MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044
SHA3-384 hash: 6f47eb99746d62f0bcc351375e62524ef676b95012aa2af292fa3137bbe6e87d74893a24a0904bfb40e3745737f90246
SHA1 hash: 87bd89aa7404b7e08a5812f2ce83a70335ed2625
MD5 hash: 17e7630d4fc328282ee0d1ec26181ab0
humanhash: spaghetti-cat-skylark-connecticut
File name:file
Download: download sample
Signature LummaStealer
Create hunting rule
File size:5'129'424 bytes
First seen:2026-04-21 21:06:46 UTC
Last seen:2026-04-23 16:42:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1aae8bf580c846f39c71c05898e57e88 (202 x LummaStealer, 61 x SalatStealer, 18 x ValleyRAT)
ssdeep 24576:/ua7zcCxWuQvLJ+1S2GgiEM754LpEy3/MFbmv3SEQ7B5xHN1jSCCo5m21Jf6IHll:/f9JU/n7iJQX//iElCA
Threatray 69 similar samples on MalwareBazaar
TLSH T1A2366C90E9D704B2D646363260B6B36F2732581D0F3EE753DA95ADB9BB3F2C10427618
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 3c4d8e17178e4d3a (3 x LummaStealer)
Reporter Bitsight
Tags:b dropped-by-gcleaner exe LummaStealer MIX3.file signed

Code Signing Certificate

Organisation:*.bleacherreport.com
Issuer:GlobalSign Atlas R3 DV TLS CA 2026 Q1
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-01T22:55:25Z
Valid to:2027-04-02T22:55:24Z
Serial number: 0179b4e4c66b569a4d989ffe9203b6e0
Intelligence: 11 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: d48d3bf08cf276c9c2994a3c23e8e02f54599f70c7a948bf8164436ec3fb953a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://158.94.209.95/service

Intelligence

File Origin
# of uploads :
18
# of downloads :
179
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-04-21 21:07:19 UTC
Tags:
auto-reg loader phishing gabagool fuery golang openssl tool
Link:
https://app.any.run/tasks/353fc3a3-0321-4f1b-a6d2-83e988f3ce17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/63019/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e7e7184aed15d0792ef0fd
Tags:
injection obfusc crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm golang overlay packed signed
Link:
https://www.filescan.io/uploads/69e7e70cc06ec088bf5a1798/reports/82d43d2c-25ca-4651-8dfb-a3bae619fe37/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-04-21T18:17:00Z UTC
Last seen:
2026-04-23T13:56:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agima.HTTP.C&C Trojan.Win64.Agent.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Agima.sb Backdoor.Win32.Agima.ci Backdoor.Win32.Agima.b Backdoor.Win32.Agima.a BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c634f8c5-e96b-4b8b-a434-d3441df60b4f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/17e7630d4fc328282ee0d1ec26181ab0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044/
Verdict:
Malicious
Threat:
Family.FUERY
Link:
https://tip.neiki.dev/file/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-04-21 21:07:34 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74w3exovmicf5bbhf5f5y7stcvgehpit77ouqaphzmyja4xgobca._file
Verdict:
malicious
Label(s):
cryptinfinite
Create hunting rule
Similar samples:
03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7
LummaStealer
0c50b443623b0530b30ef47f036c486d0cdd9f2088c6c1ad1b2ac2963230bff9
LummaStealer
145d70b563de7de617bc40d78b21680227bda09729457f58e79ad12f566a6e51
LummaStealer
1a164d10fe3ca9a603c70bcf83a667b92bab36dbb1705c6865fb83a48935649f
LummaStealer
3d9c9be6ebf52a46fe919cdbfdba0562e7d7591956c0d92482e8679ea439929d
LummaStealer
80ba3f0bf20a0068fbdde96d21eda37d30d5b995088524e0590bb6913335d874
LummaStealer
c32e3e9204f8a8f77376f5800785b95f3a6a5521b205b759376dc7eb4664dd64
LummaStealer
d7791aea7c7bf8ef51d723f151e90b6a413adb4445e69724fc2e320bd66dbd75
LummaStealer
error
LummaStealer
+ 59 additional samples on MalwareBazaar
Result
Malware family:
fuery
Create hunting rule
Score:
  10/10
Tags:
family:fuery discovery trojan
Link:
https://tria.ge/reports/260421-zygfyafv9z/
Behaviour
System Location Discovery: System Language Discovery
Family: Fuery
Unpacked files
SH256 hash:
ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044
MD5 hash:
17e7630d4fc328282ee0d1ec26181ab0
SHA1 hash:
87bd89aa7404b7e08a5812f2ce83a70335ed2625
Link:
https://www.unpac.me/results/f47770df-1814-4508-b7d0-76ea1fdc95b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe ff2db25dd562045e84272f4bdc7e53154c43bd13ffdd4801e7cb309072e67044

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/63019/

Comments