File name:

milfbreeder.exe

Full analysis: https://app.any.run/tasks/547a49c1-1cde-461e-a3f5-ec02ceef0fbc
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 22, 2024, 16:45:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

0E37839474980BB6693AB9C0C1CF6338

SHA1:

1F457DCEC32503C922C6716EE0371E3784D09EA3

SHA256:

29BA1AD6E030F66A63608B7B75DA630138E385302706A32DF83E8118F0FC08D1

SSDEEP:

12288:c01dxMsq6AH+CRiRFGSAWOTg4jgSJnpHc/4a0bj6f11QNPNv9kUqLJqfu5oJDGME:cxsqLtRiRFGSAWOTH0SJnp8/4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • milfbreeder.exe (PID: 4540)

    • LUMMA has been detected (SURICATA)

      • aspnet_regiis.exe (PID: 3688)

    • Actions looks like stealing of personal data

      • aspnet_regiis.exe (PID: 3688)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • milfbreeder.exe (PID: 4540)

    • Searches for installed software

      • aspnet_regiis.exe (PID: 3688)

    • Contacting a server suspected of hosting an CnC

      • aspnet_regiis.exe (PID: 3688)

  • INFO

    • Checks supported languages

      • milfbreeder.exe (PID: 4540)
      • aspnet_regiis.exe (PID: 3688)

    • Reads the computer name

      • milfbreeder.exe (PID: 4540)
      • aspnet_regiis.exe (PID: 3688)

    • Reads the software policy settings

      • aspnet_regiis.exe (PID: 3688)

    • Creates files or folders in the user directory

      • milfbreeder.exe (PID: 4540)

    • Reads the machine GUID from the registry

      • aspnet_regiis.exe (PID: 3688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:22 09:06:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 125440
InitializedDataSize: 277504
UninitializedDataSize: -
EntryPoint: 0x6a00a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.2.0.9
ProductVersionNumber: 1.2.0.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Mozilla Firefox browser for all.
CompanyName: Mozilla Firefox
FileDescription: Mozilla Firefox
FileVersion: 1.2.0.9
InternalName: NailRemover_crypted.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: Mozilla Firefox
OriginalFileName: NailRemover_crypted.exe
ProductName: Mozilla Firefox Solutions
ProductVersion: 1.2.0.9
AssemblyVersion: 1.2.0.9
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start milfbreeder.exe conhost.exe no specs #LUMMA aspnet_regiis.exe

Process information

PID
CMD
Path
Indicators
Parent process
3688"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
milfbreeder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_regiis.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_regiis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
4280\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exemilfbreeder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4540"C:\Users\admin\Desktop\milfbreeder.exe" C:\Users\admin\Desktop\milfbreeder.exe
explorer.exe
User:
admin
Company:
Mozilla Firefox
Integrity Level:
MEDIUM
Description:
Mozilla Firefox
Exit code:
0
Version:
1.2.0.9
Modules
Images
c:\users\admin\desktop\milfbreeder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
3 871
Read events
3 871
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4540milfbreeder.exeC:\Users\admin\AppData\Roaming\d3d9.dllexecutable
MD5:9E54CD9D781FD4501A3F37721C9286DF
SHA256:5549EF085E75253A8D1D7EDAA008CAD0EC7EE93D050CC390C42689593D37659C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
25
DNS requests
5
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4012
RUXIMICS.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5712
svchost.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.18.121.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
4012
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5712
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
POST
200
null:443
https://stalfbaclcalorieeis.shop/api
unknown
text
15.4 Kb
3688
aspnet_regiis.exe
POST
200
null:443
https://stalfbaclcalorieeis.shop/api
unknown
text
16 b
POST
200
null:443
https://stalfbaclcalorieeis.shop/api
unknown
text
16 b
2908
OfficeClickToRun.exe
POST
200
13.89.178.27:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
3688
aspnet_regiis.exe
POST
200
null:443
https://stalfbaclcalorieeis.shop/api
unknown
text
16 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5712
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4012
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5140
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4012
RUXIMICS.exe
2.18.121.147:80
crl.microsoft.com
AKAMAI-AS
FR
unknown
5712
svchost.exe
2.18.121.147:80
crl.microsoft.com
AKAMAI-AS
FR
unknown
5140
MoUsoCoreWorker.exe
2.18.121.147:80
crl.microsoft.com
AKAMAI-AS
FR
unknown
5712
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4012
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3688
aspnet_regiis.exe
188.114.96.3:443
stalfbaclcalorieeis.shop
CLOUDFLARENET
NL
unknown
5456
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.18.121.147
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
stalfbaclcalorieeis.shop
  • 188.114.96.3
  • 188.114.97.3
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
whitelisted

Threats

PID
Process
Class
Message
2184
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stalfbaclcalorieeis .shop)
3688
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (stalfbaclcalorieeis .shop in TLS SNI)
3688
aspnet_regiis.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
3688
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (stalfbaclcalorieeis .shop in TLS SNI)
3688
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (stalfbaclcalorieeis .shop in TLS SNI)
3688
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (stalfbaclcalorieeis .shop in TLS SNI)
3688
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (stalfbaclcalorieeis .shop in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
milfbreeder.exe