File name:

18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe

Full analysis: https://app.any.run/tasks/0c634979-15b2-42e1-8f96-d2e889267932
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 26, 2025, 15:16:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

9FD74D2ABBA10DDD2F4C525749FCD84F

SHA1:

3F48F29BC8FF8B334DCA5E8ABAC0B47613CF9904

SHA256:

18C8065794300CD166A196EFD102FD9D05B1BEAEAF3D65F249D8D670AC10C541

SSDEEP:

49152:P9w2T5NaWRCDN/aG2VcFRJf3UEDnh5APISKrJwUHAyILtHCn93MZbY49c2QheeLD:PqENa3D9aGaOeEDIlKCuAbC9ebYyUeeH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • LUMMA mutex has been found

      • Transsexual.com (PID: 5560)

    • LUMMA has been detected (SURICATA)

      • Transsexual.com (PID: 5560)

    • AutoIt loader has been detected (YARA)

      • Transsexual.com (PID: 5560)

    • Steals credentials from Web Browsers

      • Transsexual.com (PID: 5560)

    • Actions looks like stealing of personal data

      • Transsexual.com (PID: 5560)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Starts CMD.EXE for commands execution

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • cmd.exe (PID: 1480)

    • Get information on the list of running processes

      • cmd.exe (PID: 1480)

    • Executing commands from ".cmd" file

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1480)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1480)

    • Application launched itself

      • cmd.exe (PID: 1480)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1480)

    • The executable file from the user directory is run by the CMD process

      • Transsexual.com (PID: 5560)

    • There is functionality for taking screenshot (YARA)

      • Transsexual.com (PID: 5560)

    • Searches for installed software

      • Transsexual.com (PID: 5560)

  • INFO

    • Reads the computer name

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • extrac32.exe (PID: 5452)
      • Transsexual.com (PID: 5560)

    • Checks supported languages

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • Transsexual.com (PID: 5560)
      • extrac32.exe (PID: 5452)

    • Create files in a temporary directory

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)
      • extrac32.exe (PID: 5452)

    • Process checks computer location settings

      • 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe (PID: 6076)

    • Creates a new folder

      • cmd.exe (PID: 3552)

    • Reads mouse settings

      • Transsexual.com (PID: 5560)

    • Reads the software policy settings

      • Transsexual.com (PID: 5560)

    • Reads the machine GUID from the registry

      • Transsexual.com (PID: 5560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:09:26 13:21:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 489984
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
15
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA transsexual.com choice.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1468tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1480"C:\Windows\System32\cmd.exe" /c copy Estate Estate.cmd & Estate.cmdC:\Windows\SysWOW64\cmd.exe18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2324tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2800\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2956choice /d y /t 5C:\Windows\SysWOW64\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3552cmd /c md 473462C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3680findstr /I "opssvc wrsa" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5036findstr /V "Transit" Kirk C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
4 090
Read events
4 090
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Paragraphsbinary
MD5:FF9050ACCCD78752D3B159D25F03AB8B
SHA256:FC616895D20BF6F3C9AA49A4F767141131770860CC8935EF4FFDD33F568B883F
1480cmd.exeC:\Users\admin\AppData\Local\Temp\Estate.cmdtext
MD5:C9FB74EB2912DED3889C7E1BE8348C50
SHA256:5A9EC479D60DB60529BB293AE2744FB6CBC7DFDB5F93704ED6C35A87BB673900
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Shownbinary
MD5:76C8328D94671A268957210F3E5087B2
SHA256:81E4FC4BFC6D9A29BC5609FD230CD7F6A29BCFFD5B6AC3572E133CCE468F02D4
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Estatetext
MD5:C9FB74EB2912DED3889C7E1BE8348C50
SHA256:5A9EC479D60DB60529BB293AE2744FB6CBC7DFDB5F93704ED6C35A87BB673900
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Butterflybinary
MD5:67AF633BCDA822A689F0D4159FC8192A
SHA256:70E8300674ED637F96039B6A8998E1EFA860607477660C6F86D711CDF7E3C0A3
607618c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exeC:\Users\admin\AppData\Local\Temp\Votecompressed
MD5:D28DB7FD22DC2FBCE397BAFD6B6FCDB4
SHA256:E5AF4A5D579D966D088995F47A8980C2856082D9531F3F01B4767E43C940471D
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Recipesbinary
MD5:63C71B6D776CECC47C9139062276E8D6
SHA256:F0C1488318CF5BA2B32781D0D90FBA285173A64926BDAA367033459EE03026CD
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Arrivalsbinary
MD5:B02C6A9D78A70C70C36DB6295F34D2FE
SHA256:1E18B1414BF3B90EF200953C0736652769B91A531CBB01F22A7AAD349B78E8B1
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Shadebinary
MD5:E7E6D855492B77E14B7B9AF97DADCEC2
SHA256:7B4C95B4D6A3E5643910B428621D799B1128565C1AFB89D93565877C6C134722
5452extrac32.exeC:\Users\admin\AppData\Local\Temp\Poolsbinary
MD5:9F82C59BEC6378BBC2E2A9DF4096EEB3
SHA256:6977E79B088006AA1C041DCAD49D5E7D6B87A2B471DD3474ADA45AA4CDFFF96B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
2 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16.7 Kb
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
104.21.63.226:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
16 b
malicious
POST
200
172.67.172.91:443
https://sheayingero.shop/api
unknown
text
48 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.227.215:443
Ooredoo Q.S.C.
QA
unknown
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.227.208:443
Ooredoo Q.S.C.
QA
unknown
4712
MoUsoCoreWorker.exe
23.48.23.180:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.180
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.193
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.169
  • 23.48.23.159
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
vHsjdCmNUDDJ.vHsjdCmNUDDJ
unknown
sheayingero.shop
  • 104.21.63.226
  • 172.67.172.91
malicious
self.events.data.microsoft.com
  • 20.189.173.17
whitelisted

Threats

PID
Process
Class
Message
5560
Transsexual.com
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
18c8065794300cd166a196efd102fd9d05b1beaeaf3d65f249d8d670ac10c541.exe