File name:

Nexol.exe

Full analysis: https://app.any.run/tasks/d02c7d86-a5ee-4b70-945b-e07251879ec9
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: February 21, 2025, 22:19:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
golang
stealer
lumma
exfiltration
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
MD5:

FFEABED249DD14435B8D7E7AF599C360

SHA1:

7049C3CD0C2F6246366CDAB6754351621F7D90F5

SHA256:

A54E6AB607CB2DF90BEF8F59DF83DC7E849D1B41EBF115A77DEAB66883515283

SSDEEP:

98304:mN/EuX4lJ0QOTFllTd+vIK6JusveIh5y:mZ5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • BitLockerToGo.exe (PID: 4520)

    • Actions looks like stealing of personal data

      • BitLockerToGo.exe (PID: 4520)

    • Steals credentials from Web Browsers

      • BitLockerToGo.exe (PID: 4520)

    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 4520)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • Nexol.exe (PID: 3532)

    • Searches for installed software

      • BitLockerToGo.exe (PID: 4520)

    • There is functionality for taking screenshot (YARA)

      • BitLockerToGo.exe (PID: 4520)

  • INFO

    • Detects GO elliptic curve encryption (YARA)

      • Nexol.exe (PID: 3532)

    • Checks supported languages

      • BitLockerToGo.exe (PID: 4520)
      • Nexol.exe (PID: 3532)

    • Reads the machine GUID from the registry

      • Nexol.exe (PID: 3532)
      • BitLockerToGo.exe (PID: 4520)

    • Application based on Golang

      • Nexol.exe (PID: 3532)

    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 4520)

    • Creates files in the program directory

      • BitLockerToGo.exe (PID: 4520)

    • Reads the computer name

      • BitLockerToGo.exe (PID: 4520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 2961408
InitializedDataSize: 345600
UninitializedDataSize: -
EntryPoint: 0x64ef0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Ryujinx
FileDescription: Ryujinx
FileVersion: 1.1.0.0
InternalName: Ryujinx.dll
LegalCopyright:
OriginalFileName: Ryujinx.dll
ProductName: Ryujinx
ProductVersion: 1.1.0-dirty+b4cac89
AssemblyVersion: 1.1.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start nexol.exe no specs #LUMMA bitlockertogo.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3532"C:\Users\admin\Desktop\Nexol.exe" C:\Users\admin\Desktop\Nexol.exeexplorer.exe
User:
admin
Company:
Ryujinx
Integrity Level:
MEDIUM
Description:
Ryujinx
Exit code:
666
Version:
1.1.0.0
Modules
Images
c:\users\admin\desktop\nexol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4520"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Nexol.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events
3 574
Read events
3 574
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4520BitLockerToGo.exeC:\ProgramData\8A7C042FE5CAFD5E.dat
MD5:
SHA256:
4520BitLockerToGo.exeC:\ProgramData\DB28CEBB423FDAE5.datbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
4520BitLockerToGo.exeC:\ProgramData\DA139A5A718D21DB.datbinary
MD5:0B2213BCE3950F1E95FEEB8E8B3B9543
SHA256:71DB3D87713A320BA9FD3043392509B430630CFCF574EE84118406D6471CFC5A
4520BitLockerToGo.exeC:\ProgramData\A190A16B2F650769.datbinary
MD5:DC9ADB7DE19A6753CE90AE94738BFDEF
SHA256:884B04032E2E70A002956218E8EC3491F2B753C4596CEE6E4894DC49AFA0A681
4520BitLockerToGo.exeC:\ProgramData\62B6AF46E58B7A07.datbinary
MD5:1E1F96F03DCB32CBEDE6A33AF67A44A7
SHA256:B6DCEC10039FBA99019A6DE818D433847EFAD62FAE59851E328EC42396DFD9CB
4520BitLockerToGo.exeC:\ProgramData\E6717317BFC0F84C.datbinary
MD5:FDDE63730E15DD2E18C540BA52B6A945
SHA256:40740EAABD14FC0E08D3B5EE340C1E1B372E158F61EF58AEED1EE4B3A3F4492E
4520BitLockerToGo.exeC:\ProgramData\6BB42FF0F14F9377.datbinary
MD5:C52CD961FB8188CE1B3D97815AA02978
SHA256:FE95CAC7B0F158D55188CE091428A8623DB31C927EDA38DC35411D4CB67EA71E
4520BitLockerToGo.exeC:\ProgramData\C3B0BE077CB0F19B.datbinary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
4520BitLockerToGo.exeC:\ProgramData\0F36C5E03AA7BC6F.datbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4520BitLockerToGo.exeC:\ProgramData\D33A61A921A35C21.datbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
24
DNS requests
8
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4652
svchost.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
648
RUXIMICS.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
648
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4652
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
104.21.48.1:443
https://uncertainyelemz.bet/api
unknown
text
14 b
malicious
POST
200
104.21.80.1:443
https://uncertainyelemz.bet/api
unknown
text
14 b
malicious
POST
200
104.21.112.1:443
https://uncertainyelemz.bet/api
unknown
text
14 b
malicious
POST
200
104.21.16.1:443
https://uncertainyelemz.bet/api
unknown
text
18.3 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
648
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4652
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
648
RUXIMICS.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4652
svchost.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
648
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.141
  • 23.48.23.147
  • 23.48.23.158
  • 23.48.23.156
  • 23.48.23.162
  • 23.48.23.167
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
wqanderludreams.tech
unknown
uncertainyelemz.bet
  • 104.21.32.1
  • 104.21.48.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.64.1
  • 104.21.96.1
  • 104.21.80.1
malicious
self.events.data.microsoft.com
  • 20.42.73.25
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Nexol.exe