File name: Setup.exe

Full analysis: https://app.any.run/tasks/bc021df6-7ad0-48da-b86b-0f9e0ac95ebd
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: December 14, 2024, 12:06:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
lumma
stealer
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: CE1B37396E8137D1D16707B60FAFBD4A
SHA1: 40AFB0B4E91462CCAD12B91063774D067F6D2B05
SHA256: F1A371F40F50BB0C9382F28EC5D415D07550CAB72B1211D4F3E0035252798DB4
SSDEEP: 49152:+OH9zsVFCD172Sk2qbzBfkrdaNh2eGDAosyUCKP3Niq8FYClvNSAPeaES8vs7QSx:+azeFE172SknbQcNAeEA3ZP3Ni9YKDeC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • Setup.exe (PID: 6280)
    • AutoIt loader has been detected (YARA)
      • Jose.com (PID: 6828)
    • LUMMA mutex has been found
      • Jose.com (PID: 6828)
    • Steals credentials from Web Browsers
      • Jose.com (PID: 6828)
    • Changes powershell execution policy (Bypass)
      • Jose.com (PID: 6828)
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 7040)
    • Actions look like stealing of personal data
      • Jose.com (PID: 6828)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • Setup.exe (PID: 6280)
    • Executing commands from ".cmd" file
      • Setup.exe (PID: 6280)
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 6332)
    • Starts CMD.EXE for commands execution
      • Setup.exe (PID: 6280)
      • cmd.exe (PID: 6332)
    • Get information on the list of running processes
      • cmd.exe (PID: 6332)
    • Application launched itself
      • cmd.exe (PID: 6332)
    • The executable file from the user directory is run by the CMD process
      • Jose.com (PID: 6828)
    • Starts the AutoIt3 executable file
      • cmd.exe (PID: 6332)
    • Starts application with an unusual extension
      • cmd.exe (PID: 6332)
    • The process executes Powershell scripts
      • Jose.com (PID: 6828)
    • Starts POWERSHELL.EXE for commands execution
      • Jose.com (PID: 6828)
  • INFO
    • Checks supported languages
      • Setup.exe (PID: 6280)
      • Jose.com (PID: 6828)
    • Reads the computer name
      • Setup.exe (PID: 6280)
      • Jose.com (PID: 6828)
    • Process checks computer location settings
      • Setup.exe (PID: 6280)
    • Create files in a temporary directory
      • Setup.exe (PID: 6280)
    • Reads mouse settings
      • Jose.com (PID: 6828)
    • Creates a new folder
      • cmd.exe (PID: 6732)
    • Reads the software policy settings
      • Jose.com (PID: 6828)
    • Reads the machine GUID from the registry
      • Jose.com (PID: 6828)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 7040)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: 6
OSVersion: 5
EntryPoint: 0x38af
UninitializedDataSize: 16896
InitializedDataSize: 544256
CodeSize: 29696
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2012:02:24 19:20:04+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 131
Monitored processes: 14
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph, in order:
  • setup.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • jose.com (#LUMMA)
  • choice.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)

Process information

PID: 6280
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 6332
CMD: "C:\Windows\System32\cmd.exe" /c copy Multi Multi.cmd && Multi.cmd
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6344
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6524
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6532
CMD: findstr /I "opssvc wrsa"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6668
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6676
CMD: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6732
CMD: cmd /c md 559810
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6788
CMD: findstr /V "Election" Anderson
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6808
CMD: cmd /c copy /b ..\Make + ..\Hydrogen + ..\Oxford + ..\Confirmation + ..\Elliott + ..\Sas + ..\Volkswagen y
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 7 830
Read events: 7 830
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 21
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Sas | binary
MD5: A0ACEDC35B1FBFE24366FD2AF3E4BA1A
SHA256: 198A0250B25BC267856F9178E649EE924A8D002B8AB5D38F972C15E117CFB8C4
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Make | binary
MD5: C1C51D418E57E3890204B317BAE54934
SHA256: 44C6DC68351661EA6DFA9974CCC6B6CCE8E852A5A7AF8D81E95514E01D5FCB72
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Syntax | binary
MD5: B0D56EC11C9F5E2BE5EC10EE9EC29438
SHA256: C090ED1C6E9A558FE54FFFA401AAD2198FDEF68A420D2F5CE8DE74D087ECCE2B
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Oxford | binary
MD5: 59BE39C1AE910E0778C1BC40523E08AE
SHA256: 2012EC70F0430818BC9BC18EFB5B1B87F3496374514676EF4447B971CAA4D531
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Pal | binary
MD5: D5120019D0EC7CE464BDC3FDFD8AAA33
SHA256: 595D11A850A089EB802390BDE9CE133DEE109EC6CD78109D3224465CE5875012
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Quotations | binary
MD5: 773031B58B37D74B08EFB3D7E6C3D047
SHA256: 2FBC9DC356CFABA63365EDDD7BC12A793E07902902576054271CE2739A2A4EE2
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Passed | abr
MD5: B000FC5FF715128DBE7E99E1165990DE
SHA256: BDC99B9AA5CA405460ADC1C83028A4D8548DFA4082B4B41C86D8BEFEA534E43B
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Representative | binary
MD5: 8A7A703BB2167D017E564C2C00437D0F
SHA256: 19C2F84AC83244EE201B17E7549ADE191475B8BC6977DCFE539B61D44B635B2F
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Anderson | binary
MD5: B8567F25208AE1BC3C33AA9A4D0AE810
SHA256: CF068ECAB80EBAC1EA2D6E086195FD78B430FC7ED2868EB3399CECE7CA2D711A
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Relate | binary
MD5: 1472CAC52594968BFBC79744363AED17
SHA256: 687F45170A0ED1E626779655A4C8341686830717D96304AAFFEC378CDBE69115
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 10
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 2 b | -
- | - | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 16 b | -
- | - | GET | 200 | 104.26.2.16:443 | https://rentry.co/feouewe5/raw | unknown | html | 5.53 Kb | -
- | - | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | -
- | - | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 18.2 Kb | -
- | - | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1380 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.17:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1380 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.177
  • 2.23.209.148
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.179
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.164.17
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
XCOTYjutjvYWaIGlF.XCOTYjutjvYWaIGlF
unknown
formydamagero.click
  • 188.114.97.3
  • 188.114.96.3
unknown
rentry.co
  • 104.26.3.16
  • 172.67.75.40
  • 104.26.2.16
unknown
self.events.data.microsoft.com
  • 20.50.201.205
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
- | - | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)