| File name: | LummaC2.exe |
| Full analysis: | https://app.any.run/tasks/b165e638-737f-41d8-affd-8c223a9e1989 |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | October 06, 2024, 13:25:45 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 061B11BBD3E700CD49188188288E3494 |
| SHA1: | 484427C4E8B22C697B9041980C85599AB622B07B |
| SHA256: | 3E30182114E0817494F285E08CBF42F6E1F17AEFFD82CEEBC4E187931E96C02A |
| SSDEEP: | 12288:3Nuvj0hk1RRtOgpLz4mfiH2EDDfBluufIe:3U3kKiWE3fBluuge |
MALICIOUS
LUMMA has been detected (YARA)
- LummaC2.exe (PID: 940)
SUSPICIOUS
No suspicious indicators.INFO
Reads the computer name
- LummaC2.exe (PID: 940)
Checks supported languages
- LummaC2.exe (PID: 940)
Reads the machine GUID from the registry
- LummaC2.exe (PID: 940)
Reads the software policy settings
- LummaC2.exe (PID: 940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Lumma
(PID) Process(940) LummaC2.exe
C2 (9)exilepolsiy.sbs
bemuzzeki.sbs
invinjurhey.sbs
exemplarou.sbs
frizzettei.sbs
laddyirekyi.sbs
isoplethui.sbs
epiloggati.sbs
wickedneatr.sbs
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:04 13:44:42+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 303104 |
| InitializedDataSize: | 56320 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd110 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
115
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 940 | "C:\Users\admin\Desktop\LummaC2.exe" | C:\Users\admin\Desktop\LummaC2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
Lumma(PID) Process(940) LummaC2.exe C2 (9)exilepolsiy.sbs bemuzzeki.sbs invinjurhey.sbs exemplarou.sbs frizzettei.sbs laddyirekyi.sbs isoplethui.sbs epiloggati.sbs wickedneatr.sbs | |||||||||||||||
Total events
3 236
Read events
3 236
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
35
DNS requests
15
Threats
18
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4288 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 92.122.104.90:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 24.8 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4288 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4288 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
940 | LummaC2.exe | 188.114.97.3:443 | epiloggati.sbs | CLOUDFLARENET | NL | malicious |
940 | LummaC2.exe | 188.114.96.3:443 | epiloggati.sbs | CLOUDFLARENET | NL | malicious |
4288 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
epiloggati.sbs |
| malicious |
frizzettei.sbs |
| malicious |
isoplethui.sbs |
| malicious |
exemplarou.sbs |
| malicious |
bemuzzeki.sbs |
| malicious |
exilepolsiy.sbs |
| malicious |
laddyirekyi.sbs |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |