File name:

SalexCheat.exe

Full analysis: https://app.any.run/tasks/51248920-9730-46ba-8a9b-ad1cf39838fd
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: August 11, 2024, 16:30:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

9F4B0933354A7B7D61865AA32C2BA3AB

SHA1:

C8D586FF835D73EF2BD73329F96F1F42A390F0E8

SHA256:

F06C84598BD3FBC67381C7A6EF2A0B5296496E3E641F07977C97B506D2ADC36C

SSDEEP:

24576:2QcL2Nd+zjtSOBRajM0c3U3C7Ri+H0FdwKFM9l/u2IbJN:2QcL2Nd+zjtSOBRajM0WU3C7Ri+HWdwW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • aspnet_regiis.exe (PID: 6632)

    • Connects to the CnC server

      • svchost.exe (PID: 2256)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • aspnet_regiis.exe (PID: 6632)

    • LUMMA has been detected (YARA)

      • aspnet_regiis.exe (PID: 6632)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SalexCheat.exe (PID: 6548)

    • Drops the executable file immediately after the start

      • SalexCheat.exe (PID: 6548)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2256)
      • aspnet_regiis.exe (PID: 6632)

    • Searches for installed software

      • aspnet_regiis.exe (PID: 6632)

  • INFO

    • Checks supported languages

      • SalexCheat.exe (PID: 6548)
      • aspnet_regiis.exe (PID: 6632)

    • Reads the computer name

      • aspnet_regiis.exe (PID: 6632)
      • SalexCheat.exe (PID: 6548)

    • Reads the software policy settings

      • aspnet_regiis.exe (PID: 6632)

    • Creates files or folders in the user directory

      • SalexCheat.exe (PID: 6548)

    • Reads the machine GUID from the registry

      • aspnet_regiis.exe (PID: 6632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(6632) aspnet_regiis.exe
C2 (9)bassizcellskz.shop
deallerospfosu.shop
complaintsipzzx.shop
cancedhoeysopzv.shop
languagedscie.shop
writerospzm.shop
mennyudosirso.shop
celebratioopz.shop
quialitsuzoxm.shop
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:11 14:15:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 735744
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xb588e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 1.3.0.5
ProductVersionNumber: 1.3.0.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Connecting the world through cutting-edge digital solutions.
CompanyName: AetherLink Inc.
FileDescription: AetherLink Technologies
FileVersion: 1.3.0.5
InternalName: Edward928Penny.pdf
LegalCopyright: Copyright © 2024
LegalTrademarks: AetherLink Technologies Trademark
OriginalFileName: Edward928Penny.pdf
ProductName: AetherLink Advanced Suite
ProductVersion: 1.3.0.5
AssemblyVersion: 1.3.0.5
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start salexcheat.exe conhost.exe no specs #LUMMA aspnet_regiis.exe #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6548"C:\Users\admin\Desktop\SalexCheat.exe" C:\Users\admin\Desktop\SalexCheat.exe
explorer.exe
User:
admin
Company:
AetherLink Inc.
Integrity Level:
MEDIUM
Description:
AetherLink Technologies
Exit code:
0
Version:
1.3.0.5
Modules
Images
c:\users\admin\desktop\salexcheat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6556\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSalexCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6632"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
SalexCheat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_regiis.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_regiis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
Lumma
(PID) Process(6632) aspnet_regiis.exe
C2 (9)bassizcellskz.shop
deallerospfosu.shop
complaintsipzzx.shop
cancedhoeysopzv.shop
languagedscie.shop
writerospzm.shop
mennyudosirso.shop
celebratioopz.shop
quialitsuzoxm.shop
Total events
3 874
Read events
3 874
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6548SalexCheat.exeC:\Users\admin\AppData\Roaming\d3d9x.dllexecutable
MD5:CE301A5873DA627136DB3E73C1C49A64
SHA256:ED4A5E158B2BDFC451F544211A3AC1B90DA6E18E320F89301D051ACB9849BE3E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
21
DNS requests
8
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
null:443
https://writerospzm.shop/api
unknown
text
2 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
18 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
18 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
18 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
16.5 Kb
POST
200
null:443
https://writerospzm.shop/api
unknown
text
18 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
48 b
POST
200
null:443
https://writerospzm.shop/api
unknown
text
18 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4060
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1184
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
6632
aspnet_regiis.exe
172.67.166.231:443
writerospzm.shop
CLOUDFLARENET
US
unknown
4
System
192.168.100.255:137
whitelisted
4060
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
cancedhoeysopzv.shop
malicious
celebratioopz.shop
malicious
writerospzm.shop
  • 172.67.166.231
  • 104.21.16.74
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (celebratioopz .shop)
2256
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (writerospzm .shop)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
6632
aspnet_regiis.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Lumma Stealer Related Domain (writerospzm .shop in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SalexCheat.exe