File name:	Unpacker.exe
Full analysis:	https://app.any.run/tasks/3760c438-6986-463e-9896-64a5b0dd19e4
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 03, 2024, 13:33:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer possible-phishing exfiltration
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (console) Intel 80386, for MS Windows, 7 sections
MD5:	A76B2C677F5647AE31E40D17E54C1BF2
SHA1:	AA069AD7BC1A9D335BFC7EA197FEADFB590E4267
SHA256:	78B44C6F9788A8C520BB2539CAFC2AEA3D1AF4492C11F2AF36EE7E5EE6A41102
SSDEEP:	24576:6gekDGWpLL38bWPW5QbL/+PElJ/Da895wHMvJi4q7NG:6gekDGAn38bWPW5QbL/+PElJ/Da895ws

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:11:02 14:19:46+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	258048
InitializedDataSize:	72704
UninitializedDataSize:	-
EntryPoint:	0x21e90
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line

PID	Process	Filename		Type
1440	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Unpacker.exe_b52f5f5589331eb891d63c815e538dc79064ba8d_2548d183_8ff9009e-77e9-4e97-bbcd-821895445b8e\Report.wer		—
		MD5:—	SHA256:—
1440	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7BC.tmp.WERInternalMetadata.xml		xml
		MD5:1DDE2D9DCEF934FCDF4BB018A6AA2F9D	SHA256:15E8AA3779F51DB423FFCC2267B30FE3D8F612FCD725FC2ECB5D08BA12EF8F4D
1440	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD80B.tmp.xml		xml
		MD5:6F3AF66BB412892EDAF63763437CC851	SHA256:846917E7A3316DF1CB16154EE4421B7DAD37BA1649E3AC23C86AD934BCE29193
1440	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Unpacker.exe.6024.dmp		binary
		MD5:8D4619BA789F6C41CE0793E3943D717B	SHA256:A05444582CC42D68798C3698001AF438DE98B877233AE5B2AC4CCBFD8C913EA1
1440	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD71F.tmp.dmp		dmp
		MD5:9498B45547C2BF8AB78B82A988737616	SHA256:3B0EB6833CD4F27398B9E913FDEA12228588A089840718D6F4835605D3206C66

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7056	RUXIMICS.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6704	Unpacker.exe	GET	—	147.45.47.81:80	http://147.45.47.81/conhost.exe	unknown	—	—	unknown
—	—	POST	200	172.67.145.203:443	https://goalyfeastz.site/api	unknown	text	16.6 Kb	malicious
—	—	POST	200	104.21.33.140:443	https://goalyfeastz.site/api	unknown	text	2 b	malicious
—	—	POST	200	104.21.33.140:443	https://goalyfeastz.site/api	unknown	text	17 b	malicious
—	—	POST	200	172.67.145.203:443	https://goalyfeastz.site/api	unknown	text	17 b	malicious
—	—	POST	200	104.21.33.140:443	https://goalyfeastz.site/api	unknown	text	17 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7056	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7056	RUXIMICS.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6704	Unpacker.exe	172.67.145.203:443	goalyfeastz.site	CLOUDFLARENET	US	malicious
6944	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
computeryrati.site	—	malicious
seallysl.site	—	malicious
opposezmny.site	—	malicious
goalyfeastz.site	172.67.145.203 104.21.33.140	malicious
www.microsoft.com	184.30.21.171	whitelisted
watson.events.data.microsoft.com	20.42.73.29	whitelisted
self.events.data.microsoft.com	52.182.143.215	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)
6704	Unpacker.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site)
2172	svchost.exe	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Suspected Malicious Domain by Cloudflare (computeryrati .site)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site)
6704	Unpacker.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer CnC Host Checkin
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity M2
—	—	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Win32/Lumma Stealer Check-In

General Info

Unpacker.exe

A76B2C677F5647AE31E40D17E54C1BF2

AA069AD7BC1A9D335BFC7EA197FEADFB590E4267

78B44C6F9788A8C520BB2539CAFC2AEA3D1AF4492C11F2AF36EE7E5EE6A41102

24576:6gekDGWpLL38bWPW5QbL/+PElJ/Da895wHMvJi4q7NG:6gekDGAn38bWPW5QbL/+PElJ/Da895ws

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (YARA)

LUMMA has been detected (SURICATA)

Connects to the CnC server

Stealers network behavior

Actions looks like stealing of personal data

SUSPICIOUS

Application launched itself

Executes application which crashes

Contacting a server suspected of hosting an CnC

Possible Social Engineering Attempted

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings