File name:

940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b

Full analysis: https://app.any.run/tasks/844d8138-25b2-4e52-bd74-6625ea01fe79
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 18:43:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
golang
inno
installer
lumma
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

D9BEA1CF33294021F018F2D2E14ECF0A

SHA1:

F800E72B107461110B94E3B898B93C26CA69AA8C

SHA256:

940691F905DF9999B8B3E60AC9013FF8691EB27B7689B6174052169220FFB52B

SSDEEP:

98304:PCuUx8oKtEYj0007BmSIJQQShMnefy7BpDOztnu2pZnlPWNd//zU0mAdjzJ8ZxzA:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

    • There is functionality for taking screenshot (YARA)

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

  • INFO

    • Checks supported languages

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)
      • BitLockerToGo.exe (PID: 5772)

    • Reads the computer name

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)
      • BitLockerToGo.exe (PID: 5772)

    • Checks proxy server information

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

    • Detects GO elliptic curve encryption (YARA)

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

    • Application based on Golang

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

    • Detects InnoSetup installer (YARA)

      • 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe (PID: 5720)

    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 5772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(5720) 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe
C2 (9)covvercilverow.shop
surroundeocw.shop
racedsuitreow.shop
deallyharvenw.shop
priooozekw.shop
pumpkinkwquo.shop
defenddsouneuw.shop
perforatedmwqn.shop
abortinoiwiam.shop
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 3
CodeSize: 4549632
InitializedDataSize: 1326592
UninitializedDataSize: -
EntryPoint: 0x70fe0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Bitmap2LCD Switzerland
FileDescription: Bitmap2LCD Basic Edition V4.9a Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Bitmap2LCD Basic Edition V4.9a
ProductVersion:
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe no specs sppextcomobj.exe no specs slui.exe no specs bitlockertogo.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5680"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5720"C:\Users\admin\AppData\Local\Temp\940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe" C:\Users\admin\AppData\Local\Temp\940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe
explorer.exe
User:
admin
Company:
Bitmap2LCD Switzerland
Integrity Level:
MEDIUM
Description:
Bitmap2LCD Basic Edition V4.9a Setup
Exit code:
666
Version:
Modules
Images
c:\users\admin\appdata\local\temp\940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\bcryptprimitives.dll
Lumma
(PID) Process(5720) 940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe
C2 (9)covvercilverow.shop
surroundeocw.shop
racedsuitreow.shop
deallyharvenw.shop
priooozekw.shop
pumpkinkwquo.shop
defenddsouneuw.shop
perforatedmwqn.shop
abortinoiwiam.shop
5772"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6944C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
1 656
Read events
1 656
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
27
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
88.221.110.122:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6644
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6644
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6808
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
88.221.110.122:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1852
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5772
BitLockerToGo.exe
23.197.127.21:443
steamcommunity.com
Akamai International B.V.
US
whitelisted
2196
svchost.exe
224.0.0.252:5355
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 88.221.110.122
  • 88.221.110.114
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.68
  • 20.190.160.2
  • 40.126.32.134
  • 20.190.160.132
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
perforatedmwqn.shop
malicious
racedsuitreow.shop
malicious
defenddsouneuw.shop
malicious
deallyharvenw.shop
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
940691f905df9999b8b3e60ac9013ff8691eb27b7689b6174052169220ffb52b