File name: Aura.exe

Full analysis: https://app.any.run/tasks/2be3b92c-a233-481d-8606-474d948ef34e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 05, 2025, 18:38:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
netreactor
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 4 sections
MD5: 320BF7FBC1C911B3359527BF0EA85FCA
SHA1: CB1B1244C5E5F902E21252DEE0F017D3D4A03046
SHA256: 3B2C100E17A3A58006BFA5AB9FC0BD4A3951F6CA5449D0D8FF7F8F1B3A2C9884
SSDEEP: 12288:jtKoLPC8Y4W5Ndj0xkWZM6HvssjwoMW3l4/4SBcJTL7:jtK4PCxNh0CWZMwsuwoMWVrS2f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Aura.exe (PID: 1448)
      • Aura.exe (PID: 5340)
    • LUMMA mutex has been found

      • Aura.exe (PID: 5340)
    • Steals credentials from Web Browsers

      • Aura.exe (PID: 5340)
    • Connects to the CnC server

      • svchost.exe (PID: 2192)
    • Actions look like stealing of personal data

      • Aura.exe (PID: 5340)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • Aura.exe (PID: 5340)
    • LUMMA has been detected (YARA)

      • Aura.exe (PID: 5340)
    • Stealers network behavior

      • Aura.exe (PID: 5340)
  • SUSPICIOUS

    • Application launched itself

      • Aura.exe (PID: 1448)
    • Executes application which crashes

      • Aura.exe (PID: 1448)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2192)
      • Aura.exe (PID: 5340)
    • Connects to the server without a host name

      • Aura.exe (PID: 5340)
    • Process requests binary or script from the Internet

      • Aura.exe (PID: 5340)
  • INFO

    • Checks supported languages

      • Aura.exe (PID: 1448)
      • Aura.exe (PID: 5340)
    • Reads the computer name

      • Aura.exe (PID: 5340)
      • Aura.exe (PID: 1448)
    • Reads the software policy settings

      • Aura.exe (PID: 5340)
      • WerFault.exe (PID: 5872)
    • Reads the machine GUID from the registry

      • Aura.exe (PID: 5340)
    • Checks proxy server information

      • WerFault.exe (PID: 5872)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5872)
    • .NET Reactor protector has been detected

      • Aura.exe (PID: 5340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2064:09:21 17:53:14+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 34304
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0xa4be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: start, aura.exe, conhost.exe (no specs), aura.exe (#LUMMA), werfault.exe, svchost.exe (#LUMMA)

Process information

PID: 1448
CMD: "C:\Users\admin\Desktop\Aura.exe"
Path: C:\Users\admin\Desktop\Aura.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226505
Modules (Images):
c:\users\admin\desktop\aura.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3224
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Aura.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5340
CMD: "C:\Users\admin\Desktop\Aura.exe"
Path: C:\Users\admin\Desktop\Aura.exe
Parent process: Aura.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\aura.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 5872
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1448 -s 856
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Aura.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 9 299
Read events: 9 299
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5872 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aura.exe_4724175c1ff2da3c946950a8381a3cf04260dd3c_27bdd1c1_38bb54f7-3797-4a17-8ed7-b378bfa74111\Report.wer |
  MD5:
  SHA256:
5872 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Aura.exe.1448.dmp |
  MD5:
  SHA256:
5872 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7498.tmp.WERInternalMetadata.xml | xml
  MD5: 4DD2CA490D9C00437F99737CB927D4AE
  SHA256: D7935161402DF61FDAE2E68BD979B8D2C4C601565EDD10FCCA84C5575788E3CB
5872 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER74E7.tmp.xml | xml
  MD5: 540EF05B4B2F93E2CD832F0508D07243
  SHA256: 814DF8EA7EE210FD874DE582124499C2D96C6E2D50A4315F81243BF0C8F5AB65
5872 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER734F.tmp.dmp | binary
  MD5: E2AF3AA3D510020D32E0467398A0202C
  SHA256: E625C82134F321E0F9A3F6A4C2056ADFB25E4B363D10742D5885B5EB5D84FCE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 29
DNS requests: 9
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6072 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6072 | svchost.exe | GET | 200 | 184.30.230.103:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5340 | Aura.exe | GET | | 147.45.47.81:80 | http://147.45.47.81/conhost.exe | unknown | | | unknown
5340 | Aura.exe | POST | 200 | 104.21.16.1:443 | https://fancywaxxers.shop/api | unknown | text | 2 b | malicious
5340 | Aura.exe | POST | 200 | 104.21.32.1:443 | https://fancywaxxers.shop/api | unknown | text | 17 b | malicious
5340 | Aura.exe | POST | 200 | 104.21.96.1:443 | https://fancywaxxers.shop/api | unknown | text | 17 b | malicious
5340 | Aura.exe | POST | 200 | 104.21.112.1:443 | https://fancywaxxers.shop/api | unknown | text | 17 b | malicious
5340 | Aura.exe | POST | 200 | 104.21.16.1:443 | https://fancywaxxers.shop/api | unknown | text | 18.3 Kb | malicious
5340 | Aura.exe | POST | 200 | 104.21.80.1:443 | https://fancywaxxers.shop/api | unknown | text | 17 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6072 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6072 | svchost.exe | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5340 | Aura.exe | 104.21.96.1:443 | fancywaxxers.shop | CLOUDFLARENET | | malicious
6072 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6072 | svchost.exe | 184.30.230.103:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
unknown
google.com
  • 142.250.185.78
whitelisted
fancywaxxers.shop
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.32.1
malicious
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 184.30.230.103
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
self.events.data.microsoft.com
  • 51.116.253.170
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
5340 | Aura.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 23
5340 | Aura.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
No debug info