File name:

2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom

Full analysis: https://app.any.run/tasks/b76eb9de-9d11-46df-a04e-2a853c1ceaa4
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 17:41:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

BC8D5FFE5A0617F10807AC0045B3AA81

SHA1:

9B97E900EE31E1AAF19DCD448E04A99F02806E1B

SHA256:

51D400CD7E6D579D53F0E9BAB7CAF5994B1CCA2135FC7A5D9D11DD0AF0C6442C

SSDEEP:

49152:YSZQqnIi1cSHmuWZ8xDkdproFMpGpIkGCGP71b24oAFBU+qGHkdproFMpGpIkGCZ:YSZWiD68xDkde6cpIkqP7I47FW+qGHkY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 7556)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 7556)

  • SUSPICIOUS

    • Executes application which crashes

      • 2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 7508)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7556)

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 7556)

    • Searches for installed software

      • MSBuild.exe (PID: 7556)

  • INFO

    • Checks supported languages

      • 2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 7508)
      • MSBuild.exe (PID: 7556)

    • Reads the computer name

      • MSBuild.exe (PID: 7556)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 7556)

    • Reads the software policy settings

      • MSBuild.exe (PID: 7556)
      • slui.exe (PID: 8064)

    • Attempting to use instant messaging service

      • MSBuild.exe (PID: 7556)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7720)

    • Checks proxy server information

      • slui.exe (PID: 8064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7556) MSBuild.exe
C2 (10)emphatakpn.bet/ladk
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
racxilb.digital/ozi
posseswsnc.top/akds
https://t.me/kz_prokla1
testcawepr.run/dsap
saxecocnak.live/manj
blackswmxc.top/bgry
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:14 17:59:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 222720
InitializedDataSize: 68096
UninitializedDataSize: -
EntryPoint: 0x21538
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe #LUMMA msbuild.exe werfault.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7508"C:\Users\admin\Desktop\2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe" C:\Users\admin\Desktop\2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7556"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process(7556) MSBuild.exe
C2 (10)emphatakpn.bet/ladk
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
racxilb.digital/ozi
posseswsnc.top/akds
https://t.me/kz_prokla1
testcawepr.run/dsap
saxecocnak.live/manj
blackswmxc.top/bgry
7720C:\WINDOWS\system32\WerFault.exe -u -p 7508 -s 232C:\Windows\System32\WerFault.exe2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
8064C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
8 519
Read events
8 519
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7720WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-15_bc8d5_494dfd31688f34444856824bd6493c35bde035_d8b588a9_c59be377-9911-4c33-87a2-af2f795c3130\Report.wer
MD5:
SHA256:
7720WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C5.tmp.xmlxml
MD5:8FB0BE3CCE4CD912056C39A81B2D8D98
SHA256:E8E793D03CA321AA53EFA03E73859414F948593237E44593F14B6B01D91F7F19
7720WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD16B.tmp.dmpbinary
MD5:84D9B00D8F955440232F180B1DFC9A44
SHA256:9817ACC441676C6142D0752473B0F9B0F8E8F6C0BEA3DE835D27B63253A8E8EC
7720WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERD276.tmp.WERInternalMetadata.xmlbinary
MD5:7D226972B51A4828271F36ACD6571C6A
SHA256:471BABFE35C24F187107B7A45B4560AE4744E4D12B814E9C82CB06B231F83D45
7720WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom.exe.7508.dmpbinary
MD5:942934A2635E2D6FA574591F0C14B370
SHA256:31F1ADC48103298D847C02BCB21BBF944F8CEB170FE689F5996B9C4FC3DD2A1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
27
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2656
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2656
RUXIMICS.exe
GET
200
23.48.23.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
2656
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2656
RUXIMICS.exe
23.48.23.138:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2656
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7556
MSBuild.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
7556
MSBuild.exe
104.21.32.1:443
racxilb.digital
CLOUDFLARENET
unknown
7188
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.138
  • 23.48.23.147
  • 23.48.23.141
  • 23.48.23.134
  • 23.48.23.146
  • 23.48.23.140
  • 23.48.23.139
  • 23.48.23.143
  • 23.48.23.193
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
t.me
  • 149.154.167.99
whitelisted
racxilb.digital
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.64.1
unknown
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
7556
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-15_bc8d5ffe5a0617f10807ac0045b3aa81_black-basta_cobalt-strike_ryuk_satacom