File name:

asd.exe

Full analysis: https://app.any.run/tasks/0991e411-0200-4136-bf2a-cdd22c47b988
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 08, 2025, 09:11:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

48AE927FF130DD0E9883D41A9CDF6514

SHA1:

9AFA190D5E46E32AEC767E2F3D366E268CE5B0CE

SHA256:

E6C75BA5D611E79D680EA437A8D874D2D001003FD2297C0F20F1ED06471BC002

SSDEEP:

12288:B5iyJN/bYncps/VveGtTdWdFuZys9CUvgza4Rc:BxTaVveGtwFuZys9CUCTRc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)

    • Executes application which crashes

      • asd.exe (PID: 6132)

  • INFO

    • Reads the software policy settings

      • asd.exe (PID: 6132)
      • WerFault.exe (PID: 1296)

    • Reads the machine GUID from the registry

      • asd.exe (PID: 6132)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1296)

    • Checks supported languages

      • asd.exe (PID: 6132)

    • Checks proxy server information

      • WerFault.exe (PID: 1296)

    • Reads the computer name

      • asd.exe (PID: 6132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:20 22:19:17+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 388096
InitializedDataSize: 69120
UninitializedDataSize: -
EntryPoint: 0x871b
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 61.0.0.0
ProductVersionNumber: 71.0.0.0
FileFlagsMask: 0x765a
FileFlags: (none)
FileOS: Unknown (0x326)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0324)
CharacterSet: Unknown (14E2)
FileVersions: 21.61.85.6
InternalName: ChickenPlanes
FileDescription: Micrar
OriginalFilenames: Odilemio
ProductVersions: 17.21.14.17
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start asd.exe #LUMMA svchost.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6132 -s 644C:\Windows\SysWOW64\WerFault.exe
asd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6132"C:\Users\admin\Desktop\asd.exe" C:\Users\admin\Desktop\asd.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\asd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msimg32.dll
Total events
9 151
Read events
9 151
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1296WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_asd.exe_61c5959f5fa884b224fe8127d1a5716d2ad95c_cd7cc746_4112e28f-a1ee-4830-ae76-bba1d4115c68\Report.wer
MD5:
SHA256:
1296WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6BAF.tmp.WERInternalMetadata.xmlxml
MD5:553568870E8754B894D7B21E4EF1D255
SHA256:D6A0F5DC4E3CEF96F443039A8BE8A6F8A0ADDC9F61786ADC6A7D55C89B4A365B
1296WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6AF2.tmp.dmpbinary
MD5:2DDB79B20BE7BDE53CE2D94706C3AFC3
SHA256:DC57AB72FA20FA3C87FCC6442C333B03E3FE611EFC02B05CC666FCF4E5E3F00B
1296WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\asd.exe.6132.dmpbinary
MD5:AED935C751D317B1331F4F9B9560BB0C
SHA256:1E790805C3861A75F4F5FB660D963BD5B69F6BB7C74970AE562A52CF4C9CD1BC
1296WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6BCF.tmp.xmlxml
MD5:7320125F672B0CB5465E54F13FD71BA9
SHA256:08A155C5C47F3EDF75F87B214AC837A7E6900481AD5A39B3D941D2332CC86D53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
17
DNS requests
18
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
104.102.49.254:443
https://steamcommunity.com/profiles/76561199724331900
unknown
html
25.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
372
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6132
asd.exe
104.102.49.254:443
steamcommunity.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1296
WerFault.exe
52.168.117.173:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
brendon-sharjen.biz
malicious
immureprech.biz
malicious
deafeninggeh.biz
malicious
effecterectz.xyz
malicious
diffuculttan.xyz
malicious
debonairnukk.xyz
malicious
wrathful-jammy.cyou
unknown
awake-weaves.cyou
malicious

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
asd.exe