| File name: | SET_UP.exe |
| Full analysis: | https://app.any.run/tasks/83aa7ada-0a3d-4ca3-82ee-e98e12773558 |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | December 14, 2024, 12:16:45 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 3D7985D235DDDD50133C9CB4D05E93CF |
| SHA1: | F4760735FAC36EE4453905208EE47589526A30C7 |
| SHA256: | 7FEB04DD3086C567C461E43A682DD1BFDF1CDE3C8F37338A87656FC81A23BA5D |
| SSDEEP: | 98304:4W0JMnH6lSPaAny7ahqeITAUa/TsEnLz5hxBBDgS8BQX/N5qjtGm5IcDP:QMjX1mlP |
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:02:24 19:20:04+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 29696 |
| InitializedDataSize: | 511488 |
| UninitializedDataSize: | 16896 |
| EntryPoint: | 0x38af |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8 | Stored.com U | C:\Users\admin\AppData\Local\Temp\516983\Stored.com | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script (Beta) Exit code: 0 Version: 3, 3, 15, 5 Modules
| |||||||||||||||
| 188 | findstr /V "ProposedKellyChampionCouldMinistryPhotographersNotFruit" Permitted | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 396 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1356 | cmd /c copy /b ..\Imposed + ..\Wellington + ..\Object + ..\Installations + ..\Loaded + ..\Hdtv U | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1744 | choice /d y /t 5 | C:\Windows\SysWOW64\choice.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1804 | tasklist | C:\Windows\SysWOW64\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2972 | "C:\Windows\System32\cmd.exe" /c copy Figured Figured.cmd && Figured.cmd | C:\Windows\SysWOW64\cmd.exe | SET_UP.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3612 | cmd /c md 516983 | C:\Windows\SysWOW64\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4132 | "C:\Users\admin\Desktop\SET_UP.exe" | C:\Users\admin\Desktop\SET_UP.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Had | binary | |
MD5:8402510886C8CEB4FD093BBAFA8F452B | SHA256:68B1859430203661F8D31A767909364F645DA1944D6FD0C4CD4EA79C2F2C6212 | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Installations | pgc | |
MD5:D028BA6B6939326C7BD30516E21E4FF4 | SHA256:7C1AA8EC4C791E4DB7CE1D95DB8C9DF75BAAC3BFB0CB0F1EC56064C88D09BC0D | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Locator | abr | |
MD5:85E9FAB9AB9A2CE1935F980078995C7B | SHA256:0392E54997947D4E6AC2A5A919F18699DB82524DA641AA913B9E360BB2A1D7DF | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Permitted | binary | |
MD5:443F5628E48F754B7751D344B9C4C88A | SHA256:5339E4495D03B9301B7D15424DB91B68B7E84B3DCF769B5F44B7CAF7FAB66DE4 | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Wellington | binary | |
MD5:AB319D86C37B8A1B5047A79E81E84D68 | SHA256:C3727398B660769E90B49D96923F416FB392C866560A59CEFC7F1AA7C2ECE9BA | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Suicide | binary | |
MD5:1EE9DAEEF21C43336AE8626E9335BEB5 | SHA256:DAB4963BCAFDA1A1E3FCEE0678F1B77B8440DA6E6F04A3CB858AD37101ABFE3D | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Loaded | binary | |
MD5:194D767A9BD549B3EFF27DB877EBD9CA | SHA256:346233781898FC1BD9B8187DBE79C86F50B51466340D398B8044F0F42B379A72 | |||
| 4132 | SET_UP.exe | C:\Users\admin\AppData\Local\Temp\Transport | mp3 | |
MD5:29310511E646A9DB8EC20112F750205A | SHA256:92572FF759F59420EB6EF712DC8DB8469C63425F0B2AB5798EBB19370FFB61E1 | |||
| 2972 | cmd.exe | C:\Users\admin\AppData\Local\Temp\516983\Stored.com | executable | |
MD5:3DEC208B512C5ADCD445D7FD80F11B8A | SHA256:8CA3A132A9B953C94813C736CC7A911D5C7792E19126E37DEC064BAD1B1454A7 | |||
| 2972 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Figured.cmd | text | |
MD5:21350FCCD60418B01CF83AC826AA31E9 | SHA256:BE21F7CA2001511FBC3E0E43312F8649E83037EBF098682D5FA1D290E62BF470 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 2 b | unknown |
— | — | POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
— | — | POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
— | — | POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 20.4 Kb | unknown |
— | — | POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 140 b | unknown |
— | — | POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
— | — | POST | 200 | 172.67.216.241:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
— | — | POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
— | — | POST | 200 | 104.21.78.51:443 | https://futipoy.shop/api | unknown | text | 14 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
8 | Stored.com | 172.67.216.241:443 | futipoy.shop | CLOUDFLARENET | US | unknown |
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
trxBhEXoOi.trxBhEXoOi |
| unknown |
futipoy.shop |
| unknown |
klipcatepiu0.shop |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Domain Observed Used for C2 Detected | STEALER [ANY.RUN] Suspected Lumma domain by CrossDomain (klipcatepiu0 .shop) |