File name: Neverlose.cc-unpadded.exe

Full analysis: https://app.any.run/tasks/e76091c8-b252-4f69-b745-becc7b26f9ee
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: December 27, 2024, 23:38:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: lumma, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 7 sections
MD5: F597948F04BE76E6ACBD59ED828276AA
SHA1: 6E702CC562321343E0528A7F78E19CC40C46E6AF
SHA256: 7A0E67B82FBC363758A2B4B61CD6042AAB6A88AE9DC955E40C84CC56BF69D692
SSDEEP: 24576:tXjBxGgssR0PPUgicBHGGIzpaBNteVAdiFtNa9L:BjBxG7sCPPUncBHGGIzpcNteVAdiFtNs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
    • Actions look like stealing of personal data

      • Neverlose.cc-unpadded.exe (PID: 3812)
    • LUMMA has been detected (YARA)

      • Neverlose.cc-unpadded.exe (PID: 3812)
    • Connects to the CnC server

      • svchost.exe (PID: 2192)
    • Steals credentials from Web Browsers

      • Neverlose.cc-unpadded.exe (PID: 3812)
    • LUMMA mutex has been found

      • Neverlose.cc-unpadded.exe (PID: 3812)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Neverlose.cc-unpadded.exe (PID: 132)
      • Neverlose.cc-unpadded.exe (PID: 3812)
    • Process drops legitimate windows executable

      • Neverlose.cc-unpadded.exe (PID: 132)
    • Application launched itself

      • Neverlose.cc-unpadded.exe (PID: 132)
    • Executes application which crashes

      • Neverlose.cc-unpadded.exe (PID: 132)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2192)
  • INFO

    • The sample was compiled with English language support

      • Neverlose.cc-unpadded.exe (PID: 132)
    • Reads the computer name

      • Neverlose.cc-unpadded.exe (PID: 3812)
    • Checks supported languages

      • Neverlose.cc-unpadded.exe (PID: 3812)
      • Neverlose.cc-unpadded.exe (PID: 132)
    • Reads the machine GUID from the registry

      • Neverlose.cc-unpadded.exe (PID: 3812)
    • Reads the software policy settings

      • Neverlose.cc-unpadded.exe (PID: 3812)
      • WerFault.exe (PID: 4520)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4520)
    • Checks proxy server information

      • WerFault.exe (PID: 4520)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:21 15:08:14+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 194048
InitializedDataSize: 62976
UninitializedDataSize: -
EntryPoint: 0x14bbb
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: RPC Ping Utility
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: RpcPing.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: RpcPing.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
Total processes: 123
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, neverlose.cc-unpadded.exe, conhost.exe (no specs), neverlose.cc-unpadded.exe (#LUMMA), werfault.exe, svchost.exe (#LUMMA)

Process information

PID: 132
CMD: "C:\Users\admin\Desktop\Neverlose.cc-unpadded.exe"
Path: C:\Users\admin\Desktop\Neverlose.cc-unpadded.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: RPC Ping Utility
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\desktop\neverlose.cc-unpadded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2088
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Neverlose.cc-unpadded.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 3812
CMD: "C:\Users\admin\Desktop\Neverlose.cc-unpadded.exe"
Path: C:\Users\admin\Desktop\Neverlose.cc-unpadded.exe
Parent process: Neverlose.cc-unpadded.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: RPC Ping Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\desktop\neverlose.cc-unpadded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

PID: 4520
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 132 -s 364
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: Neverlose.cc-unpadded.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 9 296
Read events: 9 296
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID: 4520 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Neverlose.cc-unp_21a4a2231d9179346f9c10beb6ae6f63eab45495_0113eb6b_2e3a270c-ff5a-44ff-8a29-6d5b17eac3e8\Report.wer
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 4520 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER65B3.tmp.WERInternalMetadata.xml
Type: xml
MD5: 8524F1F6F532F1CFEC720EEDA3F8C32C
SHA256: 32B1C8ED3DE1B15C632FB875883EBEA3475654105C7E0E19ECF84DC44EC496EC

PID: 4520 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER65E3.tmp.xml
Type: xml
MD5: 3EBF5ECC32C002D5DC4495BC7E75C843
SHA256: 7CAF7DAEFD9533B1B0F0EFEA1949AC9397C6C3B0C1574E8916360673A89F89A8

PID: 4520 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6535.tmp.dmp
Type: dmp
MD5: 1B8A0BA72F9F905B402F482298173CD7
SHA256: 98E836D78C37009792C5DCDD697F89C413AC817ECC80C2D5431C488CA8BAB2F4

PID: 4520 | Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Neverlose.cc-unpadded.exe.132.dmp
Type: dmp
MD5: 8FD0D07D37FBA204130A5CA51F082AD7
SHA256: 4989E87A6D96E9983938AF89C821E9A523217CDB82B943C32345372E110A7F6B
HTTP(S) requests: 13
TCP/UDP connections: 30
DNS requests: 19
Threats: 9

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 34.7 Kb | whitelisted
POST | 200 | 172.67.157.254:443 | https://lev-tolstoi.com/api | unknown | text | 2 b | malicious
POST | 200 | 104.21.66.86:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious
POST | 200 | 104.21.66.86:443 | https://lev-tolstoi.com/api | unknown | text | 18.2 Kb | malicious
POST | 200 | 172.67.157.254:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious
POST | 200 | 172.67.157.254:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious
POST | 200 | 104.21.66.86:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious
POST | 200 | 172.67.157.254:443 | https://lev-tolstoi.com/api | unknown | text | 48 b | malicious
POST | 200 | 172.67.157.254:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious
POST | 200 | 104.21.66.86:443 | https://lev-tolstoi.com/api | unknown | text | 17 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2624 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 192.168.100.255:137 | – | – | – | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
– | – | 2.23.209.179:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
3812 | Neverlose.cc-unpadded.exe | 104.102.49.254:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted
4520 | WerFault.exe | 104.208.16.94:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3812 | Neverlose.cc-unpadded.exe | 104.21.66.86:443 | lev-tolstoi.com | CLOUDFLARENET | – | malicious
2624 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
www.bing.com | 2.23.209.179, 2.23.209.189, 2.23.209.187, 2.23.209.133, 2.23.209.140, 2.23.209.165, 2.23.209.182, 2.23.209.149, 2.23.209.185 | whitelisted
google.com | 216.58.206.78 | whitelisted
bellflamre.click | – | unknown
grannyejh.lat | – | malicious
discokeyus.lat | – | malicious
necklacebudi.lat | – | malicious
energyaffai.lat | – | malicious
aspecteirs.lat | – | malicious
sustainskelet.lat | – | malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacebudi .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aspecteirs .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sustainskelet .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (energyaffai .lat)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crosshuaht .lat)
Debug output: No debug info