File name:	1riageFiddlershit.zip
Full analysis:	https://app.any.run/tasks/ed646016-3e24-4b0a-a53c-3a8a323cdcb7
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 12:15:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec lumma stealer arch-doc netreactor github loader telegram evasion ims-api generic stealerium
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	7DEC47DD246B6A81C9F0992091EF2D03
SHA1:	C46E9ADDF83D24ADEB036B8ED33A6DD13C024EDE
SHA256:	28327D9E90781C714D6951C767B3FA88396048B81178E9B691AB8EDEF0E59CF7
SSDEEP:	393216:m5sVPBesf7zE08aO7zE0moC06CN2LabyJ:m5srNnETnEroCuNSabyJ

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:01:05 06:34:24
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	scriptzip/


(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\1riageFiddlershit.zip
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4308) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(5548) SolaraV3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Update
Value: "C:\Users\admin\AppData\Roaming\SubDir\SolaraV3.exe"

PID	Process	Filename		Type
5256	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_c61d39ef61d6ecce6d62d7e8c29f64e77e9e7ef_6f1b0a17_7a1dca79-716b-4e9d-a7bd-a7181b883bc2\Report.wer		—
		MD5:—	SHA256:—
5256	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Script.exe.3436.dmp		—
		MD5:—	SHA256:—
2496	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_26dacd3f4f67e47739badf514e5a52ba36391642_7a76fa63_381c8fc5-bd26-42f8-a67e-54bb6cfb5fb2\Report.wer		—
		MD5:—	SHA256:—
2496	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\svchost.exe.5528.dmp		—
		MD5:—	SHA256:—
5536	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_26dacd3f4f67e47739badf514e5a52ba36391642_7a76fa63_91bded63-bdfb-4fcb-a861-484619d41ee5\Report.wer		—
		MD5:—	SHA256:—
5548	SolaraV3.exe	C:\Users\admin\AppData\Roaming\SubDir\SolaraV3.exe		executable
		MD5:3DB0C6FB25D98EDE3749C5C296227708	SHA256:604E26E36C395712913A141EF96BC461385EEA54D2182D170196DFEE458EA82F
3816	update.exe	C:\Users\admin\AppData\Local\7363a32209c4413867f264e7dcee772e\admin@DESKTOP-JGLLJLD_en-US\Messenger\Skype\Local Storage\leveldb\000003.log		binary
		MD5:D5ED573943BC049C36F07D1C7256835A	SHA256:251289CE147173263C5FB4529DD91AC4D78139046493F825B11CB02CC6CCC94A
3640	SolaraV3.exe	C:\Users\admin\AppData\Local\Temp\BvUtOjM2kZ7X.bat		text
		MD5:E091176F24CBAD652A21AC0A0FE1815A	SHA256:5D15FB7AF14F3A7B86559B09346993A6D0849EEA11F3CB144F574642D9610F4C
5536	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER11B3.tmp.WERInternalMetadata.xml		xml
		MD5:0AE02F682F800B51D92B73AF1FCF5A1B	SHA256:D3EAA40871D3DAE1282BA271CBC9C585ADFF2ADCDF985764A31DF5DA9E83CD75
3816	update.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:67CA41C73D556CC4CFC67FC5B425BBBD	SHA256:23D2E491A8C7F2F7F344764E6879D9566C9A3E55A3788038E48B346C068DDE5B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	—	142.250.74.195:443	https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=122	unknown	—	—	—
3816	update.exe	GET	200	104.16.185.241:80	http://icanhazip.com/	unknown	—	—	shared
—	—	GET	—	142.250.185.132:443	https://www.google.com/async/ddljson?async=ntp:2	unknown	—	—	—
—	—	GET	—	142.250.185.132:443	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5604	WmiPrvSE.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5604	WmiPrvSE.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
—	—	GET	—	142.250.185.132:443	https://www.google.com/async/newtab_promos	unknown	—	—	—
—	—	GET	—	142.250.185.132:443	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.114:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4320	Script.exe	104.21.112.1:443	fancywaxxers.shop	CLOUDFLARENET	—	malicious
3884	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
google.com	142.250.186.46	whitelisted
crl.microsoft.com	2.16.164.114 2.16.164.72 23.48.23.156 23.48.23.143 23.48.23.166	whitelisted
www.microsoft.com	184.30.230.103 23.35.229.160	whitelisted
fancywaxxers.shop	104.21.112.1 104.21.16.1 104.21.48.1 104.21.96.1 104.21.80.1 104.21.64.1 104.21.32.1	malicious
watson.events.data.microsoft.com	20.189.173.22 52.168.117.173 104.208.16.94 52.182.143.212	whitelisted
raw.githubusercontent.com	185.199.110.133 185.199.111.133 185.199.109.133 185.199.108.133	shared
api.telegram.org	149.154.167.220	shared
icanhazip.com	104.16.185.241 104.16.184.241	shared

PID	Process	Class	Message
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320	Script.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
2192	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Process	Message
svchost.exe	CLR: Managed code called FailFast without specifying a reason.
svchost.exe	CLR: Managed code called FailFast without specifying a reason.
chrome.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data directory exists )
svchost.exe	CLR: Managed code called FailFast without specifying a reason.
msedge.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
msedge.exe	RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
svchost.exe	CLR: Managed code called FailFast without specifying a reason.
svchost.exe	CLR: Managed code called FailFast without specifying a reason.

General Info

1riageFiddlershit.zip

7DEC47DD246B6A81C9F0992091EF2D03

C46E9ADDF83D24ADEB036B8ED33A6DD13C024EDE

28327D9E90781C714D6951C767B3FA88396048B81178E9B691AB8EDEF0E59CF7

393216:m5sVPBesf7zE08aO7zE0moC06CN2LabyJ:m5srNnETnEroCuNSabyJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Stealers network behavior

Connects to the CnC server

LUMMA has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (YARA)

LUMMA mutex has been found

Changes the autorun value in the registry

STEALERIUM has been detected (YARA)

SUSPICIOUS

Application launched itself

Executes application which crashes

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

Starts itself from another location

Reads security settings of Internet Explorer

Runs PING.EXE to delay simulation

Starts CMD.EXE for commands execution

Reads the date of Windows installation

Executing commands from a ".bat" file

Starts application with an unusual extension

The process creates files with name similar to system file names

Process drops legitimate windows executable

The executable file from the user directory is run by the CMD process

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Possible usage of Discord/Telegram API has been detected (YARA)

Using 'findstr.exe' to search for text patterