File name:

573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26

Full analysis: https://app.any.run/tasks/360f692a-6e78-4210-90b9-4f04aeb785dd
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: December 07, 2024, 18:27:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

EB604E2A70243ACB885FE5A944A647C3

SHA1:

4F115ACFA7662547B877C75A6845297D49713621

SHA256:

573C1CE9085C71B0A2E2EE2C96FE3B47D3F941BF5E23E3F46289135EAA153D26

SSDEEP:

12288:tMDYxvU1IfNyqkld5vSsvQVVVV5VVVVV5:tbU1IfNyqkj5vST

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

    • Actions looks like stealing of personal data

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • LUMMA has been detected (YARA)

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Steals credentials from Web Browsers

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)
      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Executes application which crashes

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

  • INFO

    • Reads the computer name

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Checks supported languages

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Reads the machine GUID from the registry

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)

    • Reads the software policy settings

      • 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe (PID: 8)
      • WerFault.exe (PID: 5308)

    • Checks proxy server information

      • WerFault.exe (PID: 5308)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:06:11 10:44:20+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 235520
InitializedDataSize: 4096512
UninitializedDataSize: -
EntryPoint: 0x1663
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 100.0.0.0
ProductVersionNumber: 12.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Patched, Private build, Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Czech
CharacterSet: Unknown (08E2)
FileVersions: 35.75.55.77
ProductVersions: 84.66.56.33
InternalName: Folding
CompanyName: Bunch
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA 573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe #LUMMA svchost.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
8"C:\Users\admin\Desktop\573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe" C:\Users\admin\Desktop\573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5308C:\WINDOWS\SysWOW64\WerFault.exe -u -p 8 -s 1584C:\Windows\SysWOW64\WerFault.exe
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
9 237
Read events
9 237
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_573c1ce9085c71b0_a8a3965326276327b71aee537435afbe3681ba_404b4443_a7d5c6c9-65ed-4c99-927d-ab7307ea7afe\Report.wer
MD5:
SHA256:
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERCE6F.tmp.dmpbinary
MD5:28BEC6A26D18264B04867AA66758B487
SHA256:1F626F05BDABA7D58A9B353B862A3D85A4421130D97790D5D490F66DBF1B61B8
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERCF6B.tmp.xmlxml
MD5:722653261C565721E0EF249BC96F918E
SHA256:DCE8E5819ED298204E349E46AD0AA1141D9904DB5204169B369BCE449106A29F
5308WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WERCF3B.tmp.WERInternalMetadata.xmlxml
MD5:727ABC54978A4A9F79C5E82CBC4E8D08
SHA256:72642B10A37E0BB6E5B4D6F8D887CFA63E1A620773C94DAF2281FD5C797FF377
5308WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe.8.dmpbinary
MD5:9B50E1DC1455AF1F4D7ED08CED15C9DF
SHA256:D95D998673A7AF77BD588B64D3861ACA7A1E58C09962E452B000594568ED2A54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
28
DNS requests
10
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
188.114.96.3:443
https://brendon-sharjen.biz/api
unknown
text
2 b
malicious
POST
200
188.114.97.3:443
https://brendon-sharjen.biz/api
unknown
text
16 b
malicious
POST
200
188.114.96.3:443
https://brendon-sharjen.biz/api
unknown
text
16 b
malicious
POST
200
188.114.97.3:443
https://brendon-sharjen.biz/api
unknown
text
16.7 Kb
malicious
POST
200
188.114.97.3:443
https://brendon-sharjen.biz/api
unknown
text
16 b
malicious
POST
200
188.114.96.3:443
https://brendon-sharjen.biz/api
unknown
text
16 b
malicious
POST
200
188.114.96.3:443
https://brendon-sharjen.biz/api
unknown
text
16 b
malicious
POST
200
188.114.97.3:443
https://brendon-sharjen.biz/api
unknown
text
48 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.110.195:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
188.114.97.3:443
brendon-sharjen.biz
CLOUDFLARENET
NL
unknown
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.16.110.195
  • 2.16.110.179
  • 2.16.110.170
  • 2.16.110.136
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
brendon-sharjen.biz
  • 188.114.97.3
  • 188.114.96.3
unknown
www.microsoft.com
  • 23.52.120.96
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.21
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
8
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (brendon-sharjen .biz in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
573c1ce9085c71b0a2e2ee2c96fe3b47d3f941bf5e23e3f46289135eaa153d26