File name:	2025-05-15_b3edc4d046207f50b2075c84430ffbc8_black-basta_cobalt-strike_ryuk_satacom
Full analysis:	https://app.any.run/tasks/ab27a25f-2de1-49b1-aa4b-912cdcef8290
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 15:15:27
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:	B3EDC4D046207F50B2075C84430FFBC8
SHA1:	0289F4006361A7DC3A20A95F27C4C12DC0E9F0CA
SHA256:	C0E19BB95FB9541F2F82FAF23AEA1B917611EF9364E82474927F5B89E32A7743
SSDEEP:	49152:oSZQqnIi1cSHmuWZ8xbqf8EXHjBvjCV15VIpXAmA35ux1ulRGHCD+NHZ30+qf8EY:oSZWiD68xIDTB7GIpp1ulGxNHZ30VDTk

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2025:05:14 17:59:14+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	222720
InitializedDataSize:	68096
UninitializedDataSize:	-
EntryPoint:	0x21538
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
7540	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-05-15_b3edc_1d8c1bf8295fd7b8179a49815f70d1c21801983_19bd7236_0e921849-44f0-437b-9470-b4211a511394\Report.wer		—
		MD5:—	SHA256:—
7540	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD563.tmp.dmp		binary
		MD5:BFE579FC7B805FF01DD6B08713AA547D	SHA256:ADD253899F48496CEBECAC9E7EFFEFCEF164CFB7834CD77E23988E818FD9E172
7540	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD63F.tmp.xml		xml
		MD5:63C1EB897EC31D0E765F2DC8740019EC	SHA256:2A3C26C892A635305792E00F4B2FEA440D7B5A0E60020C52869BC076CF5305EE
7540	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERD610.tmp.WERInternalMetadata.xml		binary
		MD5:50AC7AB402762224E82DF5020E7CF433	SHA256:28F4B15A40E04489B7DF6647EE9A0CD870CE8C29FBB3DBB18A51BE6143838418
7540	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\2025-05-15_b3edc4d046207f50b2075c84430ffbc8_black-basta_cobalt-strike_ryuk_satacom.exe.7388.dmp		binary
		MD5:6CD392F50D8F0FEBCB62F66E32A92CD6	SHA256:1938F59AB8C97D3F84D47F074DF3A2113E6E15FEFB7C370EDDB44A777353BE1C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7860	SIHClient.exe	GET	200	23.48.23.163:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.48.23.163:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.48.23.163:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7420	MSBuild.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
7420	MSBuild.exe	104.21.50.36:443	anesthwtcm.run	CLOUDFLARENET	—	unknown
7860	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7860	SIHClient.exe	23.48.23.163:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7860	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7860	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.206	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
t.me	149.154.167.99	whitelisted
anesthwtcm.run	104.21.50.36 172.67.156.51	unknown
slscr.update.microsoft.com	4.245.163.56	whitelisted
crl.microsoft.com	23.48.23.163 23.48.23.164 23.48.23.171 23.48.23.159 23.48.23.162 23.48.23.169 23.48.23.168 23.48.23.166 23.48.23.161	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

2025-05-15_b3edc4d046207f50b2075c84430ffbc8_black-basta_cobalt-strike_ryuk_satacom

B3EDC4D046207F50B2075C84430FFBC8

0289F4006361A7DC3A20A95F27C4C12DC0E9F0CA

C0E19BB95FB9541F2F82FAF23AEA1B917611EF9364E82474927F5B89E32A7743

49152:oSZQqnIi1cSHmuWZ8xbqf8EXHjBvjCV15VIpXAmA35ux1ulRGHCD+NHZ30+qf8EY:oSZWiD68xIDTB7GIpp1ulGxNHZ30VDTk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

LUMMA has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Executes application which crashes

Process communicates with Telegram (possibly using it as an attacker's C2 server)

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Checks supported languages

Attempting to use instant messaging service

Reads the computer name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Malware configuration

Lumma

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Lumma

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings