File name: 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch

Full analysis: https://app.any.run/tasks/33930d84-5815-46e2-a833-71ed9efb9cc1
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: December 14, 2024, 01:11:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
lumma
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 7 sections
MD5: 7EAAE0A4E47C256E0FF0519023999395
SHA1: A6BC54BB527CDC54F410D7B0418D754710E55590
SHA256: E15A9FA593FF375FCC468F70AB1711E7AE0E38DF238C072F082276532EAEC11C
SSDEEP: 49152:aH97br5elIt6TujRGJx7XloLxMJ7PVJq8DHyqbsRx4D9QVm6/BImENohHqC5ybZc:meeRw2iehHZ5m+uXrwnm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • BitLockerToGo.exe (PID: 6004)
    • Steals credentials from Web Browsers

      • BitLockerToGo.exe (PID: 6004)
    • LUMMA mutex has been found

      • BitLockerToGo.exe (PID: 6004)
    • LUMMA has been detected (YARA)

      • BitLockerToGo.exe (PID: 6004)
  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (PID: 3688)
  • INFO

    • Drops encrypted JS script (Microsoft Script Encoder)

      • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (PID: 3688)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (PID: 3688)
    • Reads the computer name

      • BitLockerToGo.exe (PID: 6004)
    • Reads the machine GUID from the registry

      • BitLockerToGo.exe (PID: 6004)
    • The sample was compiled with English language support

      • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (PID: 3688)
    • Reads the software policy settings

      • BitLockerToGo.exe (PID: 6004)
    • Checks supported languages

      • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (PID: 3688)
      • BitLockerToGo.exe (PID: 6004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 2289152
InitializedDataSize: 247296
UninitializedDataSize: -
EntryPoint: 0x64500
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 8.3.14.0
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: AbstractSpoon Software
FileDescription: TDLUpdate
FileVersion: 8.3.14.0
InternalName: TDLUpdate
LegalCopyright: Copyright (c) AbstractSpoon 2015-20
LegalTrademarks: -
OriginalFileName: TDLUpdate.exe
PrivateBuild: -
ProductName: TDLUpdate
ProductVersion: 1, 0, 0, 1
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph:
  • start
  • 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe (no specs)
  • reg.exe (no specs)
  • conhost.exe (no specs)
  • bitlockertogo.exe (#LUMMA)

Process information

Fields: PID, CMD, Path, Indicators, Parent process
PID: 3688
CMD: "C:\Users\admin\Desktop\2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe"
Path: C:\Users\admin\Desktop\2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe
Parent process: explorer.exe
User: admin
Company: AbstractSpoon Software
Integrity Level: MEDIUM
Description: TDLUpdate
Exit code: 666
Version: 8.3.14.0
Modules (images):
c:\users\admin\desktop\2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5460
CMD: reg query HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon /v version
Path: C:\Windows\SysWOW64\reg.exe
Parent process: 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6004
CMD: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Parent process: 2024-12-14_7eaae0a4e47c256e0ff0519023999395_frostygoop_poet-rat_snatch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: BitLocker To Go Reader
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events: 3 515
Read events: 3 515
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 23
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2736 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2736 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 104.21.16.1:443 | https://ceaselesdu.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 104.21.96.1:443 | https://ceaselesdu.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 104.21.80.1:443 | https://ceaselesdu.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 104.21.64.1:443 | https://ceaselesdu.click/api | unknown | text | 18.2 Kb | -
- | - | POST | 200 | 104.21.112.1:443 | https://ceaselesdu.click/api | unknown | text | 76 b | -
- | - | POST | 200 | 104.21.32.1:443 | https://ceaselesdu.click/api | unknown | text | 16 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2736 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2736 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2736 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ceaselesdu.click
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.80.1
unknown
self.events.data.microsoft.com
  • 40.79.150.121
whitelisted

Threats

No threats detected
No debug info