File name:	lumma.exe
Full analysis:	https://app.any.run/tasks/5849a46d-d79d-4167-ab9b-6c943a68cbdd
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 08, 2025, 10:12:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer opendir
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	5BFFEC5B786B54B8FE06990047BC093D
SHA1:	D00B98ED1046B04E04B90FC79F3DC97D9B92ACF2
SHA256:	25B251A6B74D9D65060CBCF1FCB404252F0146F884039346960C28C369062A2E
SSDEEP:	98304:vhvla/0/18J1+3lh5KDHMk+vyibPenLxkafigws7PbSQ2mkNtxoIllWdyKi0KCxT:uJtShV0j8xzOYo

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:08:11 13:00:00+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	107520
InitializedDataSize:	32768
UninitializedDataSize:	-
EntryPoint:	0x19e3c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	24.8.0.0
ProductVersionNumber:	24.8.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	24.08
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2024 Igor Pavlov
OriginalFileName:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	24.08


(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(4244) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 409E4763C5892F00
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(4244) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: A6604F63C5892F00
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328160
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {E05C9616-9126-44F3-8E7D-7B54BFBC4E11}
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328160
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {F1D94315-0014-4201-8D3A-10C43105CB82}
(PID) Process:	(6744) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6744) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2

PID	Process	Filename		Type
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\basename_basic.phpt		text
		MD5:3EFD7C903578564055BAAB694E0ADE79	SHA256:09BC603C893B2C487F7E6023003FE210FF425D808A4C1A7D42FB2E5B12D59586
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\gh16829_2.inc		text
		MD5:2F5285430DBFD0D8EA2A06874C719EED	SHA256:8DE806AEA30482F9C674967BC84912496262D623C5FB400FB3CA9AB2EC6A345F
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\contains_element_direct_descendent.phpt		text
		MD5:F2F6726E72E344139C14F57651B82990	SHA256:2FF05001837D2D6D6CE0996559FAC16387DDAB9E19558EEA00F3EF528C45C4C2
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\array_chunk2.phpt		text
		MD5:8FE5D970030A74AA1FC9825D3B5DE1C7	SHA256:A85E02D4C396A945AFE1E81558689EB439A7F83EB15F4DE79C9BD5BC88C4F16C
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug75318.phpt		text
		MD5:35C2A0E11C9848B0D1B25E85B4ED8F73	SHA256:3A30ED866B7E84E53CA618090710E3420DB746A2E624EA1EDF8E545A406B6761
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\button_element.c		text
		MD5:9322B075AF482BF9C4F1656A850DFC2B	SHA256:2BFC9F1B0F51843B82C7900CA34BBD83A6E1E816BFA07862381A57CE5B643802
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug79191.phpt		text
		MD5:6D247ACF9D28FAB348F3BA5B1459996D	SHA256:1F39F502FF5F1E7860A9BC23B0AB203B1ED61078E0D680BEF7C7F158E32A3BB4
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug77024.phpt		text
		MD5:4BD6C6A6178A045BE1D276F9F67FA1CE	SHA256:3346EEE325EA7D3F490029A6D1791E655C385987B4BFD0E438507F128EB5D5E6
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\doc_comment_internal_symbols2.phpt		text
		MD5:B95ACF233CC6A551A4E08FC89C64612C	SHA256:AC60679BBADA6C81632C9D2BA7753F16F6219B937A3EE22A32A3F2131F035A92
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\date_modify_basic1.phpt		text
		MD5:A6143429262B999AE70BC5BEC63A40C8	SHA256:CDDAEFB0D61EEDFABB42F89416FF056CB88DB44110E4A4DF788F9A65D400CCB8

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.10.249.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	104.90.25.175:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	OPTIONS	503	2.19.126.152:443	https://bzib.nelreports.net/api/report?cat=bingbusiness	unknown	—	—	unknown
—	—	GET	200	137.208.57.37:443	https://cran.r-project.org/web/orcid.svg	unknown	image	983 b	whitelisted
—	—	GET	200	137.208.57.37:443	https://cran.r-project.org/web/orcid.svg	unknown	image	983 b	unknown
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	43.2 Kb	whitelisted
—	—	GET	200	137.208.57.37:443	https://cran.r-project.org/web/packages/multicore/index.html	unknown	html	945 b	whitelisted
—	—	GET	200	13.107.246.45:443	https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false	unknown	binary	497 b	whitelisted
—	—	GET	200	137.208.57.37:443	https://cran.r-project.org/favicon.ico	unknown	image	5.30 Kb	whitelisted
—	—	GET	303	137.208.57.37:443	https://cran.r-project.org/package=lattice	unknown	html	334 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
904	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:138	—	—	—	unknown
4712	MoUsoCoreWorker.exe	23.10.249.17:80	crl.microsoft.com	Akamai International B.V.	CH	whitelisted
4712	MoUsoCoreWorker.exe	104.90.25.175:80	www.microsoft.com	AKAMAI-AS	BE	whitelisted
904	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4244	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
2088	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.10.249.17 23.10.249.24	whitelisted
www.microsoft.com	104.90.25.175	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
cran.r-project.org	137.208.57.37	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.253.45	whitelisted
bzib.nelreports.net	2.19.126.152 2.19.126.145	whitelisted

General Info

lumma.exe

5BFFEC5B786B54B8FE06990047BC093D

D00B98ED1046B04E04B90FC79F3DC97D9B92ACF2

25B251A6B74D9D65060CBCF1FCB404252F0146F884039346960C28C369062A2E

98304:vhvla/0/18J1+3lh5KDHMk+vyibPenLxkafigws7PbSQ2mkNtxoIllWdyKi0KCxT:uJtShV0j8xzOYo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (SURICATA)

SUSPICIOUS

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

INFO

Checks supported languages

Reads the computer name

The process uses the downloaded file

The sample compiled with english language support

Create files in a temporary directory

Manual execution by a user

Process checks computer location settings

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Application launched itself

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings