analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

regex-extractor.exe

Full analysis: https://app.any.run/tasks/fa425d50-2602-4e87-9d98-d1c4f3050180
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: June 17, 2024, 18:20:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

56938B9C811ED1AA3EAF390C00570CCB

SHA1:

5B159882C4D0FF29337352FA3D5D6462DB8E31B1

SHA256:

F46E01801A3EEF706518F826FEA8C0F3A6FEDE929E2C9654E541B17B9BCBE230

SSDEEP:

98304:u+cX4dnZyqMtjF+B6TPbxKMbctRqXqPXK4laJTixD7+BVzliBZId6fx+A3DdpZKl:g5Ude+Ude4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • regex-extractor.exe (PID: 800)

    • LUMMA has been detected (SURICATA)

      • regex-extractor.exe (PID: 800)

    • LUMMA has been detected (YARA)

      • regex-extractor.exe (PID: 800)

    • Actions looks like stealing of personal data

      • regex-extractor.exe (PID: 800)

  • SUSPICIOUS

    • Searches for installed software

      • regex-extractor.exe (PID: 800)

  • INFO

    • Checks supported languages

      • regex-extractor.exe (PID: 800)

    • Reads the software policy settings

      • regex-extractor.exe (PID: 800)

    • Reads the computer name

      • regex-extractor.exe (PID: 800)

    • Reads the machine GUID from the registry

      • regex-extractor.exe (PID: 800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(800) regex-extractor.exe
C2 (9)justifycanddidatewd.shop
raiseboltskdlwpow.shop
discoverymaidykew.shop
pleasurenarrowsdla.shop
strwawrunnygjwu.shop
marathonbeedksow.shop
feighminoritsjda.shop
richardflorespoew.shop
falseaudiencekd.shop
No Malware configuration.

TRiD

.exe | Inno Setup installer (62.7)
.exe | Win32 EXE PECompact compressed (generic) (23.7)
.scr | Windows screen saver (7.4)
.exe | Win32 Executable (generic) (2.5)
.exe | Win16/32 Executable Delphi generic (1.1)

EXIF

EXE

ProductVersion: 2.5.0.0
ProductName: RegEx Extractor
OriginalFileName:
LegalCopyright: © vovsoft.com
FileVersion: 2.5.0.0
FileDescription: RegEx Extractor Setup
CompanyName: VOVSOFT
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.5.0.0
FileVersionNumber: 2.5.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: 6
OSVersion: 6
EntryPoint: 0xb5eec
UninitializedDataSize: -
InitializedDataSize: 120832
CodeSize: 741888
LinkerVersion: 2.25
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp: 2023:02:15 14:54:16+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA regex-extractor.exe

Process information

PID
CMD
Path
Indicators
Parent process
800"C:\Users\admin\AppData\Local\Temp\regex-extractor.exe" C:\Users\admin\AppData\Local\Temp\regex-extractor.exe
explorer.exe
User:
admin
Company:
VOVSOFT
Integrity Level:
MEDIUM
Description:
RegEx Extractor Setup
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\users\admin\appdata\local\temp\regex-extractor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Lumma
(PID) Process(800) regex-extractor.exe
C2 (9)justifycanddidatewd.shop
raiseboltskdlwpow.shop
discoverymaidykew.shop
pleasurenarrowsdla.shop
strwawrunnygjwu.shop
marathonbeedksow.shop
feighminoritsjda.shop
richardflorespoew.shop
falseaudiencekd.shop
Total events
3 564
Read events
3 564
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
null:443
https://discoverymaidykew.shop/api
unknown
POST
200
null:443
https://discoverymaidykew.shop/api
unknown
18 b
POST
200
null:443
https://discoverymaidykew.shop/api
unknown
18 b
POST
null:443
https://discoverymaidykew.shop/api
unknown
POST
null:443
https://discoverymaidykew.shop/api
unknown
POST
200
null:443
https://discoverymaidykew.shop/api
unknown
18 b
POST
200
null:443
https://discoverymaidykew.shop/api
unknown
text
18 b
POST
200
20.189.173.28:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4364
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
whitelisted
5140
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2392
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4380
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
800
regex-extractor.exe
104.21.18.240:443
discoverymaidykew.shop
CLOUDFLARENET
unknown
5456
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2908
OfficeClickToRun.exe
20.52.64.201:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
discoverymaidykew.shop
  • 104.21.18.240
  • 172.67.183.233
unknown
self.events.data.microsoft.com
  • 20.52.64.201
whitelisted

Threats

PID
Process
Class
Message
800
regex-extractor.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected
ET MALWARE Lumma Stealer Related Activity M2
Malware Command and Control Activity Detected
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
regex-extractor.exe