File name:	1634057cc5ff967579fd610822628b576227875e5287a59dd76d7258b72bd20c.exe
Full analysis:	https://app.any.run/tasks/10838cbf-d0c3-4e68-8ae2-912e06d866cd
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 19, 2025, 02:22:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lumma themida attachments attc-unc susp-attachments
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	CE3077867DB91FEFAD34E156837C4375
SHA1:	555FA235E6FB16D7E461D1DCE39B29A76E0A27CE
SHA256:	1634057CC5FF967579FD610822628B576227875E5287A59DD76D7258B72BD20C
SSDEEP:	98304:5cSigcN+m1Dju8PUMN8dPkekFdKqOeCN+cNZSj46s15IP78OjNPsk3hJxEQKURC4:/M

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:11 12:57:56+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	313856
InitializedDataSize:	46592
UninitializedDataSize:	-
EntryPoint:	0x4b3000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	35.2 Kb	whitelisted
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	35.2 Kb	whitelisted
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	25.8 Kb	whitelisted
—	—	POST	—	104.21.96.1:443	https://pupmeholk.bet/pLoska	unknown	—	—	malicious
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	25.8 Kb	whitelisted
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	35.2 Kb	whitelisted
—	—	GET	200	23.212.216.106:443	https://steamcommunity.com/profiles/76561199822375128	unknown	html	35.2 Kb	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	200	104.21.32.1:443	https://pupmeholk.bet/pLoska	unknown	binary	70 b	malicious
—	—	POST	200	104.21.32.1:443	https://pupmeholk.bet/pLoska	unknown	binary	13.8 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2236	1634057cc5ff967579fd610822628b576227875e5287a59dd76d7258b72bd20c.exe	104.73.234.102:443	steamcommunity.com	AKAMAI-AS	DE	whitelisted
2236	1634057cc5ff967579fd610822628b576227875e5287a59dd76d7258b72bd20c.exe	104.21.64.1:443	pupmeholk.bet	CLOUDFLARENET	—	malicious
5556	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5548	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
kbracketba.shop	—	malicious
featureccus.shop	—	malicious
mrodularmall.top	—	malicious
jowinjoinery.icu	—	malicious
legenassedk.top	—	malicious
htardwarehu.icu	—	malicious
cjlaspcorne.icu	—	malicious
bugildbett.top	—	malicious

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2196	svchost.exe	Potentially Bad Traffic	ET INFO DNS Query for Suspicious .icu Domain
2196	svchost.exe	A Network Trojan was detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (bugildbett .top)
2196	svchost.exe	A Network Trojan was detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (mrodularmall .top)
2196	svchost.exe	A Network Trojan was detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (jowinjoinery .icu)
2196	svchost.exe	A Network Trojan was detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (legenassedk .top)
2196	svchost.exe	A Network Trojan was detected	STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (htardwarehu .icu)

General Info

1634057cc5ff967579fd610822628b576227875e5287a59dd76d7258b72bd20c.exe

CE3077867DB91FEFAD34E156837C4375

555FA235E6FB16D7E461D1DCE39B29A76E0A27CE

1634057CC5FF967579FD610822628B576227875E5287A59DD76D7258B72BD20C

98304:5cSigcN+m1Dju8PUMN8dPkekFdKqOeCN+cNZSj46s15IP78OjNPsk3hJxEQKURC4:/M

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads the BIOS version

Searches for installed software

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Themida protector has been detected

Reads the software policy settings

Manual execution by a user

Reads Microsoft Office registry keys

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings