File name:

NETCrypt.exe

Full analysis: https://app.any.run/tasks/e4c295e7-45f3-47c4-88aa-e31c61771d18
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: September 14, 2024, 18:35:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A910FCE1E0740103D03B012BE583CCCB

SHA1:

F1623B626CA3658289801BC482B141C7BF14CFA5

SHA256:

66F3A6FCF27CCD08C29042A254AB3AE5310C4BD919E4488EAC7F7364F560A0E4

SSDEEP:

6144:afqHE5ww/f3LIU6OhlKxCvVUkgFbg82Aubmzo/NY43oYCx1uxQL8zzcts0EFB:8KL6f8U6OhEpkQM82p/r6/yzctdEFB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2256)

    • Connects to the CnC server

      • svchost.exe (PID: 2256)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2256)

  • INFO

    • Checks supported languages

      • RegAsm.exe (PID: 488)
      • NETCrypt.exe (PID: 5624)

    • Reads the computer name

      • NETCrypt.exe (PID: 5624)
      • RegAsm.exe (PID: 488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:06 13:39:22+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 344576
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x561de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: NETCrypt
FileVersion: 1.0.0.0
InternalName: NETCrypt.exe
LegalCopyright: Copyright © 2024
OriginalFileName: NETCrypt.exe
ProductName: NETCrypt
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start netcrypt.exe no specs conhost.exe no specs regasm.exe no specs #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
488"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeNETCrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3244\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeNETCrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5624"C:\Users\admin\Desktop\NETCrypt.exe" C:\Users\admin\Desktop\NETCrypt.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
NETCrypt
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\netcrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
469
Read events
469
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
13
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6424
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5796
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5796
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6424
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5796
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6424
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5796
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
sideindexfollowragelrew.pw
malicious
acceptabledcooeprs.shop
malicious
obsceneclassyjuwks.shop
malicious
zippyfinickysofwps.shop
malicious
miniaturefinerninewjs.shop
malicious
plaintediousidowsko.shop
malicious
sweetsquarediaslw.shop
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (acceptabledcooeprs .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miniaturefinerninewjs .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (holicisticscrarws .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sweetsquarediaslw .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (obsceneclassyjuwks .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (plaintediousidowsko .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (zippyfinickysofwps .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (boredimperissvieos .shop)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NETCrypt.exe