File name:	HMC.Hackus.Mail.Checker.2.3.exe
Full analysis:	https://app.any.run/tasks/bbd6cae8-cc26-476e-b601-3cc1286a414d
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 19, 2025, 09:14:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer miner winring0x64-sys vuln-driver xor-url upx generic xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 18 sections
MD5:	B334B90AF9FC435D044F834F0FFF5451
SHA1:	83D8ADF54C965171734540307675958AA8B7870C
SHA256:	88C78261FEA542CFB869617FB292BC0709204C8647119133F8900FE17BAF4C40
SSDEEP:	98304:VJggfFv8alBwUQSIdVKMDWfG6YqmXMmknFVd8lR0pJ9ahvEBLAPnDuIIYaS9SK0Y:D2jRX

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, Large address aware
PEType:	PE32+
LinkerVersion:	2.44
CodeSize:	120832
InitializedDataSize:	5473792
UninitializedDataSize:	3584
EntryPoint:	0x132b
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI


(PID) Process:	(2144) app_x32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1
(PID) Process:	(2692) appcertui.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Operation:	write	Name:	DontOfferThroughWUAU
Value: 1

PID	Process	Filename		Type
3628	HMC.Hackus.Mail.Checker.2.3.exe	C:\ProgramData\app_x32.exe		executable
		MD5:BAD1278DDD6619F99CCDDCF7BA01EF59	SHA256:C5C5E9F6FB91E12815B89ED49790D5B197E53BDAA5BAFF035E55D14E2AFD21DB
6236	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_oqashvjq.k00.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_4mk0c0jf.qtn.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zo1wujkj.o4u.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2144	app_x32.exe	C:\ProgramData\Windows App Certification Kit\certification\appcertui.exe		executable
		MD5:BAD1278DDD6619F99CCDDCF7BA01EF59	SHA256:C5C5E9F6FB91E12815B89ED49790D5B197E53BDAA5BAFF035E55D14E2AFD21DB
6236	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_z3b2noie.fzn.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3628	HMC.Hackus.Mail.Checker.2.3.exe	C:\ProgramData\app_x64.exe		executable
		MD5:E303DB63AEC0DA8D896AD65F558C29A5	SHA256:E32ED8EBC0416BAF56E4B055B8C1E67CB4734F3A51146E81EAFAEA5ED00298B8
7084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxtbyhde.uyc.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4196	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lqzywarx.plr.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4196	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mf3np0jv.n4p.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7076	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7076	RUXIMICS.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.197.130.99:443	https://steamcommunity.com/profiles/76561199863199067	unknown	html	28.9 Kb	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1268	svchost.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7076	RUXIMICS.exe	52.185.211.133:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7076	RUXIMICS.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	52.185.211.133 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
mcaumnb.shop	—	malicious
prvqhm.shop	—	malicious
daruubs.top	—	malicious
cidtfhh.shop	—	malicious
annwt.xyz	—	malicious
ungryo.shop	—	malicious

PID	Process	Class	Message
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prvqhm .shop)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mcaumnb .shop)
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rayrhs .top)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greqjfu .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (daruubs .top)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cidtfhh .shop)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (annwt .xyz)
2200	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ungryo .shop)

General Info

HMC.Hackus.Mail.Checker.2.3.exe

B334B90AF9FC435D044F834F0FFF5451

83D8ADF54C965171734540307675958AA8B7870C

88C78261FEA542CFB869617FB292BC0709204C8647119133F8900FE17BAF4C40

98304:VJggfFv8alBwUQSIdVKMDWfG6YqmXMmknFVd8lR0pJ9ahvEBLAPnDuIIYaS9SK0Y:D2jRX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Executing a file with an untrusted certificate

Changes Windows Defender settings

LUMMA has been detected (SURICATA)

Adds extension to the Windows Defender exclusion list

Connects to the CnC server

Uninstalls Malicious Software Removal Tool (MRT)

Vulnerable driver has been detected

XMRIG has been detected (YARA)

MINER has been detected (SURICATA)

XORed URL has been found (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Manipulates environment variables

Contacting a server suspected of hosting an CnC

Script adds exclusion extension to Windows Defender

Windows service management via SC.EXE

Process uninstalls Windows update

Starts SC.EXE for service management

Stops a currently running service

Creates a new Windows service

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

Executes as Windows Service

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Creates files in the program directory

Checks if a key exists in the options dictionary (POWERSHELL)

The sample compiled with english language support

Script raised an exception (POWERSHELL)

Checks proxy server information

The sample compiled with japanese language support

UPX packer has been detected

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules