File name:	lumma.exe
Full analysis:	https://app.any.run/tasks/5849a46d-d79d-4167-ab9b-6c943a68cbdd
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 08, 2025, 10:12:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer opendir
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	5BFFEC5B786B54B8FE06990047BC093D
SHA1:	D00B98ED1046B04E04B90FC79F3DC97D9B92ACF2
SHA256:	25B251A6B74D9D65060CBCF1FCB404252F0146F884039346960C28C369062A2E
SSDEEP:	98304:vhvla/0/18J1+3lh5KDHMk+vyibPenLxkafigws7PbSQ2mkNtxoIllWdyKi0KCxT:uJtShV0j8xzOYo

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:08:11 13:00:00+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	107520
InitializedDataSize:	32768
UninitializedDataSize:	-
EntryPoint:	0x19e3c
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	24.8.0.0
ProductVersionNumber:	24.8.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Igor Pavlov
FileDescription:	7z Setup SFX
FileVersion:	24.08
InternalName:	7zS.sfx
LegalCopyright:	Copyright (c) 1999-2024 Igor Pavlov
OriginalFileName:	7zS.sfx.exe
ProductName:	7-Zip
ProductVersion:	24.08


(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(4244) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 409E4763C5892F00
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(4244) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: A6604F63C5892F00
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328160
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {E05C9616-9126-44F3-8E7D-7B54BFBC4E11}
(PID) Process:	(4244) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328160
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {F1D94315-0014-4201-8D3A-10C43105CB82}
(PID) Process:	(6744) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6744) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2

PID	Process	Filename		Type
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\array_chunk2.phpt		text
		MD5:8FE5D970030A74AA1FC9825D3B5DE1C7	SHA256:A85E02D4C396A945AFE1E81558689EB439A7F83EB15F4DE79C9BD5BC88C4F16C
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug26614.inc		text
		MD5:2F470B7A57285B88046D33D7007F6ACD	SHA256:F526D39426818E7514C25534DE26C7ACE703A8987A2E3F05837E9F997DF95E15
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug79191.phpt		text
		MD5:6D247ACF9D28FAB348F3BA5B1459996D	SHA256:1F39F502FF5F1E7860A9BC23B0AB203B1ED61078E0D680BEF7C7F158E32A3BB4
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\arrayObject___construct_basic3.phpt		text
		MD5:7EAEB98023C7721AC0DF5036F909F1BE	SHA256:6FEF1730F6D814596906A3FA218E76012A72B535A287BF28C6EF929A3FF55C82
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\bug77024.phpt		text
		MD5:4BD6C6A6178A045BE1D276F9F67FA1CE	SHA256:3346EEE325EA7D3F490029A6D1791E655C385987B4BFD0E438507F128EB5D5E6
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\03sync_query.phpt		text
		MD5:CAD599879E500E45DACECE792436191B	SHA256:B32C4448507DC19583366D6791A28657A4322331A612B5B9895E099325660EE0
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\button_element.c		text
		MD5:9322B075AF482BF9C4F1656A850DFC2B	SHA256:2BFC9F1B0F51843B82C7900CA34BBD83A6E1E816BFA07862381A57CE5B643802
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\gh16829_2.inc		text
		MD5:2F5285430DBFD0D8EA2A06874C719EED	SHA256:8DE806AEA30482F9C674967BC84912496262D623C5FB400FB3CA9AB2EC6A345F
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\gdparttopng.c		text
		MD5:D00E8CC1D229E844CE342BF031D6EA61	SHA256:01C0B38CB815BF658B3BB672865468146A7D304D0924FFF07E567E276302ABEC
2676	lumma.exe	C:\Users\admin\AppData\Local\Temp\7zS47A66A43\Data\inference_004.phpt		text
		MD5:2FD32D83D88F86A74482C0AA10797534	SHA256:DB79E3E454DE3A4D4DED4BBDFA329EDFE9E2C54A1132E1B3516E878641468FAE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	OPTIONS	503	2.19.126.152:443	https://bzib.nelreports.net/api/report?cat=bingbusiness	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	23.10.249.17:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	104.90.25.175:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	13.107.246.45:443	https://edge-mobile-static.azureedge.net/eccp/get?settenant=edge-config&setplatform=win&setmkt=en-US&setchannel=stable	unknown	binary	14.3 Kb	whitelisted
—	—	GET	303	137.208.57.37:443	https://cran.r-project.org/package=lattice	unknown	html	334 b	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/work/api/v2/tenant/my/settingswithflights?&clienttype=edge-omnibox	unknown	binary	591 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	768 b	whitelisted
—	—	GET	200	13.107.21.239:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	binary	637 b	whitelisted
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1	unknown	binary	10.2 Kb	whitelisted
—	—	GET	200	137.208.57.37:443	https://cran.r-project.org/web/packages/multicore/index.html	unknown	html	945 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
904	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:138	—	—	—	unknown
4712	MoUsoCoreWorker.exe	23.10.249.17:80	crl.microsoft.com	Akamai International B.V.	CH	whitelisted
4712	MoUsoCoreWorker.exe	104.90.25.175:80	www.microsoft.com	AKAMAI-AS	BE	whitelisted
904	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4244	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
2088	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted
crl.microsoft.com	23.10.249.17 23.10.249.24	whitelisted
www.microsoft.com	104.90.25.175	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
cran.r-project.org	137.208.57.37	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.253.45	whitelisted
bzib.nelreports.net	2.19.126.152 2.19.126.145	whitelisted

General Info

lumma.exe

5BFFEC5B786B54B8FE06990047BC093D

D00B98ED1046B04E04B90FC79F3DC97D9B92ACF2

25B251A6B74D9D65060CBCF1FCB404252F0146F884039346960C28C369062A2E

98304:vhvla/0/18J1+3lh5KDHMk+vyibPenLxkafigws7PbSQ2mkNtxoIllWdyKi0KCxT:uJtShV0j8xzOYo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Drops 7-zip archiver for unpacking

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

INFO

Reads the computer name

The sample compiled with english language support

Checks supported languages

Create files in a temporary directory

The process uses the downloaded file

Manual execution by a user

Process checks computer location settings

Application launched itself

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings