Field | Value
---|---
File name | regex-extractor.exe
Full analysis | https://app.any.run/tasks/fa425d50-2602-4e87-9d98-d1c4f3050180
Verdict | Malicious activity
Threats | Lumma is an information stealer written in C. It is sold as malware-as-a-service with several subscription plans. It typically targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malware is updated regularly, which keeps expanding its functionality and makes it a serious stealer threat.
Analysis date | June 17, 2024, 18:20:07
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | 
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 56938B9C811ED1AA3EAF390C00570CCB
SHA1 | 5B159882C4D0FF29337352FA3D5D6462DB8E31B1
SHA256 | F46E01801A3EEF706518F826FEA8C0F3A6FEDE929E2C9654E541B17B9BCBE230
SSDEEP | 98304:u+cX4dnZyqMtjF+B6TPbxKMbctRqXqPXK4laJTixD7+BVzliBZId6fx+A3DdpZKl:g5Ude+Ude4
Extension | File type | Confidence (%)
---|---|---
.exe | Inno Setup installer | 62.7
.exe | Win32 EXE PECompact compressed (generic) | 23.7
.scr | Windows screen saver | 7.4
.exe | Win32 Executable (generic) | 2.5
.exe | Win16/32 Executable Delphi generic | 1.1
Field | Value
---|---
ProductVersion | 2.5.0.0
ProductName | RegEx Extractor
OriginalFileName | 
LegalCopyright | © vovsoft.com
FileVersion | 2.5.0.0
FileDescription | RegEx Extractor Setup
CompanyName | VOVSOFT
Comments | This installation was built with Inno Setup.
CharacterSet | Unicode
LanguageCode | Neutral
FileSubtype | -
ObjectFileType | Executable application
FileOS | Win32
FileFlags | (none)
FileFlagsMask | 0x003f
ProductVersionNumber | 2.5.0.0
FileVersionNumber | 2.5.0.0
Subsystem | Windows GUI
SubsystemVersion | 6
ImageVersion | 6
OSVersion | 6
EntryPoint | 0xb5eec
UninitializedDataSize | -
InitializedDataSize | 120832
CodeSize | 741888
LinkerVersion | 2.25
PEType | PE32
ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp | 2023:02:15 14:54:16+00:00
MachineType | Intel 386 or later, and compatibles
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
800 | "C:\Users\admin\AppData\Local\Temp\regex-extractor.exe" | C:\Users\admin\AppData\Local\Temp\regex-extractor.exe | | explorer.exe

Process details (PID 800): User: admin; Company: VOVSOFT; Integrity Level: MEDIUM; Description: RegEx Extractor Setup; Exit code: 0; Version: 2.5.0.0
Lumma configuration extracted from PID 800 (regex-extractor.exe): 9 C2 domains

# | C2 domain
---|---
1 | justifycanddidatewd.shop
2 | raiseboltskdlwpow.shop
3 | discoverymaidykew.shop
4 | pleasurenarrowsdla.shop
5 | strwawrunnygjwu.shop
6 | marathonbeedksow.shop
7 | feighminoritsjda.shop
8 | richardflorespoew.shop
9 | falseaudiencekd.shop
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | POST | — | null:443 | https://discoverymaidykew.shop/api | unknown | — | — | — |
— | — | POST | 200 | null:443 | https://discoverymaidykew.shop/api | unknown | — | 18 b | — |
— | — | POST | 200 | null:443 | https://discoverymaidykew.shop/api | unknown | — | 18 b | — |
— | — | POST | — | null:443 | https://discoverymaidykew.shop/api | unknown | — | — | — |
— | — | POST | — | null:443 | https://discoverymaidykew.shop/api | unknown | — | — | — |
— | — | POST | 200 | null:443 | https://discoverymaidykew.shop/api | unknown | — | 18 b | — |
— | — | POST | 200 | null:443 | https://discoverymaidykew.shop/api | unknown | text | 18 b | — |
— | — | POST | 200 | 20.189.173.28:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
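The report gives two things a defender can act on directly: the nine C2 domains recovered from the sample's Lumma configuration, and the shape of the check-in traffic, repeated HTTPS POSTs to /api on one of those domains answered with an 18-byte body, issued by a process whose version information claims to be a VOVSOFT RegEx Extractor setup. The script below is an added example, not part of the ANY.RUN report or of any ANY.RUN tooling: it turns those two observations into a matcher for proxy-style log lines. The domain list and the POST /api pattern are taken from the report; the log format, the sample log lines and the 64-byte "tiny response" ceiling are constructed assumptions for illustration.

```python
"""Match proxy-style log lines against the Lumma C2 list and check-in shape.

Added example, not part of the ANY.RUN report. Domains and the POST /api
pattern come from the report; log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# C2 domains from the sample's extracted Lumma configuration (PID 800).
LUMMA_C2_DOMAINS = frozenset({
    "justifycanddidatewd.shop", "raiseboltskdlwpow.shop",
    "discoverymaidykew.shop", "pleasurenarrowsdla.shop",
    "strwawrunnygjwu.shop", "marathonbeedksow.shop",
    "feighminoritsjda.shop", "richardflorespoew.shop",
    "falseaudiencekd.shop",
})

# Observed check-in: HTTPS POST to /api answered with an 18-byte body.
# The 64-byte ceiling is an assumption chosen to catch such tiny replies.
CHECKIN_PATH = "/api"
CHECKIN_MAX_BODY = 64

# Constructed format: "<ts> <client_ip> <method> <url-or-host:port> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+"
    r"(?P<status>\d{3}|-)\s+(?P<bytes>\d+|-)$"
)

@dataclass(frozen=True)
class Record:
    client: str
    method: str
    host: str
    path: str
    resp_bytes: Optional[int]   # None when the log has no response size ("-")

@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    host: str
    reasons: Tuple[str, ...]

def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (no IPv6 literals here)."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host

def parse_line(line: str) -> Optional[Record]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None                         # not in the constructed format
    target = m["target"]
    if "://" in target:                     # full URL
        parts = urlsplit(target)
        host, path = normalize_host(parts.hostname or ""), parts.path or "/"
    else:                                   # CONNECT host:port
        host, path = normalize_host(target), ""
    resp = None if m["bytes"] == "-" else int(m["bytes"])
    return Record(m["client"], m["method"], host, path, resp)

def matched_c2(host: str) -> Optional[str]:
    """C2 domain that `host` equals or is a subdomain of; the leading dot
    keeps lookalikes such as notfalseaudiencekd.shop from matching."""
    for dom in LUMMA_C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def classify(rec: Record) -> Tuple[str, ...]:
    reasons = []
    dom = matched_c2(rec.host)
    if dom:
        reasons.append(f"Lumma C2 domain {dom}")
        if (rec.method == "POST" and rec.path == CHECKIN_PATH
                and rec.resp_bytes is not None and rec.resp_bytes <= CHECKIN_MAX_BODY):
            reasons.append("Lumma check-in shape: POST /api with tiny response")
    return tuple(reasons)

def scan(lines: Iterable[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is not None and (reasons := classify(rec)):
            hits.append(Hit(n, rec.client, rec.host, reasons))
    return hits

# Constructed sample log (not captured traffic). Lines 1, 4 and 6 should fire.
SAMPLE_LOG = [
    "2024-06-17T18:20:31Z 192.168.100.21 POST https://discoverymaidykew.shop/api 200 18",
    "2024-06-17T18:20:33Z 192.168.100.21 POST https://self.events.data.microsoft.com/OneCollector/1.0/ 200 9",
    "2024-06-17T18:20:40Z 192.168.100.22 GET https://www.example.com/ 200 5120",
    "2024-06-17T18:21:02Z 192.168.100.21 CONNECT RAISEBOLTSKDLWPOW.shop:443 200 0",
    "2024-06-17T18:21:05Z 192.168.100.23 GET https://discoverymaidykew.shop.example.net/x 200 300",
    "2024-06-17T18:21:09Z 192.168.100.21 POST https://discoverymaidykew.shop/api - -",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host}: {'; '.join(h.reasons)}")
```

Two design points matter in practice. Matching is on the exact domain or a subdomain of it (the dot-prefixed suffix test), so a host such as discoverymaidykew.shop.example.net does not fire; a bare substring match would. The check-in heuristic is only added on top of a domain hit, because a small POST response by itself is normal (the Microsoft telemetry row above returned 9 bytes), so the domain match carries the verdict and the POST /api shape just raises confidence.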
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2392 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4380 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
800 | regex-extractor.exe | 104.21.18.240:443 | discoverymaidykew.shop | CLOUDFLARENET | — | unknown |
5456 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2908 | OfficeClickToRun.exe | 20.52.64.201:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | unknown |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
discoverymaidykew.shop | | unknown
self.events.data.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
800 | regex-extractor.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity M2 |
— | — | Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration |