analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Setup.exe

Full analysis: https://app.any.run/tasks/7b90dd8a-e27a-4a32-a73d-bc6579b83228
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: November 05, 2024, 04:58:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
amadey
botnet
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

65BB8F238E7AB57D49BB97571E96ABBE

SHA1:

91D2BA33479066D957B917B59CE5DD4091C645BB

SHA256:

CACC573A567A5B3DD379E8D9CBAC8E5B4F325F77D8C2814BC3B678BB084D71DC

SSDEEP:

98304:23Vj8l+OF4wAgIVHqGg7qYOE7qH0jdCflzJcJvx5CukXy910ohYIWZAuQIQmW9V9:HP8dzWh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2172)
      • Kobzar.pif (PID: 6336)
    • Connects to the CnC server

      • svchost.exe (PID: 2172)
      • explorer.exe (PID: 6552)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6368)
    • Stealers network behavior

      • svchost.exe (PID: 2172)
    • Changes powershell execution policy (Bypass)

      • Kobzar.pif (PID: 6336)
    • AMADEY has been detected (SURICATA)

      • explorer.exe (PID: 6552)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • choice.exe (PID: 6676)
    • Executable content was dropped or overwritten

      • choice.exe (PID: 6676)
      • Kobzar.pif (PID: 6336)
      • AutoIt3.exe (PID: 7024)
    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2172)
      • Kobzar.pif (PID: 6336)
      • explorer.exe (PID: 6552)
    • Starts POWERSHELL.EXE for commands execution

      • Kobzar.pif (PID: 6336)
    • The process executes Powershell scripts

      • Kobzar.pif (PID: 6336)
    • Starts itself from another location

      • Kobzar.pif (PID: 6336)
  • INFO

    • Checks supported languages

      • Setup.exe (PID: 6548)
    • Reads the computer name

      • Setup.exe (PID: 6548)
    • Create files in a temporary directory

      • Setup.exe (PID: 6548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (21.9)
.exe | Win64 Executable (generic) (14.1)
.exe | Win32 Executable (generic) (2.3)
.exe | Generic Win/DOS Executable (1)

EXIF

EXE

ProductVersion: 3.8.21.1854
ProductName: UDL Client
OriginalFileName:
LegalCopyright: Argon Digital, 2023
FileVersion: 3.8.21.1854
FileDescription: UDL Client Installer
CompanyName: Argon Digital FZ-LLC
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.8.21.1854
FileVersionNumber: 3.8.21.1854
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x7d090
UninitializedDataSize: -
InitializedDataSize: 6190592
CodeSize: 3918848
LinkerVersion: 9
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2018:07:03 09:45:42+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
52
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start setup.exe no specs choice.exe conhost.exe no specs #LUMMA kobzar.pif #LUMMA svchost.exe w153rev153vsix6zanppodpwytt9ec.exe no specs powershell.exe no specs conhost.exe no specs choice.exe no specs conhost.exe no specs autoit3.exe microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs microsoftedgeupdatecore.exe no specs #AMADEY explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
6548"C:\Users\admin\AppData\Local\Temp\Setup.exe" C:\Users\admin\AppData\Local\Temp\Setup.exeexplorer.exe
User:
admin
Company:
Argon Digital FZ-LLC
Integrity Level:
MEDIUM
Description:
UDL Client Installer
Exit code:
1
Version:
3.8.21.1854
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6676C:\WINDOWS\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exe
Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exechoice.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6336C:\Users\admin\AppData\Local\Temp\Kobzar.pifC:\Users\admin\AppData\Local\Temp\Kobzar.pif
choice.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 15, 1
Modules
Images
c:\users\admin\appdata\local\temp\has
c:\users\admin\appdata\local\temp\kobzar.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
2172C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5084"C:\Users\admin\AppData\Local\Temp\W153REV153VSIX6ZANPPODPWYTT9EC.exe"C:\Users\admin\AppData\Local\Temp\W153REV153VSIX6ZANPPODPWYTT9EC.exeKobzar.pif
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\w153rev153vsix6zanppodpwytt9ec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\msvcrt.dll
6368powershell -exec bypass -f "C:\Users\admin\AppData\Local\Temp\JCMQLS4E1VBJ5RSFDW84ARL5OB8.ps1"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKobzar.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
7144\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6364C:\WINDOWS\SysWOW64\choice.exeC:\Windows\SysWOW64\choice.exeW153REV153VSIX6ZANPPODPWYTT9EC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
4692\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exechoice.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
5 949
Read events
5 944
Write events
5
Delete events
0

