File name:

18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe

Full analysis: https://app.any.run/tasks/0c634979-15b2-42e1-8f96-d2e889267932
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 26, 2025, 15:16:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

9FD74D2ABBA10DDD2F4C525749FCD84F

SHA1:

3F48F29BC8FF8B334DCA5E8ABAC0B47613CF9904

SHA256:

18C8065794300CD166A196EFD102FD9D05B1BEAEAF3D65F249D8D670AC10C541

SSDEEP:

49152:P9w2T5NaWRCDN/aG2VcFRJf3UEDnh5APISKrJwUHAyILtHCn93MZbY49c2QheeLD:PqENa3D9aGaOeEDIlKCuAbC9ebYyUeeH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • LUMMA has been detected (SURICATA)

      • Transsexual.com (PID: 5560)

    • AutoIt loader has been detected (YARA)

      • Transsexual.com (PID: 5560)

    • LUMMA mutex has been found

      • Transsexual.com (PID: 5560)

    • Actions looks like stealing of personal data

      • Transsexual.com (PID: 5560)

    • Steals credentials from Web Browsers

      • Transsexual.com (PID: 5560)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Executing commands from ".cmd" file

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1480)

    • Starts CMD.EXE for commands execution

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • cmd.exe (PID: 1480)

    • Application launched itself

      • cmd.exe (PID: 1480)

    • Get information on the list of running processes

      • cmd.exe (PID: 1480)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1480)

    • The executable file from the user directory is run by the CMD process

      • Transsexual.com (PID: 5560)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1480)

    • There is functionality for taking screenshot (YARA)

      • Transsexual.com (PID: 5560)

    • Searches for installed software

      • Transsexual.com (PID: 5560)

  • INFO

    • Process checks computer location settings

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Reads the computer name

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • extrac32.exe (PID: 5452)
      • Transsexual.com (PID: 5560)

    • Create files in a temporary directory

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • extrac32.exe (PID: 5452)

    • Creates a new folder

      • cmd.exe (PID: 3552)

    • Checks supported languages

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • extrac32.exe (PID: 5452)
      • Transsexual.com (PID: 5560)

    • Reads mouse settings

      • Transsexual.com (PID: 5560)

    • Reads the machine GUID from the registry

      • Transsexual.com (PID: 5560)

    • Reads the software policy settings

      • Transsexual.com (PID: 5560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:09:26 13:21:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 489984
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
15
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA transsexual.com choice.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1468tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1480"C:\Windows\System32\cmd.exe" /c copy Estate Estate.cmd & Estate.cmdC:\Windows\SysWOW64\cmd.exe18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2800\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2956choice /d y /t 5C:\Windows\SysWOW64\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3552cmd /c md 473462C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3680findstr /I "opssvc wrsa" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5036findstr /V "Transit" Kirk C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
4 090
Read events
4 090
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Counterbinary
MD5:CC9E1534682BB14D0932D6BC78BD140D
SHA256:2358E6BC4B72178104734968CEE422C75B96EE4354362CEF63B3981121336A1B
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Paragraphsbinary
MD5:FF9050ACCCD78752D3B159D25F03AB8B
SHA256:FC616895D20BF6F3C9AA49A4F767141131770860CC8935EF4FFDD33F568B883F
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Butterflybinary
MD5:67AF633BCDA822A689F0D4159FC8192A
SHA256:70E8300674ED637F96039B6A8998E1EFA860607477660C6F86D711CDF7E3C0A3
1480cmd.exeC:\Users\admin\AppData\Local\Temp\Estate.cmdtext
MD5:C9FB74EB2912DED3889C7E1BE8348C50
SHA256:5A9EC479D60DB60529BB293AE2744FB6CBC7DFDB5F93704ED6C35A87BB673900
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Recipesbinary
MD5:63C71B6D776CECC47C9139062276E8D6
SHA256:F0C1488318CF5BA2B32781D0D90FBA285173A64926BDAA367033459EE03026CD
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Conflictsbinary
MD5:8C4C90B55CCCF4D12B55654B49EFD119
SHA256:954C5F25ACC2E21B2E3A6321B33786C52986B261B033B86D6701D08875452C8F
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Ohiobinary
MD5:9E81DF2E6E72AEF938FC607308721C4F
SHA256:FEA887FBE65C4174306ADC0D8FD0CB3F766504E297E983ED1BCD5ACE0D33BF20
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Arrivalsbinary
MD5:B02C6A9D78A70C70C36DB6295F34D2FE
SHA256:1E18B1414BF3B90EF200953C0736652769B91A531CBB01F22A7AAD349B78E8B1
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Poolsbinary
MD5:9F82C59BEC6378BBC2E2A9DF4096EEB3
SHA256:6977E79B088006AA1C041DCAD49D5E7D6B87A2B471DD3474ADA45AA4CDFFF96B
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Carrierbinary
MD5:0B43C7D364EA52CB2DAEE807EA1DE1B2
SHA256:92C6EBCD144863128D41B579DE74C0701637D23240A5EE24B52A37BE54C01C82
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
2 b
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
48 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16.7 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.227.215:443
Ooredoo Q.S.C.
QA
unknown
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.227.208:443
Ooredoo Q.S.C.
QA
unknown
4712
MoUsoCoreWorker.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.180
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.193
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.169
  • 23.48.23.159
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
vHsjdCmNUDDJ.vHsjdCmNUDDJ
unknown
sheayingero.shop
  • 104.21.63.226
  • 172.67.172.91
malicious
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

PID
Process
Class
Message
5560
Transsexual.com
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe