File name:

packetspoof.exe

Full analysis: https://app.any.run/tasks/de42c9be-8a9c-40b3-b8af-21f0019a12e9
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: January 07, 2025, 12:43:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

356BDE316F31CFC2ED244A7CDD359617

SHA1:

8BBF194502F5D3A15EBB6AB28D37EC2FE47F22A4

SHA256:

F37B1604055CFA1D70EA439F2B38CB72A2DA74BF6BBA76B2E080E16146A53A5E

SSDEEP:

98304:J8SbUDNnDlnnOtAkPhModgsbZQ7rdvaMiZFyuvuzp1H+RHK+oX6Eo/yHuc3Mud+L:z1R3Ca7Br

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • packetspoof.exe (PID: 6460)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2192)

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)

  • INFO

    • Checks supported languages

      • packetspoof.exe (PID: 6460)

    • Reads the machine GUID from the registry

      • packetspoof.exe (PID: 6460)

    • Reads the computer name

      • packetspoof.exe (PID: 6460)

    • Reads the software policy settings

      • packetspoof.exe (PID: 6460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:30 15:09:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 1055232
InitializedDataSize: 849408
UninitializedDataSize: -
EntryPoint: 0xb3172
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 8.0.7783.0
ProductVersionNumber: 8.0.7783.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (4090)
CharacterSet: Windows, Latin1
CompanyName: Paramount Software UK Ltd
FileDescription: Macrium Reflect Disk Imaging and Backup
FileVersion: 8, 0, 7783, 0
InternalName: Macrium Reflection
LegalCopyright: (c) Paramount Software. All rights reserved.
OriginalFileName: ReflectLauncher.exe
ProductName: Macrium Reflect
ProductVersion: 8, 0, 7783, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start packetspoof.exe #LUMMA svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6460"C:\Users\admin\Desktop\packetspoof.exe" C:\Users\admin\Desktop\packetspoof.exe
explorer.exe
User:
admin
Company:
Paramount Software UK Ltd
Integrity Level:
MEDIUM
Description:
Macrium Reflect Disk Imaging and Backup
Exit code:
0
Version:
8, 0, 7783, 0
Modules
Images
c:\users\admin\desktop\packetspoof.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
3 234
Read events
3 234
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
24
DNS requests
17
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3508
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3508
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2828
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2828
RUXIMICS.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.214.143.155:443
https://steamcommunity.com/profiles/76561199724331900
unknown
html
25.1 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3508
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2828
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
3508
svchost.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2828
RUXIMICS.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3508
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.205
  • 2.23.227.221
  • 2.23.227.208
  • 2.23.227.198
  • 2.23.227.199
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
spottercurvei.click
unknown
nearycrepso.shop
malicious
abruptyopsn.shop
malicious
wholersorie.shop
malicious
framekgirus.shop
malicious

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop)
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
packetspoof.exe