File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/b2af196c-438b-462a-b645-fc7f50b8f5a6
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 19:56:09
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autoit stealer lumma autoit-loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	E010CD53F9377D356D547E3C4D298506
SHA1:	2409F485F42D285CD1157EE0EA6CA9881A90BEAB
SHA256:	B58EA28950BA3C0B5B67CF3B62A60C4BA8A2ADA384540CCD0D90C5D9A77EC230
SSDEEP:	98304:q6IenQfaamReZ0Epb3WrW3oZRftZK9tUfs71QFyik:q

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:04:10 12:19:23+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	25600
InitializedDataSize:	431104
UninitializedDataSize:	16896
EntryPoint:	0x33e9
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI


(PID) Process:	(7712) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7712) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7712) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7712) Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

PID	Process	Filename		Type
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Hearings.aifc		text
		MD5:945A05710563D0544235367C3B2EF304	SHA256:E5F4A86988507C7DF8DF97EF6F0AA1B51B57906F254585431D133006ADBA0E6E
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Loops.aifc		binary
		MD5:6996E5A280F6221D2C880D12A2877B96	SHA256:0C7BBFAC1902CA77E89F2C1CDCBBA688BB2A8CE74056DBE6445A32284DC3E80A
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Og.aifc		binary
		MD5:51D2E55A1FDF92D303ABF0348862D9A9	SHA256:92AEE67AD0CAC6514583A59ABB8E6DAD13D61D9EDA8869A04DD11A289F3B8F44
8112	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Talks		binary
		MD5:6F244785B7EF3AC38CF014121705EFFD	SHA256:7B1BE577475B08DD5074AA4219EE2578F8CDF2298EED10C9C08D92D968B71CE5
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Specialist.aifc		binary
		MD5:E4EBD3D05E5780E04B2028D00BC93D1A	SHA256:C48603D10DCC3C7E30A3334015ADB6DFA6961B909D774AA948DBD6A45A0432D5
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Pocket.aifc		compressed
		MD5:12592CC2C5AA803E51BBC449C3A9A3E7	SHA256:FC7DE7EC45E4FAD1CE326DAA68CCDDE3C9108B61792B04965C322950B50E7099
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Tutorials.aifc		binary
		MD5:0BAA8B80BFD199B5A9DC3608F6D4EF2D	SHA256:1FAA07435E9D7E913A842EAE914ADE487B04FCD3B01329E3BBC945A18E7223E4
8112	extrac32.exe	C:\Users\admin\AppData\Local\Temp\Appreciation		binary
		MD5:52C4F125B02A3834B01C9FE33421F9CE	SHA256:B3A30E9AB1BD485DD48DF3268A800A6E44BC0D016A847513D98DCF05504D4B43
7712	Setup.exe	C:\Users\admin\AppData\Local\Temp\Subscriber.aifc		binary
		MD5:7F3EAC07241DD012B3BC9D833E1B19A7	SHA256:A9E137FE48A0A1A538E33DA686653C5A60A75BA32D5A506952CD3FF019C5D3A1
7804	cmd.exe	C:\Users\admin\AppData\Local\Temp\Hearings.aifc.bat		text
		MD5:945A05710563D0544235367C3B2EF304	SHA256:E5F4A86988507C7DF8DF97EF6F0AA1B51B57906F254585431D133006ADBA0E6E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4944	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4944	RUXIMICS.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7236	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4944	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4944	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4944	RUXIMICS.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7236	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7236	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 23.48.23.169 23.48.23.171 23.48.23.180 23.48.23.168 23.48.23.134 23.48.23.185 23.48.23.174 23.48.23.173 23.48.23.193	whitelisted
www.microsoft.com	2.23.246.101 184.30.21.171	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
WFfoWhHGBeMs.WFfoWhHGBeMs	—	unknown
slscr.update.microsoft.com	4.245.163.56	whitelisted
narrathfpt.top	104.21.83.105 172.67.222.194	unknown
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
h1.jockstrapdisown.today	104.21.66.148 172.67.205.51	unknown

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

General Info

Setup.exe

E010CD53F9377D356D547E3C4D298506

2409F485F42D285CD1157EE0EA6CA9881A90BEAB

B58EA28950BA3C0B5B67CF3B62A60C4BA8A2ADA384540CCD0D90C5D9A77EC230

98304:q6IenQfaamReZ0Epb3WrW3oZRftZK9tUfs71QFyik:q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Steals credentials from Web Browsers

AutoIt loader has been detected (YARA)

LUMMA mutex has been found

Actions looks like stealing of personal data

SUSPICIOUS

Using 'findstr.exe' to search for text patterns in files and output

Starts the AutoIt3 executable file

Starts CMD.EXE for commands execution

Application launched itself

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Get information on the list of running processes

There is functionality for taking screenshot (YARA)

Searches for installed software

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executing commands from a ".bat" file

INFO

Checks supported languages

Process checks computer location settings

Creates a new folder

Create files in a temporary directory

Reads mouse settings

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings