File name:

Xeno-Executor.zip

Full analysis: https://app.any.run/tasks/ac068fcd-b0d3-45c6-86be-e49e2b945419
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: December 21, 2024, 01:34:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-doc
arch-exec
lumma
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

869116454C2E854AF01F973D653CA8A6

SHA1:

906606CA55A15B5CEB894EFC24EB6D7F62EBB5DB

SHA256:

7D591A894CA6BEAF880FDCF0B321B3F7379C7324AFAB3AD72CB965A17CEF150F

SSDEEP:

24576:2JQD8olVRqlowqYh0mdQ2he1Jf875nC66JnJPPx/xE7i2CU88X7IikznJnqWPE/3:2JQD8olVRqlowqYh0mdQ2h6Jf875C66c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • MpCmdRun.exe (PID: 4544)
      • MpCmdRun.exe (PID: 3296)

    • Executing a file with an untrusted certificate

      • Xeno-Executor.exe (PID: 4840)
      • Xeno-Executor.exe (PID: 1224)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • Xeno-Executor.exe (PID: 1224)

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

    • Actions looks like stealing of personal data

      • Xeno-Executor.exe (PID: 1224)

    • LUMMA mutex has been found

      • Xeno-Executor.exe (PID: 1224)

    • Steals credentials from Web Browsers

      • Xeno-Executor.exe (PID: 1224)

    • LUMMA has been detected (YARA)

      • Xeno-Executor.exe (PID: 1224)

  • SUSPICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3612)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3612)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 3612)

    • Application launched itself

      • Xeno-Executor.exe (PID: 4840)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 3612)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)
      • Xeno-Executor.exe (PID: 1224)

  • INFO

    • Manual execution by a user

      • notepad.exe (PID: 5868)
      • Xeno-Executor.exe (PID: 4840)
      • notepad.exe (PID: 5200)
      • notepad.exe (PID: 6076)
      • OpenWith.exe (PID: 4708)
      • OpenWith.exe (PID: 2992)
      • notepad.exe (PID: 5712)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3612)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 4544)

    • Checks supported languages

      • MpCmdRun.exe (PID: 4544)
      • Xeno-Executor.exe (PID: 4840)
      • Xeno-Executor.exe (PID: 1224)
      • MpCmdRun.exe (PID: 3296)

    • Reads the computer name

      • MpCmdRun.exe (PID: 4544)
      • Xeno-Executor.exe (PID: 1224)
      • MpCmdRun.exe (PID: 3296)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 3612)

    • Reads the software policy settings

      • Xeno-Executor.exe (PID: 1224)

    • Reads the machine GUID from the registry

      • Xeno-Executor.exe (PID: 1224)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5712)
      • notepad.exe (PID: 6076)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4708)
      • OpenWith.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:19 17:44:26
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Xeno-Executor/bin/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
17
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe notepad.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs xeno-executor.exe no specs conhost.exe no specs notepad.exe no specs #LUMMA xeno-executor.exe notepad.exe no specs #LUMMA svchost.exe notepad.exe no specs openwith.exe no specs openwith.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1224"C:\Users\admin\Desktop\Xeno-Executor.exe"C:\Users\admin\Desktop\Xeno-Executor.exe
Xeno-Executor.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\xeno-executor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2992"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Language.pimxC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3296"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3612.27180"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
3612"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Xeno-Executor.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3812C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR3612.27180\Rar$Scan109339.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4544"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
4708"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\DebugPPF.tmpC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4840"C:\Users\admin\Desktop\Xeno-Executor.exe" C:\Users\admin\Desktop\Xeno-Executor.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\xeno-executor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
6 667
Read events
6 657
Write events
10
Delete events
0

Modification events

(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Xeno-Executor.zip
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3612) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:writeName:DefScanner
Value:
Windows Defender
Executable files
6
Suspicious files
6
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\DLLs\Main.initext
MD5:5BF4353D089309E57865BA86D4199004
SHA256:96088D93BE0C39001E87B5647BC8FFDEF684A90FA02F0F91D430248F7C3415E2
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\bin\DebugPPT.tmpbinary
MD5:4969578A5FD8D113AB7783812849C1ED
SHA256:9F2B02BA814C2975A7B6ED5AA03345046A9C9D3036481A8A109B132A951E82A0
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\bin\Management.logtext
MD5:FF765D6581FE6568AAAE19DE239B2E7A
SHA256:4DD051DE9B04902FC59D411B1C27C42007CACCA4EA52E88D71C897CAD1D990CC
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\DLLs\Packaged\Main.inixml
MD5:7B53EBD64E5781E02EAEFB6739A6B556
SHA256:B975C9251EF7394DCC69F49E54DC5AA5E8DF32F9B5E8C687484DDD840EB94D20
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\DLLs\Language.pimxtext
MD5:01FBF905F95578B7C2EB370D5BD867B6
SHA256:A17506A018994501E0CF6847CEEE97F7CD9FFCFFC48B256D180175256FF5C0F7
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.18442\Xeno-Executor.zip\Xeno-Executor\DLLs\Packaged\Resource.dllcompressed
MD5:4427AEEE68321D0F4D7BEFA74E669F83
SHA256:A9661F89B8D957F4E71CBE1BA0342A39E5B50A1D80D974E2E1B349A273967F1B
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.27180\Xeno-Executor.zip\Xeno-Executor\bin\DebugPPT.tmpbinary
MD5:4969578A5FD8D113AB7783812849C1ED
SHA256:9F2B02BA814C2975A7B6ED5AA03345046A9C9D3036481A8A109B132A951E82A0
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.27180\Xeno-Executor.zip\Xeno-Executor\bin\Management.logtext
MD5:FF765D6581FE6568AAAE19DE239B2E7A
SHA256:4DD051DE9B04902FC59D411B1C27C42007CACCA4EA52E88D71C897CAD1D990CC
4544MpCmdRun.exeC:\Users\admin\AppData\Local\Temp\MpCmdRun.logtext
MD5:1CEC1741B0398220701F38CB3726EEA6
SHA256:55F9524D7C52F65AC038049CA03ACD4DD164153ED35571C36272014537F83B9A
3612WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR3612.27180\Xeno-Executor.zip\Xeno-Executor\bin\DebugPPF.tmpbinary
MD5:B1E68FABD5C19AAA21DE6351554AAE2E
SHA256:63909409D9C79950289701C4A58605EA7FCD30703163FCE0B4AC81204F0B3CCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
30
DNS requests
7
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
104.21.21.99:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
172.67.197.170:443
https://discokeyus.lat/api
unknown
text
18.2 Kb
malicious
POST
200
104.21.21.99:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
172.67.197.170:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
104.21.21.99:443
https://discokeyus.lat/api
unknown
text
2 b
malicious
POST
200
172.67.197.170:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
104.21.21.99:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
172.67.197.170:443
https://discokeyus.lat/api
unknown
text
16 b
malicious
POST
200
104.21.21.99:443
https://discokeyus.lat/api
unknown
text
48 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1224
Xeno-Executor.exe
172.67.197.170:443
discokeyus.lat
CLOUDFLARENET
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.133
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
bellflamre.click
malicious
grannyejh.lat
malicious
discokeyus.lat
  • 172.67.197.170
  • 104.21.21.99
malicious
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bellflamre .click)
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
1224
Xeno-Executor.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Xeno-Executor.zip