File name: Setup.exe

Full analysis: https://app.any.run/tasks/bc021df6-7ad0-48da-b86b-0f9e0ac95ebd
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: December 14, 2024, 12:06:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autoit, lumma, stealer, autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: CE1B37396E8137D1D16707B60FAFBD4A
SHA1: 40AFB0B4E91462CCAD12B91063774D067F6D2B05
SHA256: F1A371F40F50BB0C9382F28EC5D415D07550CAB72B1211D4F3E0035252798DB4
SSDEEP: 49152:+OH9zsVFCD172Sk2qbzBfkrdaNh2eGDAosyUCKP3Niq8FYClvNSAPeaES8vs7QSx:+azeFE172SknbQcNAeEA3ZP3Ni9YKDeC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Setup.exe (PID: 6280)
    • AutoIt loader has been detected (YARA)

      • Jose.com (PID: 6828)
    • LUMMA mutex has been found

      • Jose.com (PID: 6828)
    • Changes powershell execution policy (Bypass)

      • Jose.com (PID: 6828)
    • Steals credentials from Web Browsers

      • Jose.com (PID: 6828)
    • Actions looks like stealing of personal data

      • Jose.com (PID: 6828)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7040)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 6280)
    • Executing commands from ".cmd" file

      • Setup.exe (PID: 6280)
    • Starts CMD.EXE for commands execution

      • Setup.exe (PID: 6280)
      • cmd.exe (PID: 6332)
    • Get information on the list of running processes

      • cmd.exe (PID: 6332)
    • Application launched itself

      • cmd.exe (PID: 6332)
    • The executable file from the user directory is run by the CMD process

      • Jose.com (PID: 6828)
    • Starts POWERSHELL.EXE for commands execution

      • Jose.com (PID: 6828)
    • The process executes Powershell scripts

      • Jose.com (PID: 6828)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6332)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6332)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6332)
  • INFO

    • Create files in a temporary directory

      • Setup.exe (PID: 6280)
    • Reads the computer name

      • Setup.exe (PID: 6280)
      • Jose.com (PID: 6828)
    • Checks supported languages

      • Setup.exe (PID: 6280)
      • Jose.com (PID: 6828)
    • Process checks computer location settings

      • Setup.exe (PID: 6280)
    • Creates a new folder

      • cmd.exe (PID: 6732)
    • Reads the machine GUID from the registry

      • Jose.com (PID: 6828)
    • Reads the software policy settings

      • Jose.com (PID: 6828)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7040)
    • Reads mouse settings

      • Jose.com (PID: 6828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:20:04+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 29696
InitializedDataSize: 544256
UninitializedDataSize: 16896
EntryPoint: 0x38af
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 131
Monitored processes: 14
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the order shown in the graph ("no specs" is the report's own marker for a process without recorded specifics):
  • start
  • setup.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • tasklist.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • findstr.exe (no specs)
  • cmd.exe (no specs)
  • jose.com (#LUMMA)
  • choice.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)

Process information

PID: 6280
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6332
CMD: "C:\Windows\System32\cmd.exe" /c copy Multi Multi.cmd && Multi.cmd
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6344
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6524
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6532
CMD: findstr /I "opssvc wrsa"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6668
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6676
CMD: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6732
CMD: cmd /c md 559810
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6788
CMD: findstr /V "Election" Anderson
Path: C:\Windows\SysWOW64\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6808
CMD: cmd /c copy /b ..\Make + ..\Hydrogen + ..\Oxford + ..\Confirmation + ..\Elliott + ..\Sas + ..\Volkswagen y
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 7 830
Read events: 7 830
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 21
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Oxford | binary
  MD5: 59BE39C1AE910E0778C1BC40523E08AE
  SHA256: 2012EC70F0430818BC9BC18EFB5B1B87F3496374514676EF4447B971CAA4D531
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Passed | abr
  MD5: B000FC5FF715128DBE7E99E1165990DE
  SHA256: BDC99B9AA5CA405460ADC1C83028A4D8548DFA4082B4B41C86D8BEFEA534E43B
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Syntax | binary
  MD5: B0D56EC11C9F5E2BE5EC10EE9EC29438
  SHA256: C090ED1C6E9A558FE54FFFA401AAD2198FDEF68A420D2F5CE8DE74D087ECCE2B
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Ana | binary
  MD5: F31A519A17BBC09DDA41E3289B768D5B
  SHA256: 083358135BC7D5A8D20EC35DF7F0B27FFD6D07865BA5A4C45C66E9AB6A8F3D00
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Hydrogen | binary
  MD5: E5B0A8C0C7CB981D89D5E353BC2C1B71
  SHA256: 9A74177AD280AC50C3D80F42B34E489B5B3B2D9D5196BCF8067C386775D3C442
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Relate | binary
  MD5: 1472CAC52594968BFBC79744363AED17
  SHA256: 687F45170A0ED1E626779655A4C8341686830717D96304AAFFEC378CDBE69115
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Drunk | binary
  MD5: 78A5B9553A44DB4CBC6E3B50EA2189C4
  SHA256: 4CADED864C93B40ABED4CE13D658CD216E4AB039DD56E46306662B1DABB81663
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Make | binary
  MD5: C1C51D418E57E3890204B317BAE54934
  SHA256: 44C6DC68351661EA6DFA9974CCC6B6CCE8E852A5A7AF8D81E95514E01D5FCB72
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Gossip | binary
  MD5: 1121D1D42436ACAED44DEFE5A4494885
  SHA256: A08FCA449617D6033C99E87A40D8055D4FEE08DC67DA44A2B14BB10940DF5200
6280 | Setup.exe | C:\Users\admin\AppData\Local\Temp\Multi | text
  MD5: 67DBBD22C9D32A125526D8CBF2040E5F
  SHA256: 638EAC213F42AD11EFB026FAF14FDF3AB9E149820623AE00F5410518680A1395
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 10
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 104.26.2.16:443 | https://rentry.co/feouewe5/raw | unknown | html | 5.53 Kb | unknown
| | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 18.2 Kb | unknown
| | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown
| | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown
| | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown
| | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown
| | POST | 200 | 188.114.97.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown
| | POST | 200 | 188.114.96.3:443 | https://formydamagero.click/api | unknown | text | 16 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1380 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 2.23.209.130:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.17:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1380 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
www.bing.com | 2.23.209.130, 2.23.209.177, 2.23.209.148, 2.23.209.185, 2.23.209.176, 2.23.209.187, 2.23.209.140, 2.23.209.189, 2.23.209.179 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 2.16.164.17, 2.16.164.49 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
XCOTYjutjvYWaIGlF.XCOTYjutjvYWaIGlF | | unknown
formydamagero.click | 188.114.97.3, 188.114.96.3 | unknown
rentry.co | 104.26.3.16, 172.67.75.40, 104.26.2.16 | unknown
self.events.data.microsoft.com | 20.50.201.205 | whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6828 | Jose.com | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
No debug info