File name:

0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866

Full analysis: https://app.any.run/tasks/d8574fcb-463b-4a10-aece-2eda3cf287b2
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: September 28, 2024, 16:02:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7690744E892C390707607EE3DA29979E

SHA1:

B98B5CF903BE24549DF8934193FE7FE390E906D5

SHA256:

0A64EC8AC294E8FEBA01306293974A105B7ABF93783DB1A813239055E5812866

SSDEEP:

98304:hFa1fDeiyp1o+jbkGIhyHd2NgHWcTFvUKbCPBePZrrV:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • 0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe (PID: 3812)
      • BitLockerToGo.exe (PID: 5736)

    • LUMMA has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 5736)

    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 5736)

    • Stealers network behavior

      • BitLockerToGo.exe (PID: 5736)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • 0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe (PID: 3812)
      • BitLockerToGo.exe (PID: 5736)

    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 5736)

    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 5736)

    • Reads the computer name

      • BitLockerToGo.exe (PID: 5736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 5417984
InitializedDataSize: 449536
UninitializedDataSize: -
EntryPoint: 0x73460
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 6.7.0.4921
ProductVersionNumber: 6.7.0.4921
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Cybertron Software Co., Ltd.
FileDescription: Privacy Eraser Free Setup
FileVersion: 6.7.0.4921
LegalCopyright: © 2002-2024 Cybertron Software Co., Ltd. All rights reserved.
OriginalFileName:
ProductName: Privacy Eraser Free
ProductVersion: 6.7.0.4921
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA 0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe no specs #LUMMA bitlockertogo.exe

Process information

PID
CMD
Path
Indicators
Parent process
3812"C:\Users\admin\Desktop\0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe" C:\Users\admin\Desktop\0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe
explorer.exe
User:
admin
Company:
Cybertron Software Co., Ltd.
Integrity Level:
MEDIUM
Description:
Privacy Eraser Free Setup
Exit code:
666
Version:
6.7.0.4921
Modules
Images
c:\users\admin\desktop\0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
5736"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
4 454
Read events
4 454
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
28
DNS requests
7
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
104.21.83.105:443
https://ptramidermsnqj.shop/api
unknown
text
15 b
malicious
POST
200
172.67.222.194:443
https://ptramidermsnqj.shop/api
unknown
html
4.29 Kb
malicious
POST
200
104.21.83.105:443
https://ptramidermsnqj.shop/api
unknown
text
16.6 Kb
malicious
POST
200
172.67.222.194:443
https://ptramidermsnqj.shop/api
unknown
text
15 b
malicious
POST
200
172.67.222.194:443
https://ptramidermsnqj.shop/api
unknown
text
15 b
malicious
POST
200
172.67.222.194:443
https://ptramidermsnqj.shop/api
unknown
text
15 b
malicious
POST
200
104.21.83.105:443
https://ptramidermsnqj.shop/api
unknown
text
15 b
malicious
POST
200
104.21.83.105:443
https://ptramidermsnqj.shop/api
unknown
text
48 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5736
BitLockerToGo.exe
104.21.83.105:443
ptramidermsnqj.shop
CLOUDFLARENET
malicious
3916
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ptramidermsnqj.shop
  • 104.21.83.105
  • 172.67.222.194
malicious

Threats

PID
Process
Class
Message
5736
BitLockerToGo.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity M2
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
0a64ec8ac294e8feba01306293974a105b7abf93783db1a813239055e5812866