File name:

2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom

Full analysis: https://app.any.run/tasks/bf21586b-34f6-42c0-a760-61dab045781a
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 21:35:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 9 sections
MD5:

6E6F2885219948F475D167FF8AE27DA9

SHA1:

3B86AB9CE898FC2E1646199CB2DD12EF557D43AE

SHA256:

8DE3A2C478BA0DEE799E4537DFB18609C0CF88EFF1C4A80D414E1FF0FDC68BAC

SSDEEP:

49152:QLBkpd/mwhs7IySd1kNl7S8IVWWU1kfHUgpWZmeA9a08UcC+Ldylv7S8IVWWU1k+:QLymwhs72S+8IVWWCkfUgmrAT8UyL2++

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 7392)

    • Executing a file with an untrusted certificate

      • 2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 7324)

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 7392)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 7392)

    • Searches for installed software

      • MSBuild.exe (PID: 7392)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7392)

  • INFO

    • Checks supported languages

      • 2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe (PID: 7324)
      • MSBuild.exe (PID: 7392)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 7392)

    • Reads the computer name

      • MSBuild.exe (PID: 7392)

    • Checks proxy server information

      • slui.exe (PID: 7792)

    • Reads the software policy settings

      • MSBuild.exe (PID: 7392)
      • slui.exe (PID: 7792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7392) MSBuild.exe
C2 (10)threatqjqy.top/nybe
bubblezdjw.live/kudf
winterghzp.digital/ywq
leasegjjr.digital/iwi
trotwhvn.live/lxak
haircuirfm.top/aldk
gettoknwg.life/xapd
https://t.me/sgsjlghj234
jackthyfuc.run/xpas
narrathfpt.top/tekq
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:18 16:53:19+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 311808
InitializedDataSize: 69632
UninitializedDataSize: -
EntryPoint: 0x35640
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe no specs conhost.exe no specs #LUMMA msbuild.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7324"C:\Users\admin\Desktop\2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe" C:\Users\admin\Desktop\2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7332\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7392"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process(7392) MSBuild.exe
C2 (10)threatqjqy.top/nybe
bubblezdjw.live/kudf
winterghzp.digital/ywq
leasegjjr.digital/iwi
trotwhvn.live/lxak
haircuirfm.top/aldk
gettoknwg.life/xapd
https://t.me/sgsjlghj234
jackthyfuc.run/xpas
narrathfpt.top/tekq
7792C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 808
Read events
6 808
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
62
DNS requests
16
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7608
SIHClient.exe
GET
200
23.48.23.151:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
23.48.23.151:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
23.48.23.151:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7608
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.5:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7392
MSBuild.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7392
MSBuild.exe
104.21.27.136:443
trotwhvn.live
CLOUDFLARENET
unknown
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.5
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.2
  • 20.190.160.66
  • 20.190.160.67
  • 40.126.32.72
  • 40.126.32.68
whitelisted
google.com
  • 216.58.206.46
whitelisted
t.me
  • 149.154.167.99
whitelisted
trotwhvn.live
  • 104.21.27.136
  • 172.67.142.188
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.48.23.151
  • 23.48.23.155
  • 23.48.23.183
  • 23.48.23.160
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
7392
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-19_6e6f2885219948f475d167ff8ae27da9_black-basta_cobalt-strike_ryuk_satacom