File name:

ASmartService.exe

Full analysis: https://app.any.run/tasks/9407c6a5-dbe9-4d3e-952e-f020758b715b
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: November 13, 2024, 15:50:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

9E41FBE1FAA9BE3423DDB2436DDEC81C

SHA1:

8C04DCAF25DDE9D33F36F7E4200B799001F4B913

SHA256:

C85174305B73A50C23742EBE66BAAE64820C04AEB48DE1FF5FABFF0497989E6F

SSDEEP:

49152:swLm/cpgox5cYDGXr74kB3lY+9wfHeXph6vRn0KZXvgE7A5L6rkuzEw1:pLm/woYEcW3f9wWXpkvRn0ovV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Stealers network behavior

      • ASmartService.exe (PID: 7088)

    • LUMMA has been detected (SURICATA)

      • ASmartService.exe (PID: 7088)

    • LUMMA has been detected (YARA)

      • ASmartService.exe (PID: 7088)

    • Actions looks like stealing of personal data

      • ASmartService.exe (PID: 7088)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • ASmartService.exe (PID: 7088)

    • Reads the computer name

      • ASmartService.exe (PID: 7088)

    • Reads the software policy settings

      • ASmartService.exe (PID: 7088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:09:07 22:48:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 1372672
InitializedDataSize: 682496
UninitializedDataSize: -
EntryPoint: 0x124b1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 5.250.2.14352
ProductVersionNumber: 5.250.2.14352
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
LegalTrademarks: Fortress is a trademark of Fortress Technologies
ProductName: Fortress
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA asmartservice.exe

Process information

PID
CMD
Path
Indicators
Parent process
7088"C:\Users\admin\AppData\Local\Temp\ASmartService.exe" C:\Users\admin\AppData\Local\Temp\ASmartService.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\asmartservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
427
Read events
427
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
43
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
624
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5236
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5236
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6572
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.23.209.161:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6944
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4020
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.161
  • 2.23.209.154
  • 2.23.209.160
  • 2.23.209.150
  • 2.23.209.144
  • 2.23.209.153
  • 2.23.209.151
  • 2.23.209.143
  • 2.23.209.156
  • 2.16.110.192
  • 2.16.110.147
  • 2.16.110.169
  • 2.16.110.160
  • 2.16.110.146
  • 2.16.110.152
  • 2.16.110.170
  • 2.16.110.176
  • 2.16.110.193
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.52.120.96
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.186.46
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.64
whitelisted
giftedbonus.cyou
  • 188.114.96.3
  • 188.114.97.3
unknown
go.microsoft.com
  • 23.213.170.81
whitelisted
th.bing.com
  • 2.16.110.145
  • 2.16.110.121
  • 2.16.110.138
  • 2.16.110.123
  • 2.16.110.146
  • 2.16.110.160
  • 2.16.110.152
  • 2.16.110.131
  • 2.16.110.147
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ASmartService.exe