Analysis Overview
SHA256
eae4aa0f083a86a6b40dd4d5451129411f549fd9f736737b9364450ad4fb3690
Threat Level: Known bad
The file random.exe was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-30 18:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-30 18:07
Reported
2025-06-30 18:09
Platform
win10v2004-20250619-en
Max time kernel
105s
Max time network
145s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\random.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rbmlh.xyz | udp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/60-0-0x0000000000C80000-0x000000000111A000-memory.dmp
memory/60-1-0x00000000055F0000-0x00000000055F1000-memory.dmp
memory/60-4-0x0000000000C80000-0x000000000111A000-memory.dmp
memory/60-6-0x0000000005600000-0x0000000005601000-memory.dmp
memory/60-5-0x0000000005610000-0x0000000005611000-memory.dmp
memory/60-7-0x0000000000C80000-0x000000000111A000-memory.dmp
memory/60-9-0x0000000000C80000-0x000000000111A000-memory.dmp