File name:

3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9

Full analysis: https://app.any.run/tasks/7edf51a2-2c12-459c-a8e3-30ab512368ef
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 29, 2024, 07:07:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
lumma
loader
proxy
goproxy
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
MD5:

D6AB8DA3BD0065C5F9EF7E4C1524C853

SHA1:

A7E0F197FCBBA885EF9CF61BF0694BE269B50AC5

SHA256:

3ED1B57FD5EFA3D95F88A8E06E06337253F4427AAC41ACCC2F2FE334EA7FDCC9

SSDEEP:

49152:+7QOROuuN7qvrqBH+EEwu5X6boqmVhcOHGGJWDPHKsMV22eKSfu1+YzFVjy4DXeU:XEMmTHGSW2sK22eKN1+Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • BitLockerToGo.exe (PID: 5028)

    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 5028)

    • Steals credentials from Web Browsers

      • BitLockerToGo.exe (PID: 5028)

    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 5028)

    • GOPROXY has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 3992)

    • Connects to the CnC server

      • BitLockerToGo.exe (PID: 3992)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • 3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe (PID: 3816)

    • Application launched itself

      • BitLockerToGo.exe (PID: 5028)

    • Connects to unusual port

      • BitLockerToGo.exe (PID: 3992)

  • INFO

    • The sample compiled with english language support

      • 3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe (PID: 3816)

    • Checks supported languages

      • BitLockerToGo.exe (PID: 5028)
      • 3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe (PID: 3816)
      • BitLockerToGo.exe (PID: 3992)

    • Reads the computer name

      • BitLockerToGo.exe (PID: 5028)

    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 5028)

    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 5028)

    • Create files in a temporary directory

      • BitLockerToGo.exe (PID: 3992)

    • Application based on Golang

      • BitLockerToGo.exe (PID: 3992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 1788416
InitializedDataSize: 135680
UninitializedDataSize: -
EntryPoint: 0x5de60
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.3.2.812
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Aman
CompanyName: Hongkong Guangling NetWork Technology Co., Ltd.
FileDescription: Aman
FileVersion: 2,3,2,0812
LegalCopyright: Copyright (C) 2021 Hongkong Guangling NetWork Technology Co., Ltd.
OriginalFileName: Set-up.exe
ProductName: Aman.exe
ProductVersion: 2.3.2.0812
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe no specs #LUMMA bitlockertogo.exe #GOPROXY bitlockertogo.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3816"C:\Users\admin\Desktop\3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe" C:\Users\admin\Desktop\3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exeexplorer.exe
User:
admin
Company:
Hongkong Guangling NetWork Technology Co., Ltd.
Integrity Level:
MEDIUM
Description:
Aman
Exit code:
666
Version:
2,3,2,0812
Modules
Images
c:\users\admin\desktop\3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3992"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
BitLockerToGo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
5028"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
666
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events
4 621
Read events
4 621
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3992BitLockerToGo.exeC:\Users\admin\AppData\Local\Temp\configbinary
MD5:AA3756493016D1976C9349EEB29D7874
SHA256:C854DC390F543DCE6813D67D1747B4F3DB374A296DB13B467D7F21EC90A0FCCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
27
DNS requests
8
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3992
BitLockerToGo.exe
GET
200
46.8.232.106:30001
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0dfF.ore2kBf&md5=a64beab5d4516beca4c40b25dc0c1cd8&proxyPassword=dUZKyymJ&proxyUsername=cACUQSOf&userId=GwhkeMIXedr6k95cAje2l7kZetpIxXXDa1K3
unknown
malicious
POST
200
188.114.97.3:443
https://mooncobudy.click/api
unknown
text
2 b
malicious
POST
200
188.114.96.3:443
https://mooncobudy.click/api
unknown
text
18.3 Kb
malicious
POST
200
188.114.96.3:443
https://mooncobudy.click/api
unknown
text
16 b
malicious
POST
200
188.114.97.3:443
https://mooncobudy.click/api
unknown
text
16 b
malicious
POST
200
188.114.97.3:443
https://mooncobudy.click/api
unknown
text
16 b
malicious
POST
200
188.114.96.3:443
https://mooncobudy.click/api
unknown
text
16 b
malicious
POST
200
188.114.96.3:443
https://mooncobudy.click/api
unknown
text
116 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5028
BitLockerToGo.exe
188.114.97.3:443
mooncobudy.click
CLOUDFLARENET
NL
malicious
5028
BitLockerToGo.exe
92.113.16.51:443
geai.ch
PJSC Ukrtelecom
UA
unknown
3992
BitLockerToGo.exe
46.8.232.106:30001
Fiord Networks, UAB
RU
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
mooncobudy.click
  • 188.114.97.3
  • 188.114.96.3
malicious
geai.ch
  • 92.113.16.51
unknown
self.events.data.microsoft.com
  • 52.182.143.215
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
A Network Trojan was detected
PROXY [ANY.RUN] GoProxy Check-in
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
3ed1b57fd5efa3d95f88a8e06e06337253f4427aac41accc2f2fe334ea7fdcc9