| File name: | Yanto.exe |
| Full analysis: | https://app.any.run/tasks/e10cb2f0-5400-45a1-939b-2ded96ef51e3 |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | March 09, 2025, 02:03:10 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 4 sections |
| MD5: | C2533AA5DE41870012CAF4B1DF6B633F |
| SHA1: | 20407ACB1DF0A608E15ECC05AC11FDD5D862D7D5 |
| SHA256: | A47021166FC3E3E36975B0536EDDBBEA90E3AAD67404FD935134B7D638315D35 |
| SSDEEP: | 12288:d0KzYSZ+aXHhRi8dvTgDfDosMN8GFkIrR5gbw04C4kY:d0KzYm+a3hRi8dvTgDDosm8GFBLgs04l |
MALICIOUS
Connects to the CnC server
- svchost.exe (PID: 2196)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2196)
SUSPICIOUS
Application launched itself
- Yanto.exe (PID: 6656)
Executes application which crashes
- Yanto.exe (PID: 6656)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2196)
INFO
Reads the computer name
- Yanto.exe (PID: 6656)
- Yanto.exe (PID: 2692)
Checks supported languages
- Yanto.exe (PID: 2692)
- Yanto.exe (PID: 6656)
Reads the machine GUID from the registry
- Yanto.exe (PID: 2692)
Creates files or folders in the user directory
- WerFault.exe (PID: 5772)
Reads the software policy settings
- Yanto.exe (PID: 2692)
- slui.exe (PID: 4208)
Checks proxy server information
- slui.exe (PID: 4208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (81) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.2) |
| .exe | | | Win32 Executable (generic) (4.9) |
| .exe | | | Win16/32 Executable Delphi generic (2.2) |
| .exe | | | Generic Win/DOS Executable (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2086:03:14 20:14:29+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 7680 |
| InitializedDataSize: | 54784 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x36da |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Chamber |
| FileVersion: | 1.0.0.0 |
| InternalName: | Chamber.exe |
| LegalCopyright: | Copyright © 2025 |
| LegalTrademarks: | - |
| OriginalFileName: | Chamber.exe |
| ProductName: | Chamber |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
129
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2692 | "C:\Users\admin\Desktop\Yanto.exe" | C:\Users\admin\Desktop\Yanto.exe | Yanto.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Chamber Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 4208 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5772 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6656 -s 840 | C:\Windows\SysWOW64\WerFault.exe | — | Yanto.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5776 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Yanto.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6656 | "C:\Users\admin\Desktop\Yanto.exe" | C:\Users\admin\Desktop\Yanto.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Chamber Exit code: 3221226505 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
8 290
Read events
8 290
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5772 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Yanto.exe_7915526b6f4919945f5c972e1486191982ce29f6_c35497e0_c77f1c7e-aeae-4369-8348-7e175cd8af68\Report.wer | — | |
MD5:— | SHA256:— | |||
| 5772 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Yanto.exe.6656.dmp | — | |
MD5:— | SHA256:— | |||
| 5772 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDEE.tmp.dmp | binary | |
MD5:B1AB8CB9BE82EA3D2D011618F38B8AD3 | SHA256:F7CF1111EA866D7B4992058DE8C41AC2CF25786050981123147986B58AB3F1B4 | |||
| 5772 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF96.tmp.xml | xml | |
MD5:14D15A526A9A63AA231B350D14182FC9 | SHA256:046C843870B9AAF9820B26CBDAE9EE152E539DEA9860F21E4287199A5DD9A4A8 | |||
| 5772 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF47.tmp.WERInternalMetadata.xml | binary | |
MD5:765E8AB296B89CD79625A060C79F4E63 | SHA256:C963DA71ABA83957BB7801937FC6D4F661A7B49DB64B445F3AEA6E95E1EF27B5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
13
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 200 | 23.212.216.106:443 | https://steamcommunity.com/profiles/76561199822375128 | unknown | html | 34.8 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4380 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2692 | Yanto.exe | 92.122.104.90:443 | steamcommunity.com | AKAMAI-AS | DE | whitelisted |
2320 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4208 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
soqulfonections.tech |
| unknown |
uncertainyelemz.bet |
| malicious |
prideforgek.fun |
| unknown |
dsfljsdfjewf.info |
| malicious |
pausedcritiaca.fun |
| malicious |
subawhipnator.life |
| malicious |
privileggoe.live |
| malicious |
decreaserid.world |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soqulfonections .tech) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (prideforgek .fun) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet) |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (governoagoal .pw) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pausedcritiaca .fun) |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info) |