTMzOv5FTLS5vkf_vtZ35ftff3YSVQd9glEAC_-wbl6gsueaPPd6REwt2U1PPcY-sYv4sefroJqrfiwrJA9
http://83.244.163.203:7788/Lrl704cuqDDcT91Ouwu6vQIMO0OppTT5f-J_7eujoV1M60ne7Y_Z8ce_QGBE1llotu5Ww3Joa0knXvgWPdRyuMxlyG9h43g3JEUIIgwe8HZ-MPGpH1jmgkNldVZKP1ykI-JHC4hl0ICARvBqFkSDI
http://83.244.163.203:7788/mA712ukPZ8I60jvTXUrOrQh7NDGRtP6iGzfAl9WI2cmu-4VMrdIisf98hIfmSjIlU96X_bpTTSgTVyLBFSwyu0EP9HYN_OqhG6LjWWB-E6wkwT0JYZy4R7OVb-2SBQt-F8fgvJykN4bo9aScowGDu6WAVUiTtugksTsUapCnGQ-i8SqPUZOMr9CWv-iLIag7T3Q1VhoUpKLj4xQJ5Ne7kLUh8a9gc2uT5iX
https://shagkeg.ru/xkzd
https://mastwin.in/qsaz
https://tiltyufaz.ru/tlxa
https://runmgov.ru/tixd
https://semipervaz.ru/xued
https://capitalior.ru/akts
https://retrofik.ru/jgur
https://copulardi.ru/xhza
https://visokiywkaf.ru/mmtn
https://ordinarniyvrach.ru/xiur
https://yamakrug.ru/lzka
https://vishneviyjazz.ru/neco
https://yrokistorii.ru/uqya
https://stolewnica.ru/xjuf
https://kletkamozga.ru/iwyq
160.191.244.103:6582
http://5.101.82.4/sparkles.php
176.46.152.46:1911
Dropper Extraction:
https://gestionycobranzas.com/1/MSI1.png
https://archive.org/download/optimized_msi_20250814/optimized_MSI.png
http://57.155.1.42/shell.ps1
https://archive.org/download/optimized_msi_20250821/optimized_MSI.png
http://216.9.224.88/xampp/cv/optimized_MSI.png
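The C2 and dropper lists above mix three indicator shapes (bare ip:port sockets, URLs on attacker-controlled hosts, and URLs on a legitimate service, archive.org, that the sandbox flagged as abused for hosting). A sweep that keys only on hostnames would either miss the sockets or flag every archive.org download. The script below is an added example, not MalwareBazaar or sandbox code: it normalizes a subset of the IOC values copied from this entry into socket, host and URL indicators, keeps only the exact URL for shared hosts, and sweeps constructed proxy log lines (the `client dst_host dst_port url` format, `SAMPLE_LOGS` and `SHARED_HOSTS` are assumptions for the illustration).

```python
"""Normalize the extracted C2/dropper IOCs and sweep proxy logs against them.

Added example for this MalwareBazaar entry; not the site's or any vendor's code.
IOC strings are copied from the Malware Config section; the log format, the
SHARED_HOSTS policy and SAMPLE_LOGS are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the "C2 Extraction" and "Dropper Extraction" lists on this page.
RAW_IOCS = [
    "66.179.83.142:4446",
    "100.42.176.116:7000",
    "http://83.244.163.203:7788/sCHG5YL0A3bIMskzr6m-YQejoXd0G6jqmYCptXnQWm2fxUSdL1-Wl-sYTMzOv5FTLS5vkf_vtZ35ftff3YSVQd9glEAC_-wbl6gsueaPPd6REwt2U1PPcY-sYv4sefroJqrfiwrJA9",
    "https://shagkeg.ru/xkzd",
    "https://mastwin.in/qsaz",
    "http://5.101.82.4/sparkles.php",
    "https://archive.org/download/optimized_msi_20250814/optimized_MSI.png",
    "http://57.155.1.42/shell.ps1",
]

# Assumption: legitimate services abused for hosting (the Behaviour list notes
# "Legitimate hosting services abused for malware hosting/C2"). For these only
# the exact URL is an indicator; the bare hostname would be pure false positives.
SHARED_HOSTS = {"archive.org"}


@dataclass(frozen=True)
class Ioc:
    kind: str    # "socket", "host" or "url"
    value: str   # normalized indicator value
    source: str  # raw line it was derived from


def normalize(raw: str) -> list[Ioc]:
    """Expand one raw IOC line into the indicators worth matching on."""
    raw = raw.strip()
    if "://" not in raw:
        # Bare ip:port from a RAT/stealer config: match the socket, and the IP
        # alone so a port change on the same server still fires (at host level).
        host, _, port = raw.rpartition(":")
        if not port.isdigit():
            raise ValueError(f"unrecognised IOC: {raw}")
        return [Ioc("socket", f"{host}:{port}", raw), Ioc("host", host, raw)]
    host = urlsplit(raw).hostname or ""
    iocs = [Ioc("url", raw, raw)]
    if host not in SHARED_HOSTS:
        iocs.append(Ioc("host", host, raw))
    return iocs


def build_index(raw_iocs: list[str]) -> dict[str, set[str]]:
    """Group indicator values by kind for constant-time lookups."""
    index: dict[str, set[str]] = {"socket": set(), "host": set(), "url": set()}
    for raw in raw_iocs:
        for ioc in normalize(raw):
            index[ioc.kind].add(ioc.value)
    return index


def match_log_line(line: str, index: dict[str, set[str]]) -> str | None:
    """Return the indicator kind that fires for one proxy record, else None.

    Constructed record format: "<client> <dst_host> <dst_port> <url-or-dash>".
    Most specific match wins: exact URL, then socket, then bare host.
    """
    fields = line.split()
    if len(fields) != 4:
        return None  # malformed record; do not guess
    _client, dst_host, dst_port, url = fields
    if url in index["url"]:
        return "url"
    if f"{dst_host}:{dst_port}" in index["socket"]:
        return "socket"
    if dst_host in index["host"]:
        return "host"
    return None


def sweep(lines: list[str], index: dict[str, set[str]]) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every record that matched an indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        kind = match_log_line(line, index)
        if kind is not None:
            hits.append((n, kind))
    return hits


# Constructed proxy records for the illustration; not real telemetry.
SAMPLE_LOGS = [
    "10.0.0.5 shagkeg.ru 443 https://shagkeg.ru/xkzd",          # exact Lumma C2 URL
    "10.0.0.5 shagkeg.ru 443 https://shagkeg.ru/other",         # same host, new path
    "10.0.0.7 archive.org 443 https://archive.org/download/unrelated/file.png",
    "10.0.0.7 archive.org 443 https://archive.org/download/optimized_msi_20250814/optimized_MSI.png",
    "10.0.0.9 66.179.83.142 4446 -",                           # RAT socket
    "10.0.0.9 66.179.83.142 8080 -",                           # same IP, other port
    "10.0.0.9 8.8.8.8 53 -",                                   # benign
]

INDEX = build_index(RAW_IOCS)

if __name__ == "__main__":
    for n, kind in sweep(SAMPLE_LOGS, INDEX):
        print(f"line {n}: {kind} indicator -> {SAMPLE_LOGS[n - 1]}")
```

Run as a script to see which constructed records fire. Note that line 3 (an unrelated archive.org download) does not match, while line 4 (the exact dropper URL) does; that is the point of treating shared hosts by full URL only. Retrospective sweeps should also use the ip:port pairs from this page with caution: stealer and RAT operators rotate both ports and IPs, so the host-level match is a tripwire for investigation rather than a confirmed infection.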
Unpacked files
SHA256 hash:
f30be67ab6688aec314704baa698e798893771eb12acb087e7a19abe70ff0ed6
MD5 hash:
5d45c93f5e66557659408662431c5455
SHA1 hash:
b9db4eddd629262f9a0ee5862bd374711fa317eb
Malware family:
ScreenConnect
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_PyInstaller
Author: Obscurity Labs LLC
Description: Detects PyInstaller compiled executables across platforms

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.