File name:	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe
Full analysis:	https://app.any.run/tasks/f1ae947b-56a7-4d43-a396-5bc56034b492
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 07, 2025, 17:51:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit telegram stealer lumma autoit-loader attachments attc-unc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	3618028B3F53A9BA8A2979839F590337
SHA1:	7372695E6C4F58C512C48022942199971DEF123A
SHA256:	09614DA3434B6797114BB17928356771A58D82859A1C8D9EBE6D8EC718D5F072
SSDEEP:	49152:tdS4xI40X3YZKjKC/8qRll0f48b1gSM6IgRrhGSJ4IZ8zyo4JDJE7F7PSMNgO+IG:z0HlEqRo/ZgSM634SF8zytNC1qMOO+IG

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:02 02:09:35+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	3803648
UninitializedDataSize:	2048
EntryPoint:	0x364b
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Fought.docx		binary
		MD5:CC4D0D2557AF01BF5B611E206146153A	SHA256:E38C9A9C9F84F965FBA004316C6364A7BA74EF48BB66F31CC74989E6E738DE62
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Rule.docx		compressed
		MD5:FC3898384BA27095F2E3FDD37D7AFD5B	SHA256:1219813455371C89D34A8509C0BC7C2EA63C033F39CEDE595C27DAB707C5F7D3
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Nfl.docx		binary
		MD5:E3EFF81A543A569E10DAB0502FDC1D6C	SHA256:A45583AA0821815A9ABA4CE241C998FE36979B2B98C24015E5E0EF835E2C1FE6
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Minute.docx		binary
		MD5:8F18FC9BDBE722252F0CF9877ADB3480	SHA256:AC815F2707D8F5282434E4F0E4C84464CFA417B97C49A41598D8E353F23CEAF7
1196	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Cum		binary
		MD5:9FE966E5D9DD8B4A6F377B663D5DA7D7	SHA256:3DADE3945250003A003C1E90E8ACB7C1FDB148309466C1A84C71E8C0470640DD
2908	expand.exe	C:\Users\admin\AppData\Local\Temp\antonio.docx.bat		text
		MD5:0E22EA30428C7D238D36FB2B0B5E3A55	SHA256:B3EC562C8A6BB2DEA0DA9E00FB754575B143706BC1686FF3B769AAB61580CF70
5864	AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe	C:\Users\admin\AppData\Local\Temp\Bleeding.docx		binary
		MD5:43AB8DE23F8528A0BDE5D99F70DEFCFA	SHA256:F3294EEADD3C7DDFD2D4E6EAB4170C693F34117BC65284D1F932BEE45C97DBA5
1196	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Occasions		binary
		MD5:AD6FEDB8E99947A0B2057B1BD30B88DD	SHA256:F3448D943A1BD39CF6988E0AF849D2AA966493BBCB6AFF34F1B1376B5F78FC8E
1196	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Enjoyed		binary
		MD5:5335EADF78F0E7F515808D296241B875	SHA256:B0E5B34BA16DE0CA676D44C4E83CB4793E4A7D0D4B4FE326B18D5B0AECCC246F
1196	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Distributions		binary
		MD5:7D2FC66BAAAB04AB51EC15BDC23BFC10	SHA256:17945FA221129E047A67B62FF3A68AB59B7F66E77C4C249E5307FF66C3326BB1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	149.154.167.99:443	https://t.me/bzvrip	unknown	—	—	unknown
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	13.95.31.18:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
1164	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
1164	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2152	Doug.com	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
1164	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2152	Doug.com	188.114.97.3:443	compgonentco.top	CLOUDFLARENET	NL	unknown
1164	SIHClient.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1164	SIHClient.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.78	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
trOBbIWypqMzohkbZkTpcgQJvNQZ.trOBbIWypqMzohkbZkTpcgQJvNQZ	—	unknown
t.me	149.154.167.99	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
compgonentco.top	188.114.97.3 188.114.96.3	unknown
crl.microsoft.com	23.216.77.25 23.216.77.10	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2152	Doug.com	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain

General Info

AMinecraftMovie2025.1080p.HD.X264.Dual.YG.exe

3618028B3F53A9BA8A2979839F590337

7372695E6C4F58C512C48022942199971DEF123A

09614DA3434B6797114BB17928356771A58D82859A1C8D9EBE6D8EC718D5F072

49152:tdS4xI40X3YZKjKC/8qRll0f48b1gSM6IgRrhGSJ4IZ8zyo4JDJE7F7PSMNgO+IG:z0HlEqRo/ZgSM634SF8zytNC1qMOO+IG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AutoIt loader has been detected (YARA)

Actions looks like stealing of personal data

LUMMA mutex has been found

Steals credentials from Web Browsers

SUSPICIOUS

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Application launched itself

Executing commands from a ".bat" file

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Starts the AutoIt3 executable file

There is functionality for taking screenshot (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Reads mouse settings

Reads the machine GUID from the registry

Reads the software policy settings

Attempting to use instant messaging service

Reads Microsoft Office registry keys

Manual execution by a user

Checks proxy server information

Creates a new folder

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats