File name:

SecuriteInfo.com.Variant.Mikey.154420.4177.25356

Full analysis: https://app.any.run/tasks/b4c56b34-e27c-419c-8820-fd7d24c5bd9c
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: October 08, 2023, 09:22:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

D466BDA2F8C5F5FB0595547E5A97D843

SHA1:

F245EC07D53FBC3A9EE1309A006CAC099A8548CF

SHA256:

09BCFEF16EBDB6EB335B71EC950E173C7488C0B071E7AD217EF66ACF1E9BC5A9

SSDEEP:

49152:T/xN9g9QI1AyJbRcimFNCi1JKahArOAkqkAvbwF+rQ:T/xNC9QI1PVRcBNCssahAiAR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe (PID: 2896)

    • LUMMA was detected

      • AppLaunch.exe (PID: 2280)

    • Connects to the CnC server

      • AppLaunch.exe (PID: 2280)

    • Actions looks like stealing of personal data

      • AppLaunch.exe (PID: 2280)

  • SUSPICIOUS

    • Reads the Internet Settings

      • AppLaunch.exe (PID: 2280)

    • Reads browser cookies

      • AppLaunch.exe (PID: 2280)

    • Searches for installed software

      • AppLaunch.exe (PID: 2280)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe (PID: 2896)
      • AppLaunch.exe (PID: 2280)

    • Reads the computer name

      • AppLaunch.exe (PID: 2280)

    • Checks proxy server information

      • AppLaunch.exe (PID: 2280)

    • Creates files or folders in the user directory

      • AppLaunch.exe (PID: 2280)

    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 2280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(2896) SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe
C2 (2)teleportfilmona.online
tipsydulljaui.website
Options
LummaIDkEyJAI--VIGOR
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:07 22:59:12+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 774144
InitializedDataSize: 1482752
UninitializedDataSize: -
EntryPoint: 0x1212
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA securiteinfo.com.variant.mikey.154420.4177.25356.exe #LUMMA applaunch.exe

Process information

PID
CMD
Path
Indicators
Parent process
2280"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
0
Version:
4.7.2558.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2896"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.variant.mikey.154420.4177.25356.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Lumma
(PID) Process(2896) SecuriteInfo.com.Variant.Mikey.154420.4177.25356.exe
C2 (2)teleportfilmona.online
tipsydulljaui.website
Options
LummaIDkEyJAI--VIGOR
Total events
389
Read events
377
Write events
12
Delete events
0

Modification events

(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000BD000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2280) AppLaunch.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2280AppLaunch.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MICM7F87.txttext
MD5:2F091B9217CEEF414D82067990FB7DA6
SHA256:B455DEDCBEEC5BCA021CA738BD64475D2373960F15CB9523238FAB6C321EE40E
2280AppLaunch.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J28XLDT8.txttext
MD5:EC3E34EBC3F6476F44C33E80A9D6A55A
SHA256:BC59CDB8BE240C013ABD8CEB228E81F2B45C62D857621FE78512A90B439D2C79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
42
DNS requests
1
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2280
AppLaunch.exe
GET
403
172.67.161.64:80
http://tipsydulljaui.website/
unknown
html
4.19 Kb
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
16.1 Kb
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
2280
AppLaunch.exe
POST
200
172.67.161.64:80
http://tipsydulljaui.website/api
unknown
text
2 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
2280
AppLaunch.exe
172.67.161.64:80
tipsydulljaui.website
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
tipsydulljaui.website
  • 172.67.161.64
  • 104.21.34.127
malicious

Threats

PID
Process
Class
Message
2280
AppLaunch.exe
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
2280
AppLaunch.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
2280
AppLaunch.exe
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
2280
AppLaunch.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
2280
AppLaunch.exe
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
2280
AppLaunch.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Variant.Mikey.154420.4177.25356