Analysis Overview
SHA256
f0e261b72e77b25d687144f96606809f6ec6fedad389cc33a3f887aa6326ed41
Threat Level: Known bad
The file random.exe was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-30 18:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-30 18:06
Reported
2025-06-30 18:08
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
141s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3008489981-1977616533-741913813-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rbmlh.xyz | udp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/2320-0-0x00000000002D0000-0x000000000077B000-memory.dmp
memory/2320-1-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
memory/2320-4-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/2320-5-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
memory/2320-6-0x00000000002D0000-0x000000000077B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-06-30 18:06
Reported
2025-06-30 18:08
Platform
win11-20250619-en
Max time kernel
108s
Max time network
109s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rbmlh.xyz | udp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
Files
memory/2432-0-0x0000000000490000-0x000000000093B000-memory.dmp
memory/2432-1-0x0000000005020000-0x0000000005021000-memory.dmp
memory/2432-5-0x0000000005040000-0x0000000005041000-memory.dmp
memory/2432-4-0x0000000005060000-0x0000000005061000-memory.dmp
memory/2432-7-0x0000000005030000-0x0000000005031000-memory.dmp
memory/2432-6-0x0000000005050000-0x0000000005051000-memory.dmp
memory/2432-8-0x0000000000490000-0x000000000093B000-memory.dmp
memory/2432-9-0x0000000005070000-0x0000000005071000-memory.dmp
memory/2432-10-0x0000000000490000-0x000000000093B000-memory.dmp