MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8
SHA3-384 hash: 46110d640216f9d0ab6368858b5209efa71ce82f333fb26a0c1ddd9a223fa2557279e6d7ae2223804d104e98808371d0
SHA1 hash: 8162901ac594a15c72ccd073dfd258041753b1ab
MD5 hash: 73a6813e34505dccbb5f81e2828c8584
humanhash: beer-three-paris-lake
File name:73a6813e34505dccbb5f81e2828c8584.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:1'302'016 bytes
First seen:2025-09-03 06:26:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37801b95c438a73e300d9190a7cb0752 (8 x LummaStealer, 5 x Stealc, 3 x Vidar)
ssdeep 24576:RSaYxjk4UGMFAT3LZrzuGPxvziFgbrkQv+K:RSZxbZf7ziirki
Threatray 767 similar samples on MalwareBazaar
TLSH T1D155D018E87590DAFCD340B06F769112E433BD7B8F385A9B41E4DB612616DEC0A3A376
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9b55f6144b096d141be338f36ad10386818e04ed8166899fbb3de0ac3f53b51c.zip
Verdict:
Malicious activity
Analysis date:
2025-09-02 16:41:35 UTC
Tags:
auto amadey botnet arch-exec stealer redline rdp autoit loader lumma telegram qrcode inno installer delphi evasion
Link:
https://app.any.run/tasks/a20211f2-2bd1-4926-9682-bff67378abc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24855/
Detection(s):
Win.Packed.Lazy-10057809-0
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b7dfd4eb163e0ec1843785
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey fingerprint krypt microsoft_visual_cc packed unsafe
Link:
https://www.filescan.io/uploads/68b7dff039a6221faa7bf2b5/reports/b190adf5-649e-4957-8e95-ba9146ddf5cd/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-02T08:38:00Z UTC
Last seen:
2025-09-02T08:38:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/241e668d-3012-437c-94a5-2f370cbe660a
Result
Threat name:
LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1770120
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Writes to foreign memory regions
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1770120 Sample: G5srL4Rpyd.exe Startdate: 03/09/2025 Architecture: WINDOWS Score: 100 32 washerv.ru 2->32 34 t.me 2->34 36 2 other IPs or domains 2->36 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 4 other signatures 2->52 9 G5srL4Rpyd.exe 2->9         started        signatures3 process4 signatures5 54 Writes to foreign memory regions 9->54 56 Allocates memory in foreign processes 9->56 58 Injects a PE file into a foreign processes 9->58 12 MSBuild.exe 9->12         started        process6 dnsIp7 42 t.me 149.154.167.99, 443, 49686 TELEGRAMRU United Kingdom 12->42 44 washerv.ru 91.212.166.160, 443, 49687, 49714 MOBILY-ASEtihadEtisalatCompanyMobilySA United Kingdom 12->44 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->60 62 Query firmware table information (likely to detect VMs) 12->62 64 Tries to harvest and steal ftp login credentials 12->64 66 3 other signatures 12->66 16 chrome.exe 12->16         started        19 chrome.exe 12->19         started        21 chrome.exe 12->21         started        23 chrome.exe 12->23         started        signatures8 process9 dnsIp10 30 192.168.2.10, 138, 443, 49674 unknown unknown 16->30 25 chrome.exe 16->25         started        28 chrome.exe 19->28         started        process11 dnsIp12 38 www.google.com 142.250.80.36, 443, 49693, 49696 GOOGLEUS United States 25->38 40 142.251.40.196, 443, 49707, 49711 GOOGLEUS United States 28->40
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/73a6813e34505dccbb5f81e2828c8584
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-02 11:31:05 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=626ltsdkixgmx6zrqvc5hy3irugdpz2islnnzldoiclqxofyh74a._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
1f2af392cafd75426312e4862f6a1cedd40982bb0d49ca85f101fb60109b2b3f
LummaStealer
2b66dd69c506f9acfb104bb0e6da0c110737fa3625dc309a3f8782f3be20d80e
LummaStealer
723736cb104a4aeef1045dbeb175699e8888bb1f5af62401ab1cf07739f1d7ec
LummaStealer
984fafd740b3efe1f2606d3aa036440229ee8fa6b7608587820cb1c0064b618f
LummaStealer
b5fb602add12067761efa2188bd0f2e5f70b572b302002723957edebc6e6abd8
LummaStealer
error
LummaStealer
f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8
LummaStealer
+ 757 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:lumma discovery stealer
Link:
https://tria.ge/reports/250903-g78mnsgq2s/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
https://t.me/romalabs2
https://washerv.ru/qygd
https://mastwin.in/qsaz
https://noggs.ru/yopd
https://georgej.ru/plnb
https://oneflof.ru/tids
https://epitherd.ru/zadw
https://backab.ru/lkdo
https://eigwos.ru/wqex
https://kimmenkiz.ru/zldw
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/60f235e3-f720-47a8-903d-ed1b43909b68
Unpacked files
SH256 hash:
f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8
MD5 hash:
73a6813e34505dccbb5f81e2828c8584
SHA1 hash:
8162901ac594a15c72ccd073dfd258041753b1ab
Link:
https://www.unpac.me/results/43ea9f44-87b6-4185-9b59-9b40b753c382/
Malware family:
Lumma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6bcb9c86a45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe f6bcb9c86a45cccbfb318545d3e3688d0c37e74892dadcac6e40970bb8b83ff8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3607393/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24855/

Comments