File name:

7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7

Full analysis: https://app.any.run/tasks/8a72cbe0-7cb3-4ddb-96de-0f5063f52e12
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: November 04, 2024, 20:25:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
purecrypter
netreactor
lumma
stealer
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

BBA3D53B85B5CF52630E9DB7D8D8B270

SHA1:

454C9E7CDB6FBC11C0EDAF7F29AB5C54176854D6

SHA256:

7F260A5786A223B195576075400D70746DA12906B05F48F3F869BEA6918EB6C7

SSDEEP:

98304:EZn23qevdbN2hzmyUwyqEaDICsS4EeS9QR+IB0+2tDaXplLg84wnHKfMP1XYU8Cr:ZC/K+8ilSCNde+xt+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2172)

    • LUMMA has been detected (YARA)

      • sixdesigner.exe (PID: 7148)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2172)

    • PURECRYPTER has been detected (YARA)

      • sixdesigner.exe (PID: 6680)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe (PID: 300)

    • Starts a Microsoft application from unusual location

      • 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe (PID: 300)

    • Executable content was dropped or overwritten

      • 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe (PID: 300)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2172)

  • INFO

    • Create files in a temporary directory

      • 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe (PID: 300)

    • Checks supported languages

      • sixdesigner.exe (PID: 6680)
      • 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe (PID: 300)

    • Reads the machine GUID from the registry

      • sixdesigner.exe (PID: 6680)

    • Reads the computer name

      • sixdesigner.exe (PID: 6680)

    • .NET Reactor protector has been detected

      • sixdesigner.exe (PID: 6680)

    • Manual execution by a user

      • sixdesigner.exe (PID: 7148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7148) sixdesigner.exe
C2 (9)drawwyobstacw.sbs
condifendteu.sbs
allocatinow.sbs
punchudump.buzz
vennurviot.sbs
enlargkiw.sbs
resinedyw.sbs
mathcucom.sbs
ehticsprocw.sbs
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2062:07:25 12:18:00+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 31744
InitializedDataSize: 8930304
UninitializedDataSize: -
EntryPoint: 0x8200
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.19041.1
ProductVersionNumber: 11.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.19041.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.19041.1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe #PURECRYPTER sixdesigner.exe no specs #LUMMA sixdesigner.exe #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
300"C:\Users\admin\Desktop\7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe" C:\Users\admin\Desktop\7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6680C:\Users\admin\AppData\Local\Temp\IXP000.TMP\sixdesigner.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\sixdesigner.exe
7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exe
User:
admin
Company:
SRWare
Integrity Level:
MEDIUM
Description:
SRWare Iron Setup
Exit code:
4294967295
Version:
129.0.6550.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\sixdesigner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7148"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\sixdesigner.exe"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\sixdesigner.exe
explorer.exe
User:
admin
Company:
SRWare
Integrity Level:
MEDIUM
Description:
SRWare Iron Setup
Exit code:
0
Version:
129.0.6550.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\sixdesigner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Lumma
(PID) Process(7148) sixdesigner.exe
C2 (9)drawwyobstacw.sbs
condifendteu.sbs
allocatinow.sbs
punchudump.buzz
vennurviot.sbs
enlargkiw.sbs
resinedyw.sbs
mathcucom.sbs
ehticsprocw.sbs
Total events
3 771
Read events
3 771
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3007f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\sixdesigner.exeexecutable
MD5:94301BD3EB3A339B7473C37C0CDDDEB7
SHA256:B763331E324CB7248AE8F9D08813143968B53AD8F664C50027BB48A915C67896
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
31
DNS requests
17
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1588
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1588
RUXIMICS.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
104.21.51.232:443
https://dismissanw.icu/api
unknown
text
17 b
malicious
POST
200
104.21.51.232:443
https://dismissanw.icu/api
unknown
text
2 b
malicious
GET
200
23.67.133.187:443
https://steamcommunity.com/profiles/76561199724331900
unknown
html
35.1 Kb
whitelisted
POST
200
104.21.51.232:443
https://dismissanw.icu/api
unknown
text
17 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1588
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
92.123.104.35:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6944
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1588
RUXIMICS.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.35
  • 92.123.104.42
  • 92.123.104.38
  • 92.123.104.40
  • 92.123.104.36
  • 92.123.104.34
  • 92.123.104.33
  • 92.123.104.37
  • 92.123.104.32
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
punchudump.buzz
unknown
mathcucom.sbs
malicious
allocatinow.sbs
malicious
enlargkiw.sbs
malicious
resinedyw.sbs
malicious

Threats

PID
Process
Class
Message
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (punchudump .buzz)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs)
2172
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs)
2172
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
7f260a5786a223b195576075400d70746da12906b05f48f3f869bea6918eb6c7