File name: Ulpack.exe

Full analysis: https://app.any.run/tasks/d910c451-8c9b-4119-a78e-6e17217b915c
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: August 11, 2024, 14:57:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
crypto-regex
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: FF7F5B4D3A9333D0FD2770B54A6AF6C3
SHA1: 17EA6F643DF3696F3F397459B5CC001EA6D47FDE
SHA256: 7256E2EF686FD33C3291D03D4B7A6FD2C2B3BF4049E38B3148B07952582E9DAA
SSDEEP: 98304:wf74KWZp6tm4f2OaOh3RlePN8eZSCRW/Hkx37WyRF2rzWk:j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (YARA)

      • Ulpack.exe (PID: 6440)
      • BitLockerToGo.exe (PID: 7044)
    • Stealers network behavior

      • BitLockerToGo.exe (PID: 7044)
    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 7044)
    • LUMMA has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 7044)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Ulpack.exe (PID: 6440)
    • Found regular expressions for crypto-addresses (YARA)

      • Ulpack.exe (PID: 6440)
    • There is functionality for communication over UDP network (YARA)

      • Ulpack.exe (PID: 6440)
    • Searches for installed software

      • BitLockerToGo.exe (PID: 7044)
  • INFO

    • Checks supported languages

      • BitLockerToGo.exe (PID: 7044)
      • Ulpack.exe (PID: 6440)
    • Reads the computer name

      • BitLockerToGo.exe (PID: 7044)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 7044)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 7044)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.36
CodeSize: 3530240
InitializedDataSize: 12001280
UninitializedDataSize: 584192
EntryPoint: 0x14c0
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.15.1.0
ProductVersionNumber: 5.15.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ulpack Software
FileDescription: ulpack
FileVersion: 5.15.1
LegalCopyright: ulpack
ProductName: ulpack
ProductVersion: 5.15.1
Total processes: 120
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> ulpack.exe (#LUMMA) -> bitlockertogo.exe (no specs, #LUMMA)

Process information

PID: 6440
CMD: "C:\Users\admin\Desktop\Ulpack.exe"
Path: C:\Users\admin\Desktop\Ulpack.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: ulpack Software
Integrity Level: MEDIUM
Description: ulpack
Exit code: 666
Version: 5.15.1
Modules (images):
c:\users\admin\desktop\ulpack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll

PID: 7044
CMD: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Indicators: -
Parent process: Ulpack.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker To Go Reader
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events: 5 152
Read events: 4 906
Write events: 246
Delete events: 0

Modification events

All ten recorded events share the same source and key:
(PID) Process: (6440) Ulpack.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write

Name | Value
C:\WINDOWS\system32\,@tzres.dll,-462 | Afghanistan Standard Time
C:\WINDOWS\system32\,@tzres.dll,-461 | Afghanistan Daylight Time
C:\WINDOWS\system32\,@tzres.dll,-222 | Alaskan Standard Time
C:\WINDOWS\system32\,@tzres.dll,-221 | Alaskan Daylight Time
C:\WINDOWS\system32\,@tzres.dll,-2392 | Aleutian Standard Time
C:\WINDOWS\system32\,@tzres.dll,-2391 | Aleutian Daylight Time
C:\WINDOWS\system32\,@tzres.dll,-2162 | Altai Standard Time
C:\WINDOWS\system32\,@tzres.dll,-2161 | Altai Daylight Time
C:\WINDOWS\system32\,@tzres.dll,-392 | Arab Standard Time
C:\WINDOWS\system32\,@tzres.dll,-391 | Arab Daylight Time
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6440 | Ulpack.exe | C:\Users\Public\Libraries\dnkll.scif | -
MD5:
SHA256:
6440 | Ulpack.exe | C:\Users\Public\Libraries\oepje.scif | -
MD5:
SHA256:
HTTP(S) requests: 8
TCP/UDP connections: 21
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 17 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 16.5 Kb | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 2 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 17 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 17 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 17 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 17 b | -
- | - | POST | 200 | null:443 | https://solutionpxmuzo.shop/api | unknown | text | 48 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3164 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1884 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7044 | BitLockerToGo.exe | 188.114.96.3:443 | solutionpxmuzo.shop | CLOUDFLARENET | NL | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 172.217.18.14 | whitelisted
solutionpxmuzo.shop | 188.114.96.3, 188.114.97.3 | malicious

Threats

PID | Process | Class | Message
7044 | BitLockerToGo.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info