File name:	_1b107670d00d86e0791541131af5d663c74eec95c615ea2086925c30adb086c2.txt
Full analysis:	https://app.any.run/tasks/5a1ff616-9da8-41ad-b735-efe3ee8eec58
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 14, 2025, 19:20:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (65078), with CRLF line terminators
MD5:	BF943099CE63650294F8EF774C0B6CCB
SHA1:	C73AE7649F111CB8FACDA9643FFC22FDF5D07DE0
SHA256:	1B107670D00D86E0791541131AF5D663C74EEC95C615EA2086925C30ADB086C2
SSDEEP:	24576:SVyfs1K76tjuFDFybJk3lVu2TCSizExiPh3IncpKoHhTuv5TZir5ArH5b1ykMv7l:S4f7FxTKEwIn0K+uhT5rtQl


(PID) Process:	(2468) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2468) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2468) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2468) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(2468) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(2468) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	internat.exe
Value:
(PID) Process:	(1636) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(1636) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(1636) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1636) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	internat.exe
Value:

PID	Process	Filename		Type
5008	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t5iuitlb.0zn.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5008	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF177196.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF17a373.TMP		—
		MD5:—	SHA256:—
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
5008	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U1O6V9UMS0PDOH3FLD6G.temp		binary
		MD5:7DF848042EB29E39D28A690B81D7A246	SHA256:F6D88A5519848E0FF9A2716F1AE52735438577FFB21D6204478CD769186C57D0
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF17a383.TMP		—
		MD5:—	SHA256:—
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF17a383.TMP		—
		MD5:—	SHA256:—
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF17a383.TMP		—
		MD5:—	SHA256:—
2468	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
—	—	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
—	—	POST	200	188.114.97.3:443	https://abremeh.top/aure	US	binary	32.7 Kb	unknown
—	—	GET	200	216.58.212.163:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133	US	compressed	64.5 Kb	whitelisted
—	—	GET	200	142.250.185.170:443	https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	US	binary	41 b	whitelisted
1136	chrome.exe	GET	200	142.250.185.78:80	http://clients2.google.com/time/1/current?cup2key=8:4THYrdAjk9Z5J90Pf7k7TRy7xQUrD90cByeTaJk8dms&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	US	text	105 b	whitelisted
—	—	GET	200	142.250.186.68:443	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	US	text	4.49 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5240	explorer.exe	188.114.97.3:443	abremeh.top	CLOUDFLARENET	NL	unknown
1136	chrome.exe	142.250.186.35:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
1136	chrome.exe	142.250.181.234:443	safebrowsingohttpgateway.googleapis.com	GOOGLE	US	whitelisted
1136	chrome.exe	142.250.185.78:80	clients2.google.com	GOOGLE	US	whitelisted
1136	chrome.exe	66.102.1.84:443	accounts.google.com	GOOGLE	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
abremeh.top	188.114.97.3 188.114.96.3	unknown
clients2.google.com	142.250.185.78	whitelisted
safebrowsingohttpgateway.googleapis.com	142.250.181.234 142.250.186.42 142.250.185.234 142.250.186.74 142.250.185.170 142.250.184.234 172.217.16.202 172.217.18.106 142.250.185.106 172.217.23.106 142.250.185.74 142.250.185.138 216.58.212.170 172.217.18.10 216.58.206.74 142.250.185.202	whitelisted
clientservices.googleapis.com	142.250.186.35	whitelisted
accounts.google.com	66.102.1.84	whitelisted
www.google.com	142.250.186.164	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed

General Info

_1b107670d00d86e0791541131af5d663c74eec95c615ea2086925c30adb086c2.txt

BF943099CE63650294F8EF774C0B6CCB

C73AE7649F111CB8FACDA9643FFC22FDF5D07DE0

1B107670D00D86E0791541131AF5D663C74EEC95C615EA2086925C30ADB086C2

24576:SVyfs1K76tjuFDFybJk3lVu2TCSizExiPh3IncpKoHhTuv5TZir5ArH5b1ykMv7l:S4f7FxTKEwIn0K+uhT5rtQl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Dynamically loads an assembly (POWERSHELL)

Create files in the Startup directory

LUMMA mutex has been found

SUSPICIOUS

CSC.EXE is used to compile C# code

Uses base64 encoding (POWERSHELL)

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process executes via Task Scheduler

Application launched itself

Reads the date of Windows installation

Starts a Microsoft application from unusual location

Reads security settings of Internet Explorer

Process checks Powershell history file

INFO

Create files in a temporary directory

Reads the machine GUID from the registry

Gets data length (POWERSHELL)

Checks supported languages

Launching a file from the Startup directory

The sample compiled with english language support

Application launched itself

Reads the software policy settings

Reads the computer name

Creates files in the program directory

Process checks whether UAC notifications are on

Manual execution by a user

Process checks Powershell version

Process checks computer location settings

Reads Environment values

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings