File name:

Brutex.exe

Full analysis: https://app.any.run/tasks/59b2c955-ea7a-4b79-b94f-7c0f81674996
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: September 08, 2024, 08:47:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:

874E1F5BF09EB6361C065CEBA2C10767

SHA1:

FA374DE396D0267CC5F0FD0307C7A54538AD1E46

SHA256:

0EF1D4BE6ED364101BD09309A5D218172762460579E47DC024F7C35C1B5DE7CD

SSDEEP:

98304:Ka40snAPqGXvxt23X3MaOh0GR/2PnyBD5IcgFhQTbE2VHPtlylnoyKv6tKOAVujT:Ot6Ne

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • Brutex.exe (PID: 7132)

    • Connects to the CnC server

      • svchost.exe (PID: 2256)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2256)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2256)

  • INFO

    • Checks supported languages

      • Brutex.exe (PID: 7132)
      • BitLockerToGo.exe (PID: 4604)

    • Reads the computer name

      • Brutex.exe (PID: 7132)
      • BitLockerToGo.exe (PID: 4604)

    • Checks proxy server information

      • Brutex.exe (PID: 7132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7132) Brutex.exe
C2 (9)holicisticscrarws.shop
obsceneclassyjuwks.shop
miniaturefinerninewjs.shop
boredimperissvieos.shop
zippyfinickysofwps.shop
acceptabledcooeprs.shop
greetclassifytalk.shop
sweetsquarediaslw.shop
plaintediousidowsko.shop
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.36
CodeSize: 8438784
InitializedDataSize: 22279680
UninitializedDataSize: 654848
EntryPoint: 0x14c0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4230
ProductVersionNumber: 10.0.19041.4230
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Brutex
FileDescription: Brutex
FileVersion: 10.0.19041.4230 (WinBuild.160101.0800)
InternalName: Brutex
LegalCopyright: © Brutex. All rights reserved.
OriginalFileName: Brutex.exe
ProductName: Brutex
ProductVersion: 10.0.19041.4230
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA brutex.exe no specs bitlockertogo.exe no specs #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4604C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeBrutex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
7132"C:\Users\admin\Desktop\Brutex.exe" C:\Users\admin\Desktop\Brutex.exe
explorer.exe
User:
admin
Company:
Brutex
Integrity Level:
MEDIUM
Description:
Brutex
Exit code:
666
Version:
10.0.19041.4230 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\brutex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
Lumma
(PID) Process(7132) Brutex.exe
C2 (9)holicisticscrarws.shop
obsceneclassyjuwks.shop
miniaturefinerninewjs.shop
boredimperissvieos.shop
zippyfinickysofwps.shop
acceptabledcooeprs.shop
greetclassifytalk.shop
sweetsquarediaslw.shop
plaintediousidowsko.shop
Total events
1 574
Read events
1 574
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7132Brutex.exeC:\Users\Public\Libraries\pdpdm.scif
MD5:
SHA256:
7132Brutex.exeC:\Users\Public\Libraries\miaif.scif
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
12
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6856
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6248
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6248
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6856
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6856
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6248
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
greetclassifytalk.shop
malicious
acceptabledcooeprs.shop
malicious
obsceneclassyjuwks.shop
malicious
zippyfinickysofwps.shop
malicious
miniaturefinerninewjs.shop
malicious
plaintediousidowsko.shop
malicious
sweetsquarediaslw.shop
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (greetclassifytalk .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (obsceneclassyjuwks .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (holicisticscrarws .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (acceptabledcooeprs .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (zippyfinickysofwps .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miniaturefinerninewjs .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (boredimperissvieos .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (plaintediousidowsko .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sweetsquarediaslw .shop)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Brutex.exe