File name:	QuantumHacksv2.exe
Full analysis:	https://app.any.run/tasks/9a97c048-911f-4d30-8fa3-cc5b0cfc47cd
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 01:59:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec stealer lumma
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	AC2040D78A083A189723E1392A3428EE
SHA1:	AA8FE9D0108323673F8BA5D6043B3FA324A264CB
SHA256:	C1D24472DC3C469D7DBDA5CB07D46D22307C8D4F1118E498524E579F15EA9C35
SSDEEP:	98304:CbnKllghKmvuBPLIp0/o5Wt8COrAJEYk4ytWxuvQQWfgMnIhg4d25/aRh8WbsmvD:iPLXgQ

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:05:28 09:05:18+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	102400
InitializedDataSize:	38400
UninitializedDataSize:	-
EntryPoint:	0x1945f
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.67.1.0
ProductVersionNumber:	3.67.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	FileZilla Project
LegalCopyright:	Copyright (C) 2006-2024
OriginalFileName:	filezilla.exe
Comments:	Version 3.67.1
FileVersion:	3.67.1.0
ProductName:	FileZilla
ProductVersion:	3.67.1.0
InternalName:	FileZilla 3
FileDescription:	FileZilla FTP Client
Created:	7z SFX Constructor v4.6.0.0 (http://usbtor.ru/viewtopic.php?t=798)
Builder:	ahileeeeeess 00:40:20 29/04/2025


(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\file_1.zip
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4688) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1616) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1616) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID	Process	Filename		Type
2088	QuantumHacksv2.exe	C:\Users\admin\AppData\Local\Temp\main\main.bat		text
		MD5:AD15EC748259F4BD9686ABBBA5B29307	SHA256:20D797B8D9D9F6C14C53DAE00B16397885E3DA8A9A95FA1CA5B34B79414C8944
5868	7z.exe	C:\Users\admin\AppData\Local\Temp\main\extracted\file_3.zip		compressed
		MD5:8AA480752BB572C28DD981096D85C8C8	SHA256:6E706719F1472F6D96A8C675064E82AC75300940151ECE70E774734C0DCAED17
2088	QuantumHacksv2.exe	C:\Users\admin\AppData\Local\Temp\main\KillDuplicate.cmd		text
		MD5:68CECDF24AA2FD011ECE466F00EF8450	SHA256:64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
2088	QuantumHacksv2.exe	C:\Users\admin\AppData\Local\Temp\main\file.bin		compressed
		MD5:94E17ACF936E453C0CFE3B76420D7FCF	SHA256:6D501C1F888870561B450B6CEAC0ADF18050F52D012CEA1C4FE036916BACE9E3
1056	7z.exe	C:\Users\admin\AppData\Local\Temp\main\extracted\AntiAV.data		text
		MD5:91281AB5814EDD87B7A77F3E754389AD	SHA256:51559F5FB63803D8D4FF81519FAD1E4BA4EAE18AC57976A1FD922702F879F040
6540	cmd.exe	C:\Users\admin\AppData\Local\Temp\main\file.zip		compressed
		MD5:94E17ACF936E453C0CFE3B76420D7FCF	SHA256:6D501C1F888870561B450B6CEAC0ADF18050F52D012CEA1C4FE036916BACE9E3
2088	QuantumHacksv2.exe	C:\Users\admin\AppData\Local\Temp\main\7z.dll		executable
		MD5:72491C7B87A7C2DD350B727444F13BB4	SHA256:34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
1056	7z.exe	C:\Users\admin\AppData\Local\Temp\main\extracted\file_2.zip		compressed
		MD5:0392499ABBA75FBAC3866FFC3F6C24DE	SHA256:9FE534C0F8D0011939AEF3F785F3911F63119265E5EFB24CAABC0D9BCD2B251B
2088	QuantumHacksv2.exe	C:\Users\admin\AppData\Local\Temp\main\7z.exe		executable
		MD5:619F7135621B50FD1900FF24AADE1524	SHA256:344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
6540	cmd.exe	C:\Users\admin\AppData\Local\Temp\main\svchost64.exe		executable
		MD5:5E36978CE37CD85EE2DCFF0E330685EC	SHA256:7E5DD8554E22DCB9FEC7ACA7AAA6B5A61DC8B2A8C1E66B6A95CE99FC723F1CE1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	522	188.114.97.3:443	https://mobitront.run/dsiu	unknown	—	—	malicious
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	32.7 Kb	unknown
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	32.7 Kb	unknown
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	69 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
960	calc.exe	188.114.97.3:443	mobitront.run	CLOUDFLARENET	NL	malicious
616	calc.exe	188.114.97.3:443	mobitront.run	CLOUDFLARENET	NL	malicious
960	calc.exe	104.21.51.232:443	zenithcorde.top	CLOUDFLARENET	—	unknown
616	calc.exe	104.21.51.232:443	zenithcorde.top	CLOUDFLARENET	—	unknown
5332	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4188	slui.exe	13.77.207.86:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.184.238	whitelisted
mobitront.run	188.114.97.3 188.114.96.3	malicious
zenithcorde.top	104.21.51.232 172.67.190.162	unknown
activation-v2.sls.microsoft.com	20.83.72.98 13.77.207.86	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

General Info

QuantumHacksv2.exe

AC2040D78A083A189723E1392A3428EE

AA8FE9D0108323673F8BA5D6043B3FA324A264CB

C1D24472DC3C469D7DBDA5CB07D46D22307C8D4F1118E498524E579F15EA9C35

98304:CbnKllghKmvuBPLIp0/o5Wt8COrAJEYk4ytWxuvQQWfgMnIhg4d25/aRh8WbsmvD:iPLXgQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (YARA)

LUMMA mutex has been found

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

The executable file from the user directory is run by the CMD process

Uses ATTRIB.EXE to modify file attributes

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Create files in a temporary directory

The sample compiled with english language support

Checks supported languages

Reads the computer name

Process checks computer location settings

Starts MODE.COM to configure console settings

Reads the software policy settings

Manual execution by a user

Reads Microsoft Office registry keys

Checks proxy server information

Malware configuration

Lumma

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

Lumma

Information

Modules

Malware configuration

Lumma

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats