File name:	GqHQWNMv.txt
Full analysis:	https://app.any.run/tasks/d63691b1-079f-4e63-a582-402d727ca11c
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 24, 2024, 11:09:03
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer lumma
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (65265), with CRLF line terminators
MD5:	17917B9AB6492A66D3751C21C4EBB768
SHA1:	CDC619BAC0FD3BEA62FCB5DA052CA6B8380CFA0B
SHA256:	F8278FE32A0916F85BD703AA8975D4E559466EE96A188F68BD2A2816FDBB18A8
SSDEEP:	49152:NuviW4pThmwMmgZGnCFpZXo2p3qjNibnvLXa89D3PQxBPm7aN2rtYYcd0Bke2GfQ:T


(PID) Process:	(4132) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	NetUtilityApp
Value: C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe

PID	Process	Filename		Type
4132	powershell.exe	C:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC-NET.dll		executable
		MD5:F71EAB315B80F78427311034A6BB46E2	SHA256:4F27E6E32F1DFF1BC6B0F4E79B32A07DA5554844CE4820A7920E5107C67F2F40
4132	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kfqnzkj3.35c.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4132	powershell.exe	C:\Users\admin\AppData\Roaming\LuLUoTPN.zip		compressed
		MD5:336AE4F91BDAAB9FD548A0BB96E85BF3	SHA256:B9068030CEDBF08F1149951AD6AFDDE65025383E3D27E2123ECE23F6363DDE51
4132	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:8C080D077E76C8CDC16108EE5704AB72	SHA256:B062653B421044CCC1E30F63F510BD8D1F9E67C7DF9CBCA728025C16528BD6B7
4132	powershell.exe	C:\Users\admin\AppData\Roaming\YrsbtdxL\HEIC_SWIG_DLL_v142.dll		executable
		MD5:0EDD60513A12689189309B50261E8979	SHA256:54F9E01DF5A6061A4D84BDC0FC0D263A70F4FA2BAE307146BAE9D00B90226DAB
4132	powershell.exe	C:\Users\admin\AppData\Roaming\YrsbtdxL\Microsoft.AppCenter.dll		executable
		MD5:DC07B593904DB4B5B6D54DCBBBFA99EF	SHA256:3313F9C5A9788A0C70B7418F81DEC119C7E95D563B316E48B6A1FBA8C94FE7AF
4132	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h5qlz2ii.0ve.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4132	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13c14f.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
4132	powershell.exe	C:\Users\admin\AppData\Roaming\YrsbtdxL\HtmlRenderer.PdfSharp.dll		executable
		MD5:F8730360B74E1FBFD46B6EC8E4209ACC	SHA256:BDDC95E5EED0A68A54FCF2DFA99548642966DFDBF9B91940FF028E1EBF0ACDBD
4132	powershell.exe	C:\Users\admin\AppData\Roaming\YrsbtdxL\mdnsresponder.exe		executable
		MD5:EC539C4A9C60B3690FBD891E19333362	SHA256:1D60149CE640F4E07BCEEB8940950441025277F1EBA4F501F8AFE558030B34FE

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6068	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6068	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	172.67.193.71:443	https://sturdy-operated.cyou/api	unknown	text	2 b	—
—	—	POST	200	104.21.20.178:443	https://sturdy-operated.cyou/api	unknown	text	17.1 Kb	—
—	—	POST	200	172.67.193.71:443	https://sturdy-operated.cyou/api	unknown	text	15 b	—
—	—	POST	200	104.21.20.178:443	https://sturdy-operated.cyou/api	unknown	text	15 b	—
—	—	POST	200	104.21.20.178:443	https://sturdy-operated.cyou/api	unknown	text	15 b	—
—	—	POST	200	172.67.193.71:443	https://sturdy-operated.cyou/api	unknown	text	15 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
6068	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6068	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6068	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.74.206	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
sturdy-operated.cyou	104.21.20.178 172.67.193.71	unknown
self.events.data.microsoft.com	13.69.239.77	whitelisted

General Info

GqHQWNMv.txt

17917B9AB6492A66D3751C21C4EBB768

CDC619BAC0FD3BEA62FCB5DA052CA6B8380CFA0B

F8278FE32A0916F85BD703AA8975D4E559466EE96A188F68BD2A2816FDBB18A8

49152:NuviW4pThmwMmgZGnCFpZXo2p3qjNibnvLXa89D3PQxBPm7aN2rtYYcd0Bke2GfQ:T

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (YARA)

SUSPICIOUS

Gets file extension (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Uses sleep to delay execution (POWERSHELL)

Process drops SQLite DLL files

Writes data into a file (POWERSHELL)

Starts application with an unusual extension

INFO

Manual execution by a user

Reads security settings of Internet Explorer

The process uses the downloaded file

Checks supported languages

Checks whether the specified file exists (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Create files in a temporary directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings