File name:

Factura-ba9712c8-c998-4585-8c26-e4386a5ed910.zip

Full analysis: https://app.any.run/tasks/d504ab0b-cfcb-45da-9bb0-c2c1b2856d93
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: July 04, 2024, 11:57:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

29B90F24305D8D29B029A108C354CEA9

SHA1:

7F0D72D9C7347375D222018A267B9F1DE3E156A9

SHA256:

CE09808A3F1D7E2D68450A1AA94A52BA56F842DBB72DAC12C843B0048261E010

SSDEEP:

98304:VL96RfHDP6B9XZPGlHWY4pOBns0muFX9x+dptrleNzS/+2ajuw0n6UllZ1qZvdLO:Wa3XdWw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6236)

  • INFO

    • Manual execution by a user

      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6236)

    • Reads the computer name

      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6236)
      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6652)

    • Checks supported languages

      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6652)
      • Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe (PID: 6236)

    • Checks proxy server information

      • slui.exe (PID: 6832)

    • Reads the software policy settings

      • slui.exe (PID: 6952)
      • slui.exe (PID: 6832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:17 17:38:16
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Factura Junio/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
149
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs sppextcomobj.exe no specs slui.exe factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
652"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Factura-ba9712c8-c998-4585-8c26-e4386a5ed910.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6236"C:\Users\admin\Desktop\Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe" C:\Users\admin\Desktop\Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe
explorer.exe
User:
admin
Company:
RAPOO
Integrity Level:
HIGH
Description:
KB&MS Driver
Exit code:
0
Version:
1.7.0.0
Modules
Images
c:\users\admin\desktop\factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6652"C:\Users\admin\Desktop\Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe"C:\Users\admin\Desktop\Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exeFactura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe
User:
admin
Company:
RAPOO
Integrity Level:
HIGH
Description:
KB&MS Driver
Exit code:
0
Version:
1.7.0.0
Modules
Images
c:\users\admin\desktop\factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
6832C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6920C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
6952"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 776
Read events
6 766
Write events
10
Delete events
0

Modification events

(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Factura-ba9712c8-c998-4585-8c26-e4386a5ed910.zip
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6832) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
652WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb652.6498\Factura Junio\Factura-c6d92962-bac5-4a5a-9f36-fbf59f21a7f8.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
71
DNS requests
30
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1828
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
1828
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
3992
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
7008
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
7008
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
3560
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
4264
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
2476
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4656
SearchApp.exe
2.19.120.11:443
Akamai International B.V.
DE
unknown
2064
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1828
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1828
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1828
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1828
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.75
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.177
  • 104.126.37.185
  • 104.126.37.170
  • 104.126.37.123
  • 104.126.37.128
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (richardflorespoew .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (marathonbeedksow .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (raiseboltskdlwpow .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (feighminoritsjda .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strwawrunnygjwu .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pleasurenarrowsdla .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (justifycanddidatewd .shop)
2168
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (falseaudiencekd .shop)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Factura-ba9712c8-c998-4585-8c26-e4386a5ed910.zip