File name:

Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a

Full analysis: https://app.any.run/tasks/8e296459-377c-4fd3-a802-d9496b2831c7
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 16:11:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:

8589E83701B9C0AA56357E890291379A

SHA1:

33DADF42FD7EE111661B1FB6B9DE420E559BF911

SHA256:

F049D17717FF192C1CEDED3B17C38C340DAD6311F697A1646F6D4DEFECEC735A

SSDEEP:

49152:foO2O1Pr3SNgurv953EF7VZ4bZkQmed3uD0gA6JP62c953EF7VZ4bZkQmed3uD0Y:nP6VA1VZ4bnN87cA1VZ4bnN87b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe (PID: 7144)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 960)

    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 960)

    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 960)

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 960)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe (PID: 7144)

    • Process drops legitimate windows executable

      • Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe (PID: 7144)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 960)

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 960)

    • Searches for installed software

      • MSBuild.exe (PID: 960)

  • INFO

    • The sample compiled with english language support

      • Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe (PID: 7144)

    • Checks supported languages

      • MSBuild.exe (PID: 960)
      • Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe (PID: 7144)

    • Reads the software policy settings

      • MSBuild.exe (PID: 960)
      • slui.exe (PID: 1512)

    • Reads the computer name

      • MSBuild.exe (PID: 960)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 960)

    • Attempting to use instant messaging service

      • MSBuild.exe (PID: 960)

    • Checks proxy server information

      • slui.exe (PID: 1512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(960) MSBuild.exe
C2 (11)featurlyin.top/pdal
overcovtcg.top/juhd
blackswmxc.top/bgry
https://t.me/wermnjgk34
zmedtipp.live/mnvzx
barmgek.digital/bmx
flowerexju.bet/lanz
posseswsnc.top/akds
venaetdqfn.run/gjud
araucahkbm.live/baneb
easterxeen.run/zavc
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:10 13:27:14+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 331776
InitializedDataSize: 70656
UninitializedDataSize: -
EntryPoint: 0x3c0c8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.1
ProductVersionNumber: 10.0.19041.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: TCP/IP Netstat Command
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: netstat.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: netstat.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe no specs #LUMMA msbuild.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
960"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Lumma
(PID) Process(960) MSBuild.exe
C2 (11)featurlyin.top/pdal
overcovtcg.top/juhd
blackswmxc.top/bgry
https://t.me/wermnjgk34
zmedtipp.live/mnvzx
barmgek.digital/bmx
flowerexju.bet/lanz
posseswsnc.top/akds
venaetdqfn.run/gjud
araucahkbm.live/baneb
easterxeen.run/zavc
1512C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7144"C:\Users\admin\Desktop\Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe" C:\Users\admin\Desktop\Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
6 801
Read events
6 801
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
49
DNS requests
18
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2564
RUXIMICS.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2564
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5072
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2564
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2564
RUXIMICS.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
960
MSBuild.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
960
MSBuild.exe
104.21.80.1:443
venaetdqfn.run
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.46
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
t.me
  • 149.154.167.99
whitelisted
venaetdqfn.run
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.32.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.16.1
  • 104.21.96.1
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
960
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_f049d17717ff192c1ceded3b17c38c340dad6311f697a1646f6d4defecec735a