Modification events

(PID) Process:(5084) W153REV153VSIX6ZANPPODPWYTT9EC.exeKey:HKEY_CURRENT_USER\SOFTWARE\PSPad
Operation:writeName:Ready5
Value:
0
(PID) Process:(7024) AutoIt3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:ebhhaeg
Value:
"C:\hbcfbdf\AutoIt3.exe" C:\hbcfbdf\ebhhaeg.a3x
(PID) Process:(6552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
4
Suspicious files
8
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6676choice.exeC:\Users\admin\AppData\Local\Temp\has
MD5:
SHA256:
6336Kobzar.pifC:\Users\admin\AppData\Local\Temp\N660U5\Afflicted.a3x
MD5:
SHA256:
7024AutoIt3.exeC:\hbcfbdf\ebhhaeg.a3x
MD5:
SHA256:
6364choice.exeC:\Users\admin\AppData\Local\Temp\iaysd
MD5:
SHA256:
6368powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:E151B7AABED40F09105990622E70A176
SHA256:ED86BD513D13694F006EE8B4BFA87636CD45D711054DD7B478E38D38E1E0C811
6548Setup.exeC:\Users\admin\AppData\Local\Temp\7aee7072image
MD5:9C3D83A45EC091D8D3A23117EDE3BCA0
SHA256:831AD01394129B1820DE16B1FCD6042614231E8600E86471BB0C2738626E2C05
6676choice.exeC:\Users\admin\AppData\Local\Temp\Kobzar.pifexecutable
MD5:3F58A517F1F4796225137E7659AD2ADB
SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
7024AutoIt3.exeC:\hbcfbdf\AutoIt3.exeexecutable
MD5:3F58A517F1F4796225137E7659AD2ADB
SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
5084W153REV153VSIX6ZANPPODPWYTT9EC.exeC:\Users\admin\AppData\Local\Temp\83661d78binary
MD5:2DAAA38C23AFED2FA7FABF05F1CA862D
SHA256:1C143E659F2326ABEE9F59256FAAD47E74964E9ACAC0FCEC03487A28E0708F58
6336Kobzar.pifC:\Users\admin\AppData\Local\Temp\JCMQLS4E1VBJ5RSFDW84ARL5OB8.ps1text
MD5:693E9508C2BA8101E5BF015EB63C2F90
SHA256:E11BACBC5E8CAC30550A8879545F8018AC80F11700CD77A6C4A59B2AFED13485
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
50
DNS requests
32
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4360
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
3948
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
6552
explorer.exe
POST
200
104.21.23.211:80
http://moviecentral-petparade.com/g9jvjfd73/index.php
unknown
unknown
5232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
6552
explorer.exe
POST
200
104.21.23.211:80
http://moviecentral-petparade.com/g9jvjfd73/index.php
unknown
unknown
5232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
6336
Kobzar.pif
GET
200
142.250.181.227:80
http://c.pki.goog/r/r4.crl
unknown
unknown
6336
Kobzar.pif
GET
200
142.250.181.227:80
http://c.pki.goog/r/gsr1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
944
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
104.126.37.144:443
www.bing.com
Akamai International B.V.
DE
unknown
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6944
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
5488
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 20.73.194.208
unknown
www.bing.com
  • 104.126.37.144
  • 104.126.37.178
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.136
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.137
  • 104.126.37.154
  • 104.126.37.123
  • 104.126.37.145
unknown
google.com
  • 142.250.185.142
unknown
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
unknown
www.microsoft.com
  • 184.30.21.171
unknown
login.live.com
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.75
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
th.bing.com
  • 104.126.37.130
  • 104.126.37.139
  • 104.126.37.144
  • 104.126.37.137
  • 104.126.37.154
  • 104.126.37.123
  • 104.126.37.145
  • 104.126.37.131
  • 104.126.37.128
unknown
go.microsoft.com
  • 184.30.17.189
unknown
slscr.update.microsoft.com
  • 52.149.20.212
unknown

Threats

PID
Process
Class
Message
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (proggresinvj .cyou)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (proggresinvj .cyou in TLS SNI)
Domain Observed Used for C2 Detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (creative-habitat .shop)
Domain Observed Used for C2 Detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (creative-habitat .shop)
Domain Observed Used for C2 Detected
STEALER [ANY.RUN] Domain has been identified as part of Lumma Stealer's infrastructure (creative-habitat .shop)
4 ETPRO signatures available at the full report
No debug info