MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7
SHA3-384 hash:	94f66428adca034cb6a00a2c3db7ffcbb1e9f49c691c494a81003a726e321bf2bc1b7ac40f0eb11410b175e9c52eed21
SHA1 hash:	0d154f64c524cb6f04e6fa7bd058adeabffa2ea8
MD5 hash:	5242c1a113b61f4a7c11be5ea6c576c5
humanhash:	single-sad-illinois-lamp
File name:	file
Download:	download sample
Signature	LummaStealer Create hunting rule
File size:	1'335'296 bytes
First seen:	2026-01-04 18:04:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'854 x Amadey, 290 x Smoke Loader)
ssdeep	24576:QonOYu3hTe2OvAG4VunKCSbBIjeHiXH79LTTt/p4N1m:zOYG6224tCveCXtTtp4N1
TLSH	T118552312C7DEC173ED7227B068F644C3092ABC829A79C65F7686989E5C727568C3037B
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10522/11/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
dhash icon	19f87cf6d498e868 (1 x LummaStealer)
Reporter	Bitsight
Tags:	dropped-by-Stealc exe LummaStealer sosokenota

Bitsight

url: https://servachok.space/release/OrdinanceAfter.exe

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/48ccf10d-2398-4447-9bb8-fe3f676fd820/

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-01-04 18:05:39 UTC

Tags:

trojan autoit lumma stealer fingerprinting

Link:

https://app.any.run/tasks/b2943919-a0a6-40a8-90fe-0f323acd8527

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47623/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695aabe6d2357cccc3df6284

Tags:

infosteal autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process from a recently created file

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Creating a file in the %temp% subdirectories

Launching a process

Creating a process with a hidden window

Running batch commands

Launching cmd.exe command interpreter

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-04T10:00:00Z UTC

Last seen:

2026-01-05T14:13:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Stealerc.HTTP.C&C Trojan-PSW.Lumma.TCP.C&C PDM:Trojan.Win32.Generic Backdoor.Win32.Agent.myxckj Backdoor.Agent.UDP.C&C

Link:

https://opentip.kaspersky.com/fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fdce5e41-a09a-437e-9360-97f495d97a46

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5242c1a113b61f4a7c11be5ea6c576c5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2026-01-04 17:24:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 36 (30.56%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7nkwoc3roxz7hyhhpazizizr5uyak6u5z2j6ocwkrzkitnbc32tq._file

Result

Malware family:

lumma

Score:

10/10

Tags:

family:lumma discovery execution persistence spyware stealer

Link:

https://tria.ge/reports/260106-jdv6laxqe1/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Browser Information Discovery

System Location Discovery: System Language Discovery

System Time Discovery

Launches sc.exe

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Lumma Stealer, LummaC

Lumma family

Malware Config

C2 Extraction:

https://genusstv.cyou/api
https://whitepepper.su/asds
https://hammernew.su/asdase
https://heavylussy.su/ccvfd
https://broguenko.su/asfase
https://homuncloud.su/ascasef
https://familyriwo.su/fssdaw
https://izzardtow.su/cascasc
https://basilicros.su/asdasq

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/eb00924c-047a-4c9c-b57e-fc8fdce891b7

Unpacked files

SH256 hash:

fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7

MD5 hash:

5242c1a113b61f4a7c11be5ea6c576c5

SHA1 hash:

0d154f64c524cb6f04e6fa7bd058adeabffa2ea8

Link:

https://www.unpac.me/results/a869078d-7f3a-408b-9d28-9854551156b8/

Malware family:

CypherIt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb55670b7175/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	Lumma Create hunting rule
Author:	kevoreilly
Description:	Lumma Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

exe fb55670b7175f3f3e0e778328ca331ed30057a9dce93e70aca8e5489b422dea7

(this sample)

Dropped by

StealC

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3750219/

Cape

https://www.capesandbox.com/analysis/47623/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample