File name:	lnstall_patched.exe
Full analysis:	https://app.any.run/tasks/551f670a-b48b-4e03-91c9-070a4bb78141
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 28, 2025, 14:40:05
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5:	0DD8444BC02B6E04635CBE1168D0259C
SHA1:	D8261CDF2E991636F58B26E090ADE77E78DCB50F
SHA256:	0994EB7EE6F09C7F26B148F34E4A7EDBC23059BBA3F2E72F88AD6953C41F701C
SSDEEP:	98304:vTd7AaKt3m+p7y/D8f82/YziDLajlH4Yq0IZXVqmk7KORoIRXeGTjbuPR4iDXoeb:kVX

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.32
CodeSize:	4547584
InitializedDataSize:	5351424
UninitializedDataSize:	12800
EntryPoint:	0x14a0
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2025.1.3.0
ProductVersionNumber:	2025.1.3.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	DZED Systems LLC
FileDescription:	DZED - Dragonframe 2025
FileVersion:	2025.01.3
LegalCopyright:	© 2025 DZED Systems LLC
ProductName:	Dragonframe 2025
ProductVersion:	2025.01.3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	149.154.167.99:443	https://t.me/asdccscasaa333t23f	unknown	html	12.1 Kb	whitelisted
—	—	POST	200	172.67.166.143:443	https://lunapixu.top/GzkJSIo	unknown	binary	70 b	unknown
—	—	POST	200	172.67.166.143:443	https://lunapixu.top/GzkJSIo	unknown	binary	69 b	unknown
—	—	POST	—	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	whitelisted
—	—	POST	200	104.21.50.200:443	https://lunapixu.top/GzkJSIo	unknown	binary	69 b	unknown
—	—	POST	200	104.21.50.200:443	https://lunapixu.top/GzkJSIo	unknown	binary	70 b	unknown
—	—	POST	200	104.21.50.200:443	https://lunapixu.top/GzkJSIo	unknown	binary	70 b	unknown
—	—	POST	200	104.21.50.200:443	https://lunapixu.top/GzkJSIo	unknown	binary	32.8 Kb	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
1180	lnstall_patched.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
1180	lnstall_patched.exe	104.21.50.200:443	lunapixu.top	CLOUDFLARENET	—	unknown
3192	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4944	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
t.me	149.154.167.99	whitelisted
lunapixu.top	104.21.50.200 172.67.166.143	unknown
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
1180	lnstall_patched.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain

General Info

lnstall_patched.exe

0DD8444BC02B6E04635CBE1168D0259C

D8261CDF2E991636F58B26E090ADE77E78DCB50F

0994EB7EE6F09C7F26B148F34E4A7EDBC23059BBA3F2E72F88AD6953C41F701C

98304:vTd7AaKt3m+p7y/D8f82/YziDLajlH4Yq0IZXVqmk7KORoIRXeGTjbuPR4iDXoeb:kVX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

LUMMA mutex has been found

SUSPICIOUS

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Searches for installed software

INFO

The sample compiled with english language support

Checks supported languages

Reads the machine GUID from the registry

Reads the software policy settings

Reads the computer name

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings