File name:	Open・s͜͡etUp✅.zip
Full analysis:	https://app.any.run/tasks/b4e9f861-af35-44ea-8dd0-1aafafa399b8
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 20, 2024, 11:42:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	11AC625B272C2F8FE82BCAC368CB689B
SHA1:	1B75545F66D1E7B27E8BD2D858D3B8BF8ACE991C
SHA256:	1CD8C4AED45E0AE23F474668D07D8BD3017CAA078A6AC4799314FEBB202C2E6B
SSDEEP:	196608:8FkQotG4U2pbojxMnXIDPlPWWoTjfhZmkzkK7HpEYU:8VoM4v1ojO4DPlOWoHfhZmkzkB

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_0
Value: 4C000000730100000402000000000000F0F0F0000000000000000000000000000000000000000000C403050000000000000000003B000000B402000000000000000000000000000001000000
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_1
Value: 4C000000730100000500000000000000F0F0F0000000000000000000000000000000000000000000C20305000000000000000000180000002A00000000000000000000000000000002000000
(PID) Process:	(2328) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band76_2
Value: 4C000000730100000400000000000000F0F0F0000000000000000000000000000000000000000000AA020B000000000000000000180000006400000000000000000000000000000003000000
(PID) Process:	(6332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 1
(PID) Process:	(6332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6332) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT		text
		MD5:3EA4A9A2765040C721374CCBB8E7BD59	SHA256:AE8FDF0311FE249EE1A3E08FE36C394CA2DA791C622B665DDEBCB623AC248903
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT		text
		MD5:65D7C9205E1A1393B8530670ADD4E596	SHA256:32FA83C6F8AD346E66E544640942906E0A91CC0D2075324B7F244695DE5740A5
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT		text
		MD5:002134C7EA7F619246BBF445CAAD9F08	SHA256:7CB16A0B949F8573B06F22F091C44A1EA251CC9904591FCEB2743475302C4640
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT		text
		MD5:0FBAD8E1C335AC42617936AA6F89EC89	SHA256:83246B8C942CBACF1031445A99E62ACBB4733EF4167BEBFBA2BD852869824EAB
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT		text
		MD5:DB4ED5C205FDDD693DC9CE69CCCAD036	SHA256:10738CD5BBA3B23C02D3655BF2AFDF72DAEAAEF778CDA562C6D10AE8D25CA591
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT		text
		MD5:2926366654DBC6711EE71BA2589161C3	SHA256:F87ED4480CFDDB8F5F6226292338CA407CCC7B1A543F3832F1D20AFF6CB72A58
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT		text
		MD5:93FB108016F8A1E87E4129B21FE9984B	SHA256:FCA3AB5882F0A562794F05D7F15A39157C59D7C07FCBAC79AB7CF3D12C979541
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT		text
		MD5:6B77BAAC03038B028948D2A667EFDAA1	SHA256:2D36BEC3E1ECBF2B6DE8A37C98717AE21CA8C5BC0B487556996B3FFF2B6F6FD9
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT		text
		MD5:88E9B5216B90D0332BD2CD4FCEE88A22	SHA256:F53D0FFB7F3C8182794331CFDD2FBCF77FF6DBDB05B415C98CC8D6FC49DCE2FB
6332	WinRAR.exe	C:\Users\admin\Desktop\Open・s͜͡etUp✅.zip\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT		text
		MD5:5C36E2CBA7FDD612C575D50974EF708A	SHA256:F353D83DEF5C9632FFD1925A0F1480E3DC0E00C096AFF5680E448CBFD97FAD05

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1288	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	—	188.114.96.3:443	https://pang-scrooge-carnage.shop/am.bin	unknown	—	—	—
—	—	GET	200	104.26.2.16:443	https://rentry.co/mb5grod8/raw	unknown	text	2.74 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	13.89.179.10:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1288	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7164	GlimmerEmblaze.a3x	188.114.97.3:443	nationattwllwqm.shop	CLOUDFLARENET	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
google.com	216.58.206.78	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
browser.pipe.aria.microsoft.com	40.79.173.41	whitelisted
nationattwllwqm.shop	188.114.97.3 188.114.96.3	unknown
pang-scrooge-carnage.shop	188.114.97.3 188.114.96.3	unknown
rentry.co	172.67.75.40 104.26.3.16 104.26.2.16	unknown
fileworld.shop	—	unknown

PID	Process	Class	Message
7164	GlimmerEmblaze.a3x	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
2256	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
7164	GlimmerEmblaze.a3x	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)

General Info

Open・s͜͡etUp✅.zip

11AC625B272C2F8FE82BCAC368CB689B

1B75545F66D1E7B27E8BD2D858D3B8BF8ACE991C

1CD8C4AED45E0AE23F474668D07D8BD3017CAA078A6AC4799314FEBB202C2E6B

196608:8FkQotG4U2pbojxMnXIDPlPWWoTjfhZmkzkK7HpEYU:8VoM4v1ojO4DPlOWoHfhZmkzkB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Stealers network behavior

Probably downloads file via BitsAdmin (POWERSHELL)

LUMMA has been detected (SURICATA)

Changes powershell execution policy (Bypass)

Actions looks like stealing of personal data

Bypass execution policy to execute commands

SUSPICIOUS

Process drops legitimate windows executable

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Starts application with an unusual extension

Gets or sets the security protocol (POWERSHELL)

Extracts files to a directory (POWERSHELL)

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

INFO

The process uses the downloaded file

Manual execution by a user

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the software policy settings

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings