analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Setup_v1.0.5.exe

Full analysis: https://app.any.run/tasks/a407f006-ee45-420d-b576-f259094df091
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: June 08, 2024, 20:31:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:

71093DFE2BC1B3D65ACAF5CC8177CDAF

SHA1:

3F11200D6CA7CE563D39676AAD116A646B9A7F0C

SHA256:

6EEA2773C1B4B5C6FB7C142933E220C96F9A4EC89055BF0CF54ACCDCDE7DF535

SSDEEP:

98304:OrYQGm3sWFNkyuKAM5aOhCkXh4e42GZSCeI:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • Setup_v1.0.5.exe (PID: 6884)
      • Setup_v1.0.5.exe (PID: 6488)
      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

    • Drops the executable file immediately after the start

      • Setup_v1.0.5.exe (PID: 6488)

    • LUMMA has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

  • SUSPICIOUS

    • Searches for installed software

      • BitLockerToGo.exe (PID: 7012)
      • BitLockerToGo.exe (PID: 6952)

  • INFO

    • Checks supported languages

      • Setup_v1.0.5.exe (PID: 6488)
      • Setup_v1.0.5.exe (PID: 6884)
      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

    • Manual execution by a user

      • Setup_v1.0.5.exe (PID: 6884)

    • Reads the computer name

      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)

    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 6952)
      • BitLockerToGo.exe (PID: 7012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

OriginalFileName: Setup_v1.0.5
ProductVersion: 1.0.0.0
ProductName: Setup_v1.0.5
LegalTrademarks: All rights reserved
LegalCopyright: Copyright (c) 2024, Setup_v1.0.5
FileVersion: 1.1.0.0
FileDescription: Setup_v1.0.5
CompanyName: Setup_v1.0.5
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 6.1
ImageVersion: -
OSVersion: 6.1
EntryPoint: 0x14c0
UninitializedDataSize: 378880
InitializedDataSize: 10742272
CodeSize: 3320832
LinkerVersion: 2.36
PEType: PE32+
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
TimeStamp: 0000:00:00 00:00:00
MachineType: AMD AMD64
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA setup_v1.0.5.exe no specs #LUMMA setup_v1.0.5.exe #LUMMA bitlockertogo.exe #LUMMA bitlockertogo.exe

Process information

PID
CMD
Path
Indicators
Parent process
6488"C:\Users\admin\Desktop\Setup_v1.0.5.exe" C:\Users\admin\Desktop\Setup_v1.0.5.exe
explorer.exe
User:
admin
Company:
Setup_v1.0.5
Integrity Level:
MEDIUM
Description:
Setup_v1.0.5
Exit code:
666
Version:
1.1.0.0
Modules
Images
c:\users\admin\desktop\setup_v1.0.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6884"C:\Users\admin\Desktop\Setup_v1.0.5.exe" C:\Users\admin\Desktop\Setup_v1.0.5.exe
explorer.exe
User:
admin
Company:
Setup_v1.0.5
Integrity Level:
HIGH
Description:
Setup_v1.0.5
Exit code:
666
Version:
1.1.0.0
Modules
Images
c:\users\admin\desktop\setup_v1.0.5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6952C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Setup_v1.0.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
7012C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Setup_v1.0.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
BitLocker To Go Reader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
10 161
Read events
9 915
Write events
246
Delete events
0

Modification events

(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-462
Value:
Afghanistan Standard Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-461
Value:
Afghanistan Daylight Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-222
Value:
Alaskan Standard Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-221
Value:
Alaskan Daylight Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2392
Value:
Aleutian Standard Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2391
Value:
Aleutian Daylight Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2162
Value:
Altai Standard Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2161
Value:
Altai Daylight Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-392
Value:
Arab Standard Time
(PID) Process:(6488) Setup_v1.0.5.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-391
Value:
Arab Daylight Time
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6488Setup_v1.0.5.exeC:\Users\Public\Libraries\bfbih.scif
MD5:
SHA256:
6488Setup_v1.0.5.exeC:\Users\Public\Libraries\ncgbe.scif
MD5:
SHA256:
6884Setup_v1.0.5.exeC:\Users\Public\Libraries\dmhlj.scif
MD5:
SHA256:
6884Setup_v1.0.5.exeC:\Users\Public\Libraries\jahdp.scif
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
30
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5632
RUXIMICS.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5632
RUXIMICS.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
POST
null:443
https://meltedpleasandtws.shop/api
unknown
POST
200
null:443
https://meltedpleasandtws.shop/api
unknown
text
14 b
POST
200
null:443
https://meltedpleasandtws.shop/api
unknown
text
2 b
POST
200
null:443
https://meltedpleasandtws.shop/api
unknown
text
14 b
POST
200
null:443
https://meltedpleasandtws.shop/api
unknown
text
16.5 Kb
POST
200
null:443
https://meltedpleasandtws.shop/api
unknown
text
16.5 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4364
svchost.exe
239.255.255.250:1900
unknown
5004
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5632
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
5632
RUXIMICS.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
5140
MoUsoCoreWorker.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5632
RUXIMICS.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
meltedpleasandtws.shop
  • 172.67.172.99
  • 104.21.71.242
unknown
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

PID
Process
Class
Message
6952
BitLockerToGo.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity M2
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
7012
BitLockerToGo.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity M2
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Setup_v1.0.5.exe