| File name: | Ethelium.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/892f2aff-c178-4e4d-b539-7cd0e3424fab |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | May 17, 2025, 00:44:11 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 195037A30E6D964EB48A27A1B7B16C0B |
| SHA1: | DE804CCBF10E5E786E2531654BE23657F8B5E476 |
| SHA256: | 09B95364B01ED8B35D545F12556F263A3EBD21FCBDEB7CD17331C75927EE8624 |
| SSDEEP: | 98304:6jwmpIrY7fXsLHryLyHcaGt3d7VSTf+NMuPxJkcyXydfcleAfrn:5SBrcrx |
| .exe | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|
| .exe | Win64 Executable (generic) (37.3) |
| .dll | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | Win32 Executable (generic) (6) |
| .exe | Generic Win/DOS Executable (2.7) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:04:10 12:19:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 25600 |
| InitializedDataSize: | 431104 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x33e9 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 4172 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 4724 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5364 | cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & echo URL="C:\Users\admin\AppData\Local\TechMesh Dynamics\InnoMesh.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoMesh.url" & exit | C:\Windows\SysWOW64\cmd.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 7288 | choice /d y /t 5 | C:\Windows\SysWOW64\choice.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Offers the user a choice; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7692 | "C:\Users\admin\Desktop\Ethelium.exe" | C:\Users\admin\Desktop\Ethelium.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 7736 | "C:\WINDOWS\System32\CMd.exe" /c copy Pf.xlsm Pf.xlsm.bat & Pf.xlsm.bat | C:\Windows\SysWOW64\cmd.exe | — | Ethelium.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 7744 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7904 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Lists the current running tasks; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7924 | findstr /I "opssvc wrsa" | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Find String (QGREP) Utility; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 8020 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Lists the current running tasks; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Pf.xlsm | text | 3AD7D209AAA6ECDD3D8683C62915FD05 | DCD3DC187D7A2AD56A6CF92487F3A57CB4A17CE4808314F9A7D4F84EF4F7AE4B |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Tumor.xlsm | binary | 275DA6FFC2902C099BB1BF172F547E7D | CEBB326162363621AD9559149332C4DCD553C2ABE9F56BCB5903018E7BE189BD |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Third.xlsm | binary | 9E295978B8EFC5852D77BBDE7E566A82 | 77FD8AFC878CF0490E018BC7C94C747C02DB363A9C8298F1EAEDC94853E43905 |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Fatal.xlsm | binary | 0D346ADE5A4CF918367FD723CB3F18C7 | 0F366AAC8BB640195E2B958D017611209D665091E4AE168E536F195296C86336 |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Luke.xlsm | binary | 8E39A9B59B4EBB3B1B64BB78381577DE | B706FBDCC86A1627A7FDAE1051A5A1BB6F4C510EF7F8226C058B5C0B3CBA78A5 |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Prescription.xlsm | binary | 19DD4E0B60B42C1A8FB97D16AA89E9BC | 0F91A21D47220526A4F19036D8CFC508105BF90170D09D0B7B9D3AD1E1ECF76A |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Windows.xlsm | binary | 15846A66F3D1B5FDDD0E6515EBA2E33F | B311A801FC71DC07E405B94F5B019B2AB6733DF1280120C6C33054B8F43BDEF5 |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Experiencing.xlsm | binary | 10758D4FC19B3D11723EC85782214469 | C3B614C85C3F76A654CFDF3E180F643DFFE499BAED042445EB10A4590B70A1FB |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Novel.xlsm | compressed | 67DD6F1ED2E74F82CD57243A24C51D95 | 2584062F655F728DDE22C29DEE351811EB9A8DFAC5743B8E47320CD2305D643F |
| 7692 | Ethelium.exe | C:\Users\admin\AppData\Local\Temp\Jam.xlsm | binary | 57A11CB279781D50C9F5D0E23ABABC0C | 93530394527EB650554002BD5339AD7801AC7389BA651F188AD1042A30EE9B24 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 8176 | Biography.com | 104.21.7.123:443 | amniotjnrt.run | CLOUDFLARENET | — | unknown |
| 7488 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4724 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| XxDHwjICkgNIHiirKOwsv.XxDHwjICkgNIHiirKOwsv | | unknown |
| amniotjnrt.run | | unknown |
| activation-v2.sls.microsoft.com | | whitelisted |