URL:	https://www.mediafire.com/file/pdz6dpi43ibqs1t/#Pa$w0rD__6678--0peɴ_Set-Up@#.zip/file
Full analysis:	https://app.any.run/tasks/29eb38ab-3d28-4753-b566-2f5e21192597
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 26, 2025, 10:01:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	autoit stealer lumma
Indicators:
MD5:	B6922E453D95553FD1D6B75699D4B697
SHA1:	B36DB852C2568C1C57D17F08E1C6787C864D2935
SHA256:	D0C1D3D6560AAFAC8D73B26180962792290FC99AC04AA3603CAAD95F5978309F
SSDEEP:	3:N8DSLw3eGUofMHUTsBBS9jH8LcY9:2OLw3eGLMHUTOS9jfo


(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(3564) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 48AF1D532F8B2F00
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328228
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {4A7DD2D2-7403-4CCD-9666-76A68215C38A}
(PID) Process:	(3564) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 5F8F2A532F8B2F00
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328228
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {3AEDE421-12E8-43C7-932F-03DE3B626C64}
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328228
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {929B6790-8EF0-4ADE-AB96-5098EEDBBE27}
(PID) Process:	(3564) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328228
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {96A2734A-3716-4055-A314-F43D6C9B8034}

PID	Process	Filename		Type
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1358d1.TMP		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1358d1.TMP		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1358d1.TMP		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1358e1.TMP		—
		MD5:—	SHA256:—
3564	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	GET	200	104.16.79.73:443	https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015	unknown	—	—	—
—	—	POST	204	216.239.34.36:443	https://region1.analytics.google.com/g/collect?v=2&tid=G-K68XP6D85D&gtm=45je51n0v887485693z86304663za200zb6304663&_p=1737885681302&_gaz=1&gcd=13l3lPl2l1l1&npa=1&dma_cps=syphamo&dma=1&tag_exp=102067555~102067808~102081485~102123608&cid=1004184966.1737885682&ul=en-us&sr=1280x720&uaa=x86&uab=64&uafvl=Chromium%3B122.0.6261.70%7CNot(A%253ABrand%3B24.0.0.0%7CMicrosoft%2520Edge%3B122.0.2365.59&uamb=0&uam=&uap=Windows&uapv=10.0.0&uaw=0&frm=0&pscdl=noapi&_s=1&sid=1737885682&sct=1&seg=0&dl=https%3A%2F%2Fwww.mediafire.com%2Ffile%2Fpdz6dpi43ibqs1t%2F&dt=%23Pa%24%24w0rD__6678--0pe%C9%B4_Set-Up%40%23&en=page_view&_fv=1&_nsi=1&_ss=1&up.page_url=https%3A%2F%2Fwww.mediafire.com%2Ffile%2Fpdz6dpi43ibqs1t%2F&tfd=2078	unknown	—	—	—
—	—	POST	204	142.250.186.110:443	https://stats.g.doubleclick.net/g/collect?v=2&tid=G-K68XP6D85D&cid=1004184966.1737885682&gtm=45je51n0v887485693z86304663za200zb6304663&aip=1&dma=1&dma_cps=syphamo&gcd=13l3lPl2l1l1&npa=1&frm=0&tag_exp=102067555~102067808~102081485~102123608	unknown	—	—	—
—	—	GET	200	172.217.18.8:443	https://www.googletagmanager.com/gtag/js?id=UA-829541-1	unknown	binary	215 Kb	whitelisted
—	—	GET	200	18.245.86.69:443	https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js	unknown	binary	67.8 Kb	whitelisted
—	—	OPTIONS	504	23.48.23.152:443	https://bzib.nelreports.net/api/report?cat=bingbusiness	unknown	html	278 b	whitelisted
—	—	GET	200	172.217.18.8:443	https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T	unknown	binary	309 Kb	whitelisted
—	—	GET	200	142.250.186.110:443	https://www.google-analytics.com/analytics.js	unknown	binary	51.6 Kb	whitelisted
—	—	GET	200	142.250.186.174:443	https://translate.google.com/translate_a/element.js?cb=googHeadTranslate	unknown	binary	78.4 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	92.123.104.64:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1488	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3564	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6352	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6352	msedge.exe	104.17.151.117:443	www.mediafire.com	—	—	shared
6352	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
www.bing.com	92.123.104.64 92.123.104.54 92.123.104.65 92.123.104.59 92.123.104.52 92.123.104.61 92.123.104.60 92.123.104.58 92.123.104.62 92.123.104.10 92.123.104.5 92.123.104.67 92.123.104.7 92.123.104.44 92.123.104.49 92.123.104.47 92.123.104.40 92.123.104.38 92.123.104.43 92.123.104.34 92.123.104.46 92.123.104.51	whitelisted
google.com	142.250.186.78	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
www.mediafire.com	104.17.151.117 104.17.150.117	shared
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted
www.googletagmanager.com	142.250.185.72	whitelisted
static.mediafire.com	104.17.151.117 104.17.150.117	shared
bzib.nelreports.net	23.48.23.152 23.48.23.151	whitelisted

PID	Process	Class	Message
6352	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
6352	msedge.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup
6352	msedge.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
6352	msedge.exe	Potentially Bad Traffic	ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
6352	msedge.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2192	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
7644	AutoIt3.exe	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)

General Info

https://www.mediafire.com/file/pdz6dpi43ibqs1t/#Pa$w0rD__6678--0peɴ_Set-Up@#.zip/file

B6922E453D95553FD1D6B75699D4B697

B36DB852C2568C1C57D17F08E1C6787C864D2935

D0C1D3D6560AAFAC8D73B26180962792290FC99AC04AA3603CAAD95F5978309F

3:N8DSLw3eGUofMHUTsBBS9jH8LcY9:2OLw3eGLMHUTOS9jfo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Steals credentials from Web Browsers

LUMMA mutex has been found

Actions looks like stealing of personal data

Bypass execution policy to execute commands

LUMMA has been detected (YARA)

Changes powershell execution policy (Bypass)

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Application launched itself

Starts the AutoIt3 executable file

Searches for installed software

There is functionality for taking screenshot (YARA)

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

The sample compiled with english language support

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

Application launched itself

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Script raised an exception (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings