File name: 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom

Full analysis: https://app.any.run/tasks/5d2b69fc-19a6-45ab-83a7-467883f4ee4d
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: May 15, 2025, 21:19:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: lumma, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: ACBC43D27E0E717EEFD6D046ECB9875B
SHA1: 37745A27C66F0F7FF7BED8D8E49FA115D8382A28
SHA256: 000B449566EF383349199EA7812184E9E386D557D5053D3D8FD9C4209646D9E8
SSDEEP: 49152:/SZQqnIi1cSHmuWZ8xrmDoo+WAr7NKlOLbQ+DHmDoo+WAr7NKlOLbQ+DA:/SZWiD68xrmDz+WSwOfQ+DHmDz+WSwO+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 4696)
    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 4696)
    • LUMMA mutex has been found

      • MSBuild.exe (PID: 4696)
  • SUSPICIOUS

    • Executes application which crashes

      • 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 6048)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 4696)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 4696)
    • Searches for installed software

      • MSBuild.exe (PID: 4696)
  • INFO

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 4696)
    • Checks supported languages

      • 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 6048)
      • MSBuild.exe (PID: 4696)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2284)
    • Reads the software policy settings

      • MSBuild.exe (PID: 4696)
      • slui.exe (PID: 664)
    • Reads the computer name

      • MSBuild.exe (PID: 4696)
    • Checks proxy server information

      • slui.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

Process: MSBuild.exe (PID: 4696)
C2 (9):
emphatakpn.bet/ladk
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
cornerdurv.top/adwq
testcawepr.run/dsap
saxecocnak.live/manj
posseswsnc.top/akds
blackswmxc.top/bgry
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 17:59:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 222720
InitializedDataSize: 68096
UninitializedDataSize: -
EntryPoint: 0x21538
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 134
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe msbuild.exe no specs #LUMMA msbuild.exe werfault.exe no specs #LUMMA svchost.exe slui.exe

Process information

PID: 664
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2284
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6048 -s 260
Path: C:\Windows\System32\WerFault.exe
Parent process: 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
PID: 4696
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe
Indicators: Lumma (malware configuration with 9 C2 domains, listed in the Lumma section above)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 5720
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6048
CMD: "C:\Users\admin\Desktop\2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe"
Path: C:\Users\admin\Desktop\2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules (images):
c:\users\admin\desktop\2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 8 519
Read events: 8 519
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID: 2284, Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-15_acbc4_32e4912d15ccf3f514158f1bbfb1789104ed160_ba69c754_d115dbc8-40f8-4cff-8653-114dc4106ab6\Report.wer
Type: -
MD5: -
SHA256: -

PID: 2284, Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAB2.tmp.xml
Type: xml
MD5: 016F0731A0773F2667563D44404CF523
SHA256: B42F80FEBA74CB560EC354C0EAD0F4BC3E0D8EC346E82128B008478457B2BC60

PID: 2284, Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA72.tmp.WERInternalMetadata.xml
Type: binary
MD5: 5FE939662D613A86FE4F5D42C8376F26
SHA256: D81EC33CB1B4BF345087EAFBC2F054BD1B05590A80EF0B5613EE7B062058E9F0

PID: 2284, Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9C5.tmp.dmp
Type: binary
MD5: 1DDD03C387AA313FF751001ACE69D105
SHA256: 69AAB26CA184C8BCEB67C9B84256D92BC3F02750C310108B899D26178BEBC3E3

PID: 2284, Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\2025-05-15_acbc43d27e0e717eefd6d046ecb9875b_black-basta_cobalt-strike_ryuk_satacom.exe.6048.dmp
Type: binary
MD5: 7D097650275FF9AD77B41DA1213A5A11
SHA256: 02219CFCC059CD26F7CD9F63EA172073B3DBDCB78983CAE9BFF449463C62E98E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 64
DNS requests: 20
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4068 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 104.124.11.58:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4068 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4996 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
| | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4996 | RUXIMICS.exe | 104.124.11.58:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4996 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
4696 | MSBuild.exe | 104.21.112.1:443 | cornerdurv.top | CLOUDFLARENET | | unknown
4696 | MSBuild.exe | 104.21.32.1:443 | cornerdurv.top | CLOUDFLARENET | | unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.0
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.23
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.128
  • 40.126.31.1
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 104.124.11.58
  • 104.124.11.17
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 23.35.229.160
whitelisted
cornerdurv.top
  • 104.21.112.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.96.1
unknown
saxecocnak.live
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.96.1
unknown
testcawepr.run
unknown
emphatakpn.bet
  • 104.21.21.111
  • 172.67.198.73
unknown
laminaflbx.shop
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
2196 | svchost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2196 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (overcovtcg .top)
4696 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI
4696 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI
4696 | MSBuild.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4696 | MSBuild.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4696 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI
4696 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI
4696 | MSBuild.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain