File name: 176.113.115.225.ps1

Full analysis: https://app.any.run/tasks/f0219e63-0baa-4153-a56e-01d906cca912
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: January 27, 2025, 15:04:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: lumma, stealer, api-base64
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65481), with CRLF line terminators
MD5: EAF7EBE973EE32E26027BA74EB211B0C
SHA1: 29F2261E2A37E97045D000CC1BD0FB614CFF9F74
SHA256: 97A191D90077F093CE6E0D472167B36BB648DE846098ED494D981C1076D358F5
SSDEEP: 12288:ZcTOT1uStOOovc4mkab9NY+2GyKKIoKUOwFL9:ZcTPStkvcVZT2GyQoKUOwFL9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Dynamically loads an assembly (POWERSHELL)
      • powershell.exe (PID: 4944)
    • Bypasses execution policy to execute commands
      • powershell.exe (PID: 4944)
    • Connects to the CnC server
      • svchost.exe (PID: 2192)
    • LUMMA has been detected (SURICATA)
      • svchost.exe (PID: 2192)
      • RegSvcs.exe (PID: 6640)
    • LUMMA mutex has been found
      • RegSvcs.exe (PID: 6640)
    • Actions look like stealing of personal data
      • RegSvcs.exe (PID: 6640)
    • Steals credentials from web browsers
      • RegSvcs.exe (PID: 6640)
    • LUMMA has been detected (YARA)
      • RegSvcs.exe (PID: 6640)
  • SUSPICIOUS
    • Found IP address in command line
      • powershell.exe (PID: 4944)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 4944)
    • The process creates files with names similar to system file names
      • wermgr.exe (PID: 6768)
    • Contacting a server suspected of hosting a CnC
      • svchost.exe (PID: 2192)
      • RegSvcs.exe (PID: 6640)
    • There is functionality for taking screenshots (YARA)
      • RegSvcs.exe (PID: 6640)
    • Searches for installed software
      • RegSvcs.exe (PID: 6640)
  • INFO
    • Uses string replace method (POWERSHELL)
      • powershell.exe (PID: 4944)
    • Creates files in the program directory
      • powershell.exe (PID: 4944)
    • Reads the computer name
      • RegSvcs.exe (PID: 6640)
    • Reads the software policy settings
      • RegSvcs.exe (PID: 6640)
      • wermgr.exe (PID: 6768)
    • Checks supported languages
      • RegSvcs.exe (PID: 6640)
    • Reads the machine GUID from the registry
      • RegSvcs.exe (PID: 6640)
    • Checks proxy server information
      • wermgr.exe (PID: 6768)
    • Potential library load (Base64 Encoded 'LoadLibrary')
      • powershell.exe (PID: 4944)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')
      • powershell.exe (PID: 4944)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes: powershell.exe (no specs), conhost.exe (no specs), regsvcs.exe (#LUMMA), wermgr.exe, svchost.exe (#LUMMA)

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 4944
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\176.113.115.225.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

PID: 5720
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6640
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll

PID: 6768
CMD: "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "4944" "2520" "2576" "2504" "0" "0" "2668" "0" "0" "0" "0" "0"
Path: C:\Windows\System32\wermgr.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
Total events: 15 018
Read events: 15 018
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 5
Text files: 3
Unknown types: 0

Dropped files

PID: 6768 (wermgr.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_11dad82227c322c5849eec5b37566e2327c4b39_00000000_8409d03a-3a60-4d22-8889-26f2437f1224\Report.wer
MD5:
SHA256:

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: A03401A592C6308ED2CD7A2C37D554CE
SHA256: 1790C56B710549736873089F47A41DE1A473423E9E3FCA4D88313D48CD081EC9

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF137e0d.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 6768 (wermgr.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9780.tmp.WERInternalMetadata.xml
Type: binary
MD5: F44E436A4DAF6F719456F820AA56407B
SHA256: 59948723E6151B6B3F04194F41A308E433CD86C1DC661C73D6196572B138E4D7

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 680C2BD10B256413FDB2B5818FD6C441
SHA256: 64DA6C2A50A661535641D88F8E8073DF535D62C006990906C5F0A340FF5C8680

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wzzjrpkb.sdl.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7D5VMVA8G59U287XA88D.temp
Type: binary
MD5: A03401A592C6308ED2CD7A2C37D554CE
SHA256: 1790C56B710549736873089F47A41DE1A473423E9E3FCA4D88313D48CD081EC9

PID: 4944 (powershell.exe)
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2kw5wtxf.jz0.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6768 (wermgr.exe)
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B0.tmp.xml
Type: xml
MD5: A1EB4BA4AC7230D8F61F933C2B825534
SHA256: DB7B5EF4D8CDE03C9605509ADFEB9F2BCE865E64C49A5E5F563192CC6BE34706
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 25
DNS requests: 20
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 200 | 188.114.96.3:443 | https://smiteattacekr.org/api | unknown | text | 2 b |
 | | POST | | 172.67.149.66:443 | https://toppyneedus.biz/api | unknown | | | malicious
 | | POST | 200 | 188.114.96.3:443 | https://smiteattacekr.org/api | unknown | text | 17 b |
 | | POST | 200 | 188.114.97.3:443 | https://smiteattacekr.org/api | unknown | text | 18.3 Kb |
 | | POST | 200 | 188.114.97.3:443 | https://smiteattacekr.org/api | unknown | text | 17 b |
 | | GET | 200 | 104.73.234.102:443 | https://steamcommunity.com/profiles/76561199724331900 | unknown | html | 34.7 Kb | whitelisted
 | | POST | 200 | 188.114.97.3:443 | https://smiteattacekr.org/api | unknown | text | 17 b |
 | | POST | 200 | 188.114.96.3:443 | https://smiteattacekr.org/api | unknown | text | 17 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3296 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6640 | RegSvcs.exe | 172.67.149.66:443 | toppyneedus.biz | CLOUDFLARENET | US | malicious
6768 | wermgr.exe | 20.189.173.21:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.173, 23.48.23.180, 23.48.23.181, 23.48.23.132, 23.48.23.188, 23.48.23.182, 23.48.23.195, 23.48.23.174, 23.48.23.175 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
grapeprivatter.cyou | | malicious
impolitewearr.biz | | malicious
toppyneedus.biz | 172.67.149.66, 104.21.29.142 | malicious
watson.events.data.microsoft.com | 20.189.173.21 | whitelisted
lightdeerysua.biz | | unknown
suggestyuoz.biz | | malicious

Threats

PID | Process | Class | Message
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz)
6640 | RegSvcs.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz)
2192 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz)
No debug info