File name:	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe
Full analysis:	https://app.any.run/tasks/f1ae947b-56a7-4d43-a396-5bc56034b492
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 07, 2025, 17:51:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit telegram stealer lumma autoit-loader attachments attc-unc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	3618028B3F53A9BA8A2979839F590337
SHA1:	7372695E6C4F58C512C48022942199971DEF123A
SHA256:	09614DA3434B6797114BB17928356771A58D82859A1C8D9EBE6D8EC718D5F072
SSDEEP:	49152:tdS4xI40X3YZKjKC/8qRll0f48b1gSM6IgRrhGSJ4IZ8zyo4JDJE7F7PSMNgO+IG:z0HlEqRo/ZgSM634SF8zytNC1qMOO+IG

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:02 02:09:35+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	3803648
UninitializedDataSize:	2048
EntryPoint:	0x364b
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Plastics.docx		binary
		MD5:E4AA1FB21BACD59D914C30B66E3EBBC3	SHA256:C8E11D4F34B19022C8978771CAA98C9FD89DDD573A1AA6A01A6E89E321246959
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Coming.docx		binary
		MD5:1DF6FDF470299F09F216C8802FE782C3	SHA256:DFF12E765DF6212D79FCFEFDD7F2A4C650CB596E4E54213BF2EAA4B377EBEACF
2908	expand.exe	C:\Users\admin\AppData\Local\Temp\antonio.docx.bat		text
		MD5:0E22EA30428C7D238D36FB2B0B5E3A55	SHA256:B3EC562C8A6BB2DEA0DA9E00FB754575B143706BC1686FF3B769AAB61580CF70
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Minute.docx		binary
		MD5:8F18FC9BDBE722252F0CF9877ADB3480	SHA256:AC815F2707D8F5282434E4F0E4C84464CFA417B97C49A41598D8E353F23CEAF7
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Fx.docx		binary
		MD5:E9E82F0F3CA5CB74136E82AA1DA059BD	SHA256:9389E22E1BF3342B34C2EF4634F94EB6B50E34936FF4BB067AE01207B5B207F6
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\nssC9CB.tmp		binary
		MD5:183339765B784CD42615B7339E9569E5	SHA256:C9E97F4D2152086AFAEA4AEEB663076E3361D600740807A3A91394EED3E73F5A
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Penny.docx		binary
		MD5:A38272C8639E1482D5BE2DB20B1C76B7	SHA256:063E43A4BA55D4DD84CC9B07AA71BBA73C919B163C7102AA64C88DF1338E9DE2
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Bleeding.docx		binary
		MD5:43AB8DE23F8528A0BDE5D99F70DEFCFA	SHA256:F3294EEADD3C7DDFD2D4E6EAB4170C693F34117BC65284D1F932BEE45C97DBA5
1196	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Occasions		binary
		MD5:AD6FEDB8E99947A0B2057B1BD30B88DD	SHA256:F3448D943A1BD39CF6988E0AF849D2AA966493BBCB6AFF34F1B1376B5F78FC8E
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Fought.docx		binary
		MD5:CC4D0D2557AF01BF5B611E206146153A	SHA256:E38C9A9C9F84F965FBA004316C6364A7BA74EF48BB66F31CC74989E6E738DE62

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	149.154.167.99:443	https://t.me/bzvrip	unknown	—	—	—
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2152	Doug.com	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
1164	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2152	Doug.com	188.114.97.3:443	compgonentco.top	CLOUDFLARENET	NL	unknown
1164	SIHClient.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1164	SIHClient.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.78	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
trOBbIWypqMzohkbZkTpcgQJvNQZ.trOBbIWypqMzohkbZkTpcgQJvNQZ	—	unknown
t.me	149.154.167.99	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
compgonentco.top	188.114.97.3 188.114.96.3	unknown
crl.microsoft.com	23.216.77.25 23.216.77.10	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2152	Doug.com	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain

General Info

AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe

3618028B3F53A9BA8A2979839F590337

7372695E6C4F58C512C48022942199971DEF123A

09614DA3434B6797114BB17928356771A58D82859A1C8D9EBE6D8EC718D5F072

49152:tdS4xI40X3YZKjKC/8qRll0f48b1gSM6IgRrhGSJ4IZ8zyo4JDJE7F7PSMNgO+IG:z0HlEqRo/ZgSM634SF8zytNC1qMOO+IG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AutoIt loader has been detected (YARA)

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Get information on the list of running processes

Application launched itself

Using 'findstr.exe' to search for text patterns in files and output

The executable file from the user directory is run by the CMD process

Starts application with an unusual extension

Starts the AutoIt3 executable file

There is functionality for taking screenshot (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

Process checks computer location settings

Creates a new folder

Reads the machine GUID from the registry

Reads the software policy settings

Manual execution by a user

Reads Microsoft Office registry keys

Checks proxy server information

Reads mouse settings

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats