File name:	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe
Full analysis:	https://app.any.run/tasks/9954633a-90f8-4409-b47b-5734e6d65a4a
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 17, 2025, 20:52:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	8A6C719CF97003955C89CBB7221851EF
SHA1:	D19F6C1E00A8231F2E9B6939743F673C63C6346C
SHA256:	51C317B6902B8EBA36BFE0D3FD37EA678DB221C01DFE9FA449ED2C901E82AE29
SSDEEP:	98304:gVzO3ukpTvwgehBGa8POF8TzN0+NkpB6Mx/m6Dx:O5

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:07:06 14:31:19+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	25600
InitializedDataSize:	431104
UninitializedDataSize:	16896
EntryPoint:	0x33e9
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	6.914.1.34762
ProductVersionNumber:	6.914.1.34762
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
ProductName:	NeuraLogix

PID	Process	Filename		Type
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\nsgDA4F.tmp\nsExec.dll		executable
		MD5:08E9796CA20C5FC5076E3AC05FB5709A	SHA256:8165C7AEF7DE3D3E0549776535BEDC380AD9BE7BB85E60AD6436F71528D092AF
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Cod.mpeg		binary
		MD5:7D5B3B2E6521D7150B9338E38D63016D	SHA256:100028D11490BD254095FB3FD727ECB5E2E65EC5EA28AD86CC6D2C2BDE9E49B9
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Case.mpeg		binary
		MD5:546CBD7566DDCDA61F22EEBE0B92BEAE	SHA256:BF317C3ED744FDE1C20A591B9BC879D36C26F2C2ACEB33EAA2E770920CB50C91
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Uniprotkb.mpeg		binary
		MD5:5A9F4CE83E029E878B189FC2F26AD926	SHA256:42DD54F7D4D1A0F3D150794A4B618D2B7D7672F5931B58F7AD30C08C5554736B
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Cooling.mpeg		binary
		MD5:65FF97C4F01C4EC0939B866096B7FF30	SHA256:87E0463C2CFF7F4A8841FE653877C80E74E767252381B631C22C52353F0D9FA2
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Continually.mpeg		binary
		MD5:59C896044877D4476A326E27B0B3D1DD	SHA256:29EF218CDBD2966FAE6506D412863C62EA6F89DA9BEAE67EF34D4D12B3D5077B
32	_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe	C:\Users\admin\AppData\Local\Temp\Actions.mpeg		binary
		MD5:25C630C9497F4424135D95752864EB7F	SHA256:A2DA617D246D26BC7E8B7938AA3142B62D05EE387703369F94F229ED12DEE111
6572	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Functional		abr
		MD5:71A9FECA281EE675AE6FF9E59684E45D	SHA256:1601C11286D65BF1351A5E06C5FA2690BF688EEEF5884E6F1739D34E05D793BE
6572	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Replacing		binary
		MD5:E10EA79F03F8808F7EB3F78186EBA006	SHA256:B2F58C4507723E37F5AEA5F5E6CC2B56F4D524DB91F471ECDED5D477DA4F0694
1668	cmd.exe	C:\Users\admin\AppData\Local\Temp\Revisions.mpeg.cmd		text
		MD5:BBE445D9B855755D41719A00D42658F9	SHA256:9D1E23E8320ADA23E5D1DBD0226F86FBD95EFA4E062DB87F45D71A6A3A1F58C7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4160	RUXIMICS.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4160	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
1880	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1880	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
1880	SIHClient.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4160	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4160	RUXIMICS.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4160	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 51.11.168.232	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.18 23.216.77.15 23.216.77.16 23.216.77.22 23.216.77.21 23.216.77.13 23.216.77.17 23.216.77.19 2.16.241.12 2.16.241.14	whitelisted
www.microsoft.com	95.101.149.131 2.23.246.101	whitelisted
tlzZTNgONdDx.tlzZTNgONdDx	—	unknown
login.live.com	20.190.160.131 40.126.32.133 40.126.32.140 40.126.32.76 20.190.160.64 40.126.32.136 20.190.160.65 20.190.160.22	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
neutee.pics	172.67.184.12 104.21.75.245	unknown
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

PID	Process	Class	Message
—	—	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed
—	—	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed

General Info

_51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29.exe

8A6C719CF97003955C89CBB7221851EF

D19F6C1E00A8231F2E9B6939743F673C63C6346C

51C317B6902B8EBA36BFE0D3FD37EA678DB221C01DFE9FA449ED2C901E82AE29

98304:gVzO3ukpTvwgehBGa8POF8TzN0+NkpB6Mx/m6Dx:O5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

SUSPICIOUS

Using 'findstr.exe' to search for text patterns in files and output

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Get information on the list of running processes

Runs PING.EXE to delay simulation

There is functionality for taking screenshot (YARA)

Searches for installed software

Starts application with an unusual extension

Starts the AutoIt3 executable file

The executable file from the user directory is run by the CMD process

INFO

Create files in a temporary directory

Checks supported languages

The sample compiled with english language support

Reads mouse settings

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings