File name: 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch

Full analysis: https://app.any.run/tasks/764b858a-c80f-4f94-a59c-97983579f236
Verdict: Malicious activity
Threats:

Lumma is an information stealer written in C and sold as malware-as-a-service with several subscription plans. It targets cryptocurrency wallets, login credentials and other sensitive data on a compromised system, and it receives regular updates that expand its functionality, which keeps it among the more serious stealer threats.

Analysis date: October 02, 2024, 05:27:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9427E049399E92C0F1223869E77D3D2C
SHA1: D99BC674E4D235C252A972B0B0F57BDA904EDAB6
SHA256: 34D26D81241725A9966380E1A07B40DF5BA90E26FE24B7109F2F71300B6CD243
SSDEEP: 98304:DhgjySOn+9ggUNhkiVi3tSgV3BOR/8Fl1WtV5lzMITRfJjapvV3MwNmH8KP8HMls:BV3RpWhpF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stealers network behavior

      • BitLockerToGo.exe (PID: 3920)
    • LUMMA has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 3920)
    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 3920)
    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 3920)
  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe (PID: 3296)
  • INFO

    • Checks supported languages

      • 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe (PID: 3296)
      • BitLockerToGo.exe (PID: 3920)
    • Reads the computer name

      • 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe (PID: 3296)
      • BitLockerToGo.exe (PID: 3920)
    • Checks proxy server information

      • 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe (PID: 3296)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 3920)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 3920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process (3920) BitLockerToGo.exe
C2 (9):
  agentyanlark.site
  delaylacedmn.site
  famikyjdiag.site
  writekdmsnu.site
  bellykmrebk.site
  egodoubkeo.site
  underlinemdsj.site
  possiwreeste.site
  commandejorsk.site
Of the nine configured C2 domains only egodoubkeo.site was resolved and contacted during this run (see DNS requests and Connections below); the other eight were not touched, so a blocklist built from observed traffic alone would miss them.
No malware configuration.

TRiD

.exe | InstallShield setup (83.4)
.exe | Win32 Executable (generic) (8.7)
.exe | Generic Win/DOS Executable (3.8)
.exe | DOS Executable Generic (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 6752256
InitializedDataSize: 1068544
UninitializedDataSize: -
EntryPoint: 0x721d0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.0.1.2
ProductVersionNumber: 4.0.1.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: CutePDF Setup
CompanyName: Acro Software Inc.
FileDescription: CutePDF Writer Setup
FileVersion: 4.0.1.2
LegalCopyright: Copyright © 2003-2022 Acro Software Inc.
ProductName: CutePDF Writer
ProductVersion: 4.0.1.2
Note: the version resource (CutePDF Writer Setup, Acro Software Inc., 4.0.1.2) is metadata set by whoever built the binary and is not evidence of origin; the sample carries it to pass as a legitimate installer. The zeroed PE TimeStamp above is also unusual for a real commercial installer build.
Screenshots: all screenshots are available in the full report
Total processes: 117
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe (no specs) -> BitLockerToGo.exe (#LUMMA, THREAT)

Process information

PID 3296 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe"
Path: C:\Users\admin\Desktop\202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe
Indicators: no specs
User: admin
Company: Acro Software Inc.
Integrity Level: MEDIUM
Description: CutePDF Writer Setup
Exit code: 666
Version: 4.0.1.2
Modules (images):
c:\users\admin\desktop\202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
PID 3920 (parent process: 202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe, PID 3296)
CMD: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Indicators: #LUMMA
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker To Go Reader
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: every Lumma signature in this report (Suricata, YARA, stealer network behavior) fires in this process, a legitimate Microsoft binary launched from its standard Windows path by the sample, and not in the sample itself. No files were dropped and no write events were recorded, so the stealer code was placed into the running BitLockerToGo.exe process in memory; the report does not describe the injection mechanism.
Modules (images):
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
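The process chain above (a user-writable executable launching the signed BitLockerToGo.exe, which then opens a TLS connection to the C2) can be caught from endpoint telemetry regardless of which C2 domain is in use. The following Python is an added hunting example, not part of the ANY.RUN report: it correlates constructed Sysmon-style records (field names assumed to follow Sysmon Event ID 1 ProcessCreate and Event ID 3 NetworkConnect; timestamps and the benign control launch are made up, PIDs, images and the C2 host are taken from the report) and flags any BitLockerToGo.exe instance whose parent runs from a user-writable path or that initiates an outbound connection.

```python
"""Added hunting example (not from the ANY.RUN report): flag BitLockerToGo.exe
instances launched by a parent in a user-writable path or making outbound
connections.  Records mimic Sysmon Event ID 1 (ProcessCreate) and Event ID 3
(NetworkConnect) field names; the events at the bottom are constructed."""
from dataclasses import dataclass, field

# Path fragments that no trusted installer or system component should run from.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
TARGET_IMAGE = "\\bitlockertogo.exe"


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    reasons: list = field(default_factory=list)
    remote: list = field(default_factory=list)


def hunt(events):
    """Return one Finding per BitLockerToGo.exe process that looks abused."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            if not ev["Image"].lower().endswith(TARGET_IMAGE):
                continue
            parent = ev["ParentImage"].lower()
            f = Finding(pid, ev["Image"], ev["ParentImage"])
            if any(seg in parent for seg in USER_WRITABLE):
                f.reasons.append(f"parent runs from user-writable path: {ev['ParentImage']}")
            findings[pid] = f
        elif ev["EventID"] == 3 and pid in findings and ev.get("Initiated", True):
            # BitLocker To Go Reader is an offline volume reader; an outbound
            # connection it initiates has no legitimate purpose.
            dest = ev.get("DestinationHostname") or f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            findings[pid].remote.append(dest)
            findings[pid].reasons.append(f"outbound connection to {dest}")
    return [f for f in findings.values() if f.reasons]


SAMPLE_NAME = "202410029427e049399e92c0f1223869e77d3d2cpoetratsnatch.exe"
# Constructed events: PIDs, images and the C2 host come from the report,
# timestamps and the benign control launch (PID 5100) are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-10-02 05:27:40.000", "ProcessId": 3296,
     "Image": f"C:\\Users\\admin\\Desktop\\{SAMPLE_NAME}",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2024-10-02 05:27:41.000", "ProcessId": 3920,
     "Image": "C:\\Windows\\BitLockerDiscoveryVolumeContents\\BitLockerToGo.exe",
     "ParentImage": f"C:\\Users\\admin\\Desktop\\{SAMPLE_NAME}"},
    {"EventID": 3, "UtcTime": "2024-10-02 05:27:45.000", "ProcessId": 3920,
     "Initiated": True, "DestinationIp": "188.114.97.3", "DestinationPort": 443,
     "DestinationHostname": "egodoubkeo.site"},
    # Benign control: the reader opened by the shell from a removable drive, no network.
    {"EventID": 1, "UtcTime": "2024-10-02 05:29:00.000", "ProcessId": 5100,
     "Image": "E:\\BitLockerToGo.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}")
        for r in f.reasons:
            print("  -", r)
```

Only PID 3920 is reported, with both reasons; the control launch from explorer.exe with no network activity is silent. The correlation keys on the numeric PID for brevity; against real telemetry use Sysmon's ProcessGuid instead, since PIDs are reused after a process exits.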
Total events: 4 479
Read events: 4 479
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files: no data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 32
DNS requests: 6
Threats: 11

HTTP requests

PID  | Process     | Method | HTTP Code | IP               | URL                                                                | CN      | Type | Size    | Reputation
1448 | svchost.exe | GET    | 200       | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | -    | -       | whitelisted
-    | -           | POST   | 200       | 188.114.96.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 2 b     | malicious
-    | -           | POST   | 200       | 188.114.96.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 15 b    | malicious
-    | -           | POST   | 200       | 188.114.97.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 15 b    | malicious
-    | -           | POST   | 200       | 188.114.97.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 16.6 Kb | malicious
-    | -           | POST   | 200       | 188.114.96.3:443 | https://egodoubkeo.site/api                                        | unknown | -    | -       | malicious
-    | -           | POST   | 200       | 188.114.97.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 15 b    | malicious
-    | -           | POST   | 200       | 188.114.96.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 15 b    | malicious
-    | -           | POST   | 200       | 188.114.97.3:443 | https://egodoubkeo.site/api                                        | unknown | text | 48 b    | malicious

Cells marked "-" are empty in the report export. The export does not attach a PID to the POST rows; the Connections and Threats sections below attribute the egodoubkeo.site traffic to PID 3920 (BitLockerToGo.exe). The shape of the exchange is the Lumma check-in pattern: repeated POSTs to /api on a Cloudflare-fronted domain, most answered with bodies of a few bytes and one with a 16.6 Kb response.
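The HTTP table above gives two independent handles for hunting in web-proxy logs: the nine C2 domains from the extracted configuration, and the traffic shape itself (a burst of POSTs to /api answered with tiny bodies). The following Python is an added example, not part of the ANY.RUN report. It runs both checks over a constructed proxy log whose egodoubkeo.site rows mirror the response sizes in the table; the log format, the client addresses, the rotated-example.site rows and the api.example.com control rows are made up, as are the two thresholds.

```python
"""Added hunting example (not from the ANY.RUN report): find Lumma-style
check-in traffic in web-proxy logs, by matching the nine configured C2
domains and, independently, by the traffic shape (repeated POSTs to /api
answered with tiny bodies), which also catches a domain not yet on any list."""
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# C2 domains from the Lumma configuration extracted from PID 3920.
LUMMA_C2 = {
    "agentyanlark.site", "delaylacedmn.site", "famikyjdiag.site",
    "writekdmsnu.site", "bellykmrebk.site", "egodoubkeo.site",
    "underlinemdsj.site", "possiwreeste.site", "commandejorsk.site",
}
MIN_POSTS = 4          # assumed threshold; the report shows 8 POSTs in one run
MAX_MEDIAN_BYTES = 64  # assumed; 7 of the 8 replies in the report were 2 to 48 bytes

# Constructed proxy log: "<utc> <client> <method> <url> <status> <bytes or ->".
# egodoubkeo.site rows mirror the report's sizes (one row has no size, as in
# the report); rotated-example.site and api.example.com are made-up controls.
PROXY_LOG = """\
2024-10-02T05:27:45Z 10.0.0.15 GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl 200 1214
2024-10-02T05:27:50Z 10.0.0.15 POST https://egodoubkeo.site/api 200 2
2024-10-02T05:27:51Z 10.0.0.15 POST https://egodoubkeo.site/api 200 15
2024-10-02T05:27:52Z 10.0.0.15 POST https://egodoubkeo.site/api 200 15
2024-10-02T05:27:53Z 10.0.0.15 POST https://egodoubkeo.site/api 200 16600
2024-10-02T05:27:54Z 10.0.0.15 POST https://egodoubkeo.site/api 200 -
2024-10-02T05:27:55Z 10.0.0.15 POST https://egodoubkeo.site/api 200 15
2024-10-02T05:27:56Z 10.0.0.15 POST https://egodoubkeo.site/api 200 15
2024-10-02T05:27:57Z 10.0.0.15 POST https://egodoubkeo.site/api 200 48
2024-10-02T05:30:01Z 10.0.0.22 POST https://rotated-example.site/api 200 2
2024-10-02T05:30:02Z 10.0.0.22 POST https://rotated-example.site/api 200 15
2024-10-02T05:30:03Z 10.0.0.22 POST https://rotated-example.site/api 200 15
2024-10-02T05:30:04Z 10.0.0.22 POST https://rotated-example.site/api 200 40
2024-10-02T05:31:00Z 10.0.0.30 POST https://api.example.com/api 200 2048
2024-10-02T05:31:01Z 10.0.0.30 POST https://api.example.com/api 200 1987
2024-10-02T05:31:02Z 10.0.0.30 POST https://api.example.com/api 200 2210
2024-10-02T05:31:03Z 10.0.0.30 POST https://api.example.com/api 200 2048
"""


def parse_line(line):
    """Split one constructed log line into a record; '-' means size unknown."""
    ts, client, method, url, status, size = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": int(status), "bytes": None if size == "-" else int(size)}


def hunt(log_text):
    """Return one finding per (client, host) pair, listing the rules that fired."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            groups[(rec["client"], rec["host"])].append(rec)
    findings = []
    for (client, host), recs in groups.items():
        rules = []
        if host in LUMMA_C2:
            rules.append("ioc:lumma_c2_domain")
        posts = [r for r in recs if r["method"] == "POST" and r["path"] == "/api"]
        sizes = [r["bytes"] for r in posts if r["bytes"] is not None]
        # Median, not mean: the single 16.6 Kb reply would otherwise mask the burst.
        if len(posts) >= MIN_POSTS and sizes and median(sizes) <= MAX_MEDIAN_BYTES:
            rules.append("behaviour:post_api_small_replies")
        if rules:
            findings.append({"client": client, "host": host,
                             "requests": len(recs), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in hunt(PROXY_LOG):
        print(f["client"], f["host"], f["requests"], ", ".join(f["rules"]))
```

egodoubkeo.site trips both rules, the made-up rotated-example.site trips only the behavioural rule (which is the case the domain list cannot cover), and api.example.com, whose /api replies are kilobytes long, is left alone. Rows without a size are ignored for the median rather than treated as zero, so a logging gap cannot by itself produce a hit.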

Connections

PID  | Process           | IP                   | Domain                          | ASN                         | CN | Reputation
4    | System            | 192.168.100.255:137  | -                               | -                           | -  | whitelisted
1448 | svchost.exe       | 51.124.78.146:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
-    | -                 | 20.73.194.208:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe       | 239.255.255.250:1900 | -                               | -                           | -  | whitelisted
4    | System            | 192.168.100.255:138  | -                               | -                           | -  | whitelisted
1448 | svchost.exe       | 184.30.21.171:80     | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
1448 | svchost.exe       | 51.104.136.2:443     | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3920 | BitLockerToGo.exe | 188.114.97.3:443     | egodoubkeo.site                 | CLOUDFLARENET               | NL | malicious

Cells marked "-" are empty in the report export.

DNS requests

Domain                          | IP                                         | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208, 51.104.136.2 | whitelisted
google.com                      | 172.217.23.110                             | whitelisted
www.microsoft.com               | 184.30.21.171                              | whitelisted
egodoubkeo.site                 | 188.114.97.3, 188.114.96.3                 | malicious

Threats

PID  | Process           | Class                                         | Message
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | STEALER [ANY.RUN] Lumma Stealer TLS Connection
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | ET MALWARE Lumma Stealer Related Activity
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | ET MALWARE Lumma Stealer CnC Host Checkin
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | ET MALWARE Lumma Stealer Related Activity M2
3920 | BitLockerToGo.exe | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | ET MALWARE Lumma Stealer CnC Host Checkin
3920 | BitLockerToGo.exe | Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
3920 | BitLockerToGo.exe | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
3920 | BitLockerToGo.exe | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
3920 | BitLockerToGo.exe | A Network Trojan was detected                 | ET MALWARE Lumma Stealer CnC Host Checkin

1 ETPRO signature available at the full report
No debug info