File name:	012246bc3048970d6463175d947fc65dda7a0953627ccd79f99a139d9a7729ec.exe
Full analysis:	https://app.any.run/tasks/4a2f68f4-f8a8-4cca-9403-726c23d32e70
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 18, 2025, 21:45:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	785F0D3F22D5C03AAE457BFB0FB94126
SHA1:	302BB354D45D05513AC48D459F4DE87EBC217D02
SHA256:	012246BC3048970D6463175D947FC65DDA7A0953627CCD79F99A139D9A7729EC
SSDEEP:	12288:WSL/ENlwJ0wdOazDoxb/qHnvLcV/ViVVFzSVFVbEhVlVqbfb6H:WSklwJ02zcxb/qHv

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:12:21 17:41:26+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	33792
InitializedDataSize:	563712
UninitializedDataSize:	-
EntryPoint:	0x11e5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	45.0.0.0
ProductVersionNumber:	61.0.0.0
FileFlagsMask:	0x003f
FileFlags:	Debug, Pre-release, Patched, Private build, Special build
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-

PID	Process	Filename		Type
7680	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_012246bc3048970d_a0fcdf6089a3d1eba11f8980fc4ae89b8de1725d_176692c5_d720694e-824c-443b-81bd-979b1d8baa39\Report.wer		—
		MD5:—	SHA256:—
7680	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE89F.tmp.xml		xml
		MD5:9ED91FE5532AE95505518AA09B631180	SHA256:235367E3C0A314D4CF7C7E5C45691D4BA988A8250BA531BF273256556B9A55C8
7680	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE706.tmp.dmp		binary
		MD5:B8B97156E2B1945FEF4FA0DC0A03633A	SHA256:9C05F5218F985EB87C0AF8BBBFCB2D2BECEE7D5A1354C5BD2685CA9F01D4456C
7680	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\012246bc3048970d6463175d947fc65dda7a0953627ccd79f99a139d9a7729ec.exe.7504.dmp		binary
		MD5:46E405E8BAA30224B4DA96DDF91C3BD5	SHA256:E54930156DCDDBBB225B5F374F2B764222B56313B9EEB5653FB9CA9A268D6C31
7680	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERE7F2.tmp.WERInternalMetadata.xml		binary
		MD5:CD1F74C8C832FF0E32ABA513083337F9	SHA256:E88E4F9E9A23BD6A2E75869D8BF455CBD1E3BF782048145630A25543BAC6BCD7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7424	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7996	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
deadpanstupiddyjjuwk.shop	—	unknown
wisemassiveharmonious.shop	—	malicious
colorfulequalugliess.shop	—	malicious
relevantvoicelesskw.shop	—	malicious
detectordiscusser.shop	—	malicious
edurestunningcrackyow.fun	—	malicious
pooreveningfuseor.pw	—	malicious

PID	Process	Class	Message
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadpanstupiddyjjuwk .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deadpanstupiddyjjuwk .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile

General Info

012246bc3048970d6463175d947fc65dda7a0953627ccd79f99a139d9a7729ec.exe

785F0D3F22D5C03AAE457BFB0FB94126

302BB354D45D05513AC48D459F4DE87EBC217D02

012246BC3048970D6463175D947FC65DDA7A0953627CCD79F99A139D9A7729EC

12288:WSL/ENlwJ0wdOazDoxb/qHnvLcV/ViVVFzSVFVbEhVlVqbfb6H:WSklwJ02zcxb/qHv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

LUMMA has been detected (SURICATA)

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Executes application which crashes

INFO

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings