File name:

PASS-1234.exe

Full analysis: https://app.any.run/tasks/c4f3d886-4abf-41c3-9a73-cf192f7a67e9
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: August 01, 2024, 21:00:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

84A9C6CE9BBA17F0F6687555C73BEBB8

SHA1:

59240C3B11B160067A02400B0D484FF0FE33AA4D

SHA256:

BC634B24B95A01A85984C55D7F37A2E1BE6242BBC750A8F5C6CB4B7979F3CD2B

SSDEEP:

12288:DxxI6xVUdh75UlVRAtugzZ766KcMuFad9kq42CWc50UqICLadUNH6i9MbglKt00l:DxLzk7PM6/qsxvgEx9q/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Stealers network behavior

      • aspnet_regiis.exe (PID: 6704)

    • Drops the executable file immediately after the start

      • PASS-1234.exe (PID: 6524)

    • LUMMA has been detected (SURICATA)

      • aspnet_regiis.exe (PID: 6704)

    • LUMMA has been detected (YARA)

      • aspnet_regiis.exe (PID: 6704)

    • Actions looks like stealing of personal data

      • aspnet_regiis.exe (PID: 6704)

  • SUSPICIOUS

    • Searches for installed software

      • aspnet_regiis.exe (PID: 6704)

    • Executable content was dropped or overwritten

      • PASS-1234.exe (PID: 6524)

  • INFO

    • Creates files or folders in the user directory

      • PASS-1234.exe (PID: 6524)

    • Checks supported languages

      • aspnet_regiis.exe (PID: 6704)
      • PASS-1234.exe (PID: 6524)

    • Reads the computer name

      • PASS-1234.exe (PID: 6524)
      • aspnet_regiis.exe (PID: 6704)

    • Reads the machine GUID from the registry

      • aspnet_regiis.exe (PID: 6704)

    • Reads the software policy settings

      • aspnet_regiis.exe (PID: 6704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(6704) aspnet_regiis.exe
C2 (9)boattyownerwrv.shop
definitonizmnx.shop
assumedtribsosp.shop
chippyfroggsyhz.shop
budgetttysnzm.shop
creepydxzoxmj.shop
deadpannsjzvn.shop
empiredzmwnx.shop
rainbowmynsjn.shop
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:01 20:48:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1654784
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x195fce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Delivering next-generation solutions for a dynamic world.
CompanyName: EchoWave Technologies Inc.
FileDescription: EchoWave Systems
FileVersion: 1.0.0.0
InternalName: Jessica500Edward.pdf
LegalCopyright: Copyright © 2026
LegalTrademarks: EchoWave Technologies Trademark
OriginalFileName: Jessica500Edward.pdf
ProductName: EchoWave Suite
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start pass-1234.exe conhost.exe no specs #LUMMA aspnet_regiis.exe

Process information

PID
CMD
Path
Indicators
Parent process
6524"C:\Users\admin\Desktop\PASS-1234.exe" C:\Users\admin\Desktop\PASS-1234.exe
explorer.exe
User:
admin
Company:
EchoWave Technologies Inc.
Integrity Level:
MEDIUM
Description:
EchoWave Systems
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\pass-1234.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exePASS-1234.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6704"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PASS-1234.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_regiis.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_regiis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Lumma
(PID) Process(6704) aspnet_regiis.exe
C2 (9)boattyownerwrv.shop
definitonizmnx.shop
assumedtribsosp.shop
chippyfroggsyhz.shop
budgetttysnzm.shop
creepydxzoxmj.shop
deadpannsjzvn.shop
empiredzmwnx.shop
rainbowmynsjn.shop
Total events
3 766
Read events
3 766
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6524PASS-1234.exeC:\Users\admin\AppData\Roaming\d3d9.dllexecutable
MD5:4F40431E9375FBB150C597F15605CF3A
SHA256:F609445CDB501448C057F43C3B8C2EFCF868A7B402C1512FFF791831179E84C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
20
DNS requests
4
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
2 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
16.5 Kb
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
17 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
17 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
17 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
17 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
48 b
POST
200
null:443
https://deadpannsjzvn.shop/api
unknown
text
17 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
3036
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4708
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6704
aspnet_regiis.exe
188.114.96.3:443
deadpannsjzvn.shop
CLOUDFLARENET
NL
unknown
4708
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
deadpannsjzvn.shop
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

PID
Process
Class
Message
6704
aspnet_regiis.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity M2
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer CnC Host Checkin
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PASS-1234.exe