File name:	0d76ffbe0f98581de1d01105354f58e5.exe
Full analysis:	https://app.any.run/tasks/fc2c4494-200f-469a-b8b9-d39c53f964a5
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 05:43:11
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	telegram lumma stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	0D76FFBE0F98581DE1D01105354F58E5
SHA1:	03AEF18BF46298BAF402D558120386118D814E9F
SHA256:	D0835A76B47F973764829A2AD73FBCD42308B23A7B2A73743070BCDD47AB1921
SSDEEP:	12288:Q8lxdKiIyc3kIsq55MXrxM97fU7MFNlreGM4:xGjdXP3

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:18 16:09:26+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	310272
InitializedDataSize:	38400
UninitializedDataSize:	-
EntryPoint:	0xb550
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
5868	SIHClient.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5868	SIHClient.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5868	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5868	SIHClient.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
—	—	GET	200	52.149.20.212:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
5868	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5868	SIHClient.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	20.242.39.171:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1228	0d76ffbe0f98581de1d01105354f58e5.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
1228	0d76ffbe0f98581de1d01105354f58e5.exe	172.67.210.170:443	lemurz.digital	CLOUDFLARENET	US	unknown
5868	SIHClient.exe	52.149.20.212:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5868	SIHClient.exe	23.32.238.112:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5868	SIHClient.exe	23.38.73.129:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5868	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
t.me	149.154.167.99	whitelisted
lemurz.digital	172.67.210.170 104.21.66.252	unknown
slscr.update.microsoft.com	52.149.20.212	whitelisted
crl.microsoft.com	23.32.238.112 23.32.238.107	whitelisted
www.microsoft.com	23.38.73.129	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

PID	Process	Class	Message
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lemurz .digital)
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI
1228	0d76ffbe0f98581de1d01105354f58e5.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (lemurz .digital) in TLS SNI

General Info

0d76ffbe0f98581de1d01105354f58e5.exe

0D76FFBE0F98581DE1D01105354F58E5

03AEF18BF46298BAF402D558120386118D814E9F

D0835A76B47F973764829A2AD73FBCD42308B23A7B2A73743070BCDD47AB1921

12288:Q8lxdKiIyc3kIsq55MXrxM97fU7MFNlreGM4:xGjdXP3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Actions looks like stealing of personal data

LUMMA has been detected (YARA)

SUSPICIOUS

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

There is functionality for taking screenshot (YARA)

Searches for installed software

INFO

Checks supported languages

Reads the software policy settings

Reads the computer name

Attempting to use instant messaging service

Reads the machine GUID from the registry

Checks proxy server information

Malware configuration

Lumma

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

Lumma

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings