File name:

LummaC2.exe

Full analysis: https://app.any.run/tasks/70ce02b1-86d0-496d-bf92-0141c7d035eb
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: August 01, 2024, 09:38:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9B3EEF2C222E08A30BAEFA06C4705FFC

SHA1:

82847CE7892290E76BE45B09AA309B27A9376E54

SHA256:

8903D4BFE61CA3CA897AF368619FE98A7D0EE81495DF032B9380F00AF41BBFC7

SSDEEP:

6144:gpvQNxDZUT8ICRRzJnOklE2ZjOwxLM4lvVJ0azov/gq37mOCGUhZD:gpv8UT8ICRR9OklE+md37mOXKD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • LummaC2.exe (PID: 6668)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2256)

    • Connects to the CnC server

      • svchost.exe (PID: 2256)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2256)

  • INFO

    • Reads the computer name

      • LummaC2.exe (PID: 6668)

    • Reads the machine GUID from the registry

      • LummaC2.exe (PID: 6668)

    • Reads the software policy settings

      • LummaC2.exe (PID: 6668)

    • Checks supported languages

      • LummaC2.exe (PID: 6668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:29 14:50:32+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 250880
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0x9320
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start lummac2.exe #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6668"C:\Users\admin\Desktop\LummaC2.exe" C:\Users\admin\Desktop\LummaC2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\lummac2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Total events
3 499
Read events
3 499
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
16
DNS requests
15
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
23.199.218.33:443
https://steamcommunity.com/profiles/76561199724331900
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2872
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2876
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6668
LummaC2.exe
23.192.247.89:443
steamcommunity.com
AKAMAI-AS
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.142
whitelisted
egorepetiiiosn.shop
malicious
shelterryujxo.shop
malicious
chequedxmznp.shop
malicious
illnesmunxkza.shop
malicious
triallyforwhgh.shop
malicious
shootydowtqosm.shop
malicious
faceddullinhs.shop
malicious
ammycanedpors.shop
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (egorepetiiiosn .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (triallyforwhgh .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (egorepetiiiosn .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (illnesmunxkza .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ammycanedpors .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (chequedxmznp .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shelterryujxo .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (shootydowtqosm .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (faceddullinhs .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ammycanedpors .shop)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LummaC2.exe