File name:

file

Full analysis: https://app.any.run/tasks/9fb74231-aa10-498e-9658-2f930e3ddd76
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: December 02, 2023, 14:33:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

E34141AEE63591AFB8BDD50989B4DD07

SHA1:

6AFD2BF8B840E277BA0C1B5057239344C36F6F8A

SHA256:

96EE428402DD36D29B09333946823D3B6E91AE69956B2C9A79DD5A2A244E36E0

SSDEEP:

98304:G8CXM7XHeOydUi6gaNO509VS6PTJaz0Q0keLCd1G49i3K7n3x+B9gwXFIhwcJcjr:dIUlBhHGefL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • file.exe (PID: 2208)

    • LUMMA has been detected (SURICATA)

      • RegSvcs.exe (PID: 2924)

    • Connects to the CnC server

      • RegSvcs.exe (PID: 2924)

    • LUMMA has been detected (YARA)

      • RegSvcs.exe (PID: 2924)

    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 2924)

  • SUSPICIOUS

    • Searches for installed software

      • RegSvcs.exe (PID: 2924)

    • Reads browser cookies

      • RegSvcs.exe (PID: 2924)

  • INFO

    • Checks supported languages

      • file.exe (PID: 2208)
      • RegSvcs.exe (PID: 2924)

    • Reads the computer name

      • file.exe (PID: 2208)
      • RegSvcs.exe (PID: 2924)

    • Reads the machine GUID from the registry

      • file.exe (PID: 2208)

    • Create files in a temporary directory

      • file.exe (PID: 2208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (32.5)
.exe | Win32 Executable MS Visual C++ (generic) (23.6)
.exe | Win64 Executable (generic) (20.9)
.scr | Windows screen saver (9.9)
.dll | Win32 Dynamic Link Library (generic) (4.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2045:10:18 06:56:57+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 3836928
InitializedDataSize: 76800
UninitializedDataSize: -
EntryPoint: 0x3aaa1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: sound_effects_and_presets
FileVersion: 1.2.0.0
InternalName: sound_effects_and_presets.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: sound_effects_and_presets.exe
ProductName: sound_effects_and_presets
ProductVersion: 1.2.0.0
AssemblyVersion: 1.2.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start file.exe no specs #LUMMA regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
2208"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
sound_effects_and_presets
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
2924C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
file.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
479
Read events
479
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2208file.exeC:\Users\admin\AppData\Local\Temp\Protect544cd51a.dllexecutable
MD5:544CD51A596619B78E9B54B70088307D
SHA256:DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
43
DNS requests
1
Threats
47

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
16.5 Kb
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
2 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
2924
RegSvcs.exe
POST
200
172.67.160.7:80
http://payfrecklematurei.pw/api
unknown
text
21 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
2924
RegSvcs.exe
172.67.160.7:80
payfrecklematurei.pw
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
payfrecklematurei.pw
  • 172.67.160.7
  • 104.21.14.160
unknown

Threats

PID
Process
Class
Message
324
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
2924
RegSvcs.exe
Misc activity
ET INFO HTTP Request to a *.pw domain
2924
RegSvcs.exe
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
2924
RegSvcs.exe
Misc activity
ET INFO HTTP Request to a *.pw domain
2924
RegSvcs.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
2924
RegSvcs.exe
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
2924
RegSvcs.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
2924
RegSvcs.exe
Misc activity
ET INFO HTTP Request to a *.pw domain
2924
RegSvcs.exe
Misc activity
ET INFO HTTP Request to a *.pw domain
2924
RegSvcs.exe
Misc activity
ET INFO HTTP Request to a *.pw domain
2 ETPRO signatures available at the full report
No debug info