Analysis Overview
SHA256
22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248
Threat Level: Known bad
The file rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248 was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Reads user/profile data of local email clients
Identifies Wine through registry keys
Reads user/profile data of web browsers
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:23
Reported
2025-07-01 07:25
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
139s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe
"C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rbmlh.xyz | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/4024-0-0x0000000000DA0000-0x0000000001255000-memory.dmp
memory/4024-1-0x0000000004E50000-0x0000000004E51000-memory.dmp
memory/4024-4-0x0000000004E70000-0x0000000004E71000-memory.dmp
memory/4024-6-0x0000000004E60000-0x0000000004E61000-memory.dmp
memory/4024-5-0x0000000000DA0000-0x0000000001255000-memory.dmp
memory/4024-7-0x0000000000DA0000-0x0000000001255000-memory.dmp
memory/4024-9-0x0000000000DA0000-0x0000000001255000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-01 07:23
Reported
2025-07-01 07:25
Platform
win11-20250610-en
Max time kernel
38s
Max time network
149s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe
"C:\Users\Admin\AppData\Local\Temp\rl_22ee4beeaace3960a33f67bc9579959cbfd96e14c686e65b5699eab9bbf0e248.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rbmlh.xyz | udp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
| US | 144.172.115.212:443 | rbmlh.xyz | tcp |
Files
memory/3592-0-0x0000000000270000-0x0000000000725000-memory.dmp
memory/3592-1-0x0000000004C10000-0x0000000004C11000-memory.dmp
memory/3592-4-0x0000000004C60000-0x0000000004C61000-memory.dmp
memory/3592-5-0x0000000004C30000-0x0000000004C31000-memory.dmp
memory/3592-6-0x0000000004C20000-0x0000000004C21000-memory.dmp
memory/3592-7-0x0000000000270000-0x0000000000725000-memory.dmp