File name:	SynapseX-main.zip
Full analysis:	https://app.any.run/tasks/6390f219-ec16-45f2-8ba6-b3e6075f4372
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 09, 2025, 16:30:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc pastebin susp-powershell github telegram lumma stealer loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	B63740B78249D314210C88CD9221D240
SHA1:	5FE2B04212B83EA95BC1FF00056939EECBE98AB6
SHA256:	247861BBF29F9D124D5C87550E9A69FE649145160DFC31EBDB88669EA0BF2775
SSDEEP:	12288:tWaaTGNnt5TkCMykHoVO7U/u1x0In3dSaytKS:tWamGNnt5TkQaql/u1x1NSaytKS

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:04:06 07:11:52
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	SynapseX-main/


(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SynapseX-main.zip
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(7532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
7656	SynapseX.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0nyxcszf.ony.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7532.14611\SynapseX-main.zip\SynapseX-main\LICENSE		text
		MD5:8E3494BF8CF1967AFD3B1016FBBE5BB0	SHA256:319917F5CCD09878DB6F67C9A77DEE846055644CA49EB535628B9E020A87261E
7972	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:B6FA7FE21E2A80AAD6FF966103ACB283	SHA256:9B4C2CFB3B40D2F25487275A1043D90641865986C0662C58193CD516F8C062E3
7972	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_umk0k0rd.w1i.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7532.14611\SynapseX-main.zip\SynapseX-main\requirements.txt		text
		MD5:84E1021A2F9073DBACAD1349B6C9E4D3	SHA256:1EAE2E450EEAC1C395F714F2639F09AE83CB959AC09A596151E4CABB9225939E
7972	powershell.exe	C:\Users\admin\AppData\Roaming\m2h5o05t.3k50.exe		executable
		MD5:0A519E6ABB78AE0C4DB60EB42E1D1AEB	SHA256:C91D47F794B05024B5D3C8C1DA31DBF43232D3A268AD0283B45B9A64ECF90D45
7020	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t2lotfwc.ps0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7532.14611\SynapseX-main.zip\SynapseX-main\SynapseX.exe		executable
		MD5:65D53D68126B91CDCABBFFB58ED3C66C	SHA256:479B3C923BE6125530E99F24E611547AA5D8861D1E88B75A03CE5527A2052213
7532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7532.14611\Rar$Scan117409.bat		text
		MD5:6074DE35C593934013B9011961059C29	SHA256:6C151D79BF1C3E71AB840142893830BC1187385E4DC6370684ED4AC0DE22841F
7656	SynapseX.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ndpeourr.tk0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.4:443	https://github.com/lendsh1/c0de02/raw/refs/heads/main/LIB.exe	unknown	—	—	—
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	40.126.32.72:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.31.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	GET	200	104.22.68.199:443	https://pastebin.com/raw/RhwXFFwF	unknown	text	61 b	whitelisted
—	—	POST	400	40.126.31.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4892	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7972	powershell.exe	172.67.25.94:443	pastebin.com	CLOUDFLARENET	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120 23.216.77.39 23.216.77.10 23.216.77.11 23.216.77.36 23.216.77.21 23.216.77.17 23.216.77.38 23.216.77.19 23.216.77.18	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.3 40.126.32.138 20.190.160.132 20.190.160.128 20.190.160.131 20.190.160.2 40.126.32.140 40.126.32.76	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 40.127.240.158	whitelisted
pastebin.com	172.67.25.94 104.22.68.199 104.22.69.199	whitelisted
github.com	140.82.121.4	whitelisted
raw.githubusercontent.com	185.199.110.133 185.199.109.133 185.199.111.133 185.199.108.133	whitelisted
t.me	149.154.167.99	whitelisted
zealjkh.digital	104.21.16.1 104.21.64.1 104.21.32.1 104.21.96.1 104.21.48.1 104.21.112.1 104.21.80.1	unknown

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
2692	MSBuild.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zealjkh .digital)
2692	MSBuild.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (zealjkh .digital) in TLS SNI
2692	MSBuild.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (zealjkh .digital) in TLS SNI
2692	MSBuild.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (zealjkh .digital) in TLS SNI

General Info

SynapseX-main.zip

B63740B78249D314210C88CD9221D240

5FE2B04212B83EA95BC1FF00056939EECBE98AB6

247861BBF29F9D124D5C87550E9A69FE649145160DFC31EBDB88669EA0BF2775

12288:tWaaTGNnt5TkCMykHoVO7U/u1x0In3dSaytKS:tWamGNnt5TkQaql/u1x1NSaytKS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Script downloads file (POWERSHELL)

Downloads the requested resource (POWERSHELL)

Steals credentials from Web Browsers

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Connects to the CnC server

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Application launched itself

BASE64 encoded PowerShell command has been detected

Executable content was dropped or overwritten

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

Searches for installed software

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Manual execution by a user

Create files in a temporary directory

Reads Microsoft Office registry keys

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads the computer name

Reads Environment values

Reads the software policy settings

Found Base64 encoded file access via PowerShell (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Checks proxy server information

Disables trace logs

Gets data length (POWERSHELL)

Found Base64 encoded reflection usage via PowerShell (YARA)

The executable file from the user directory is run by the Powershell process

Executable content was dropped or overwritten

The sample compiled with english language support

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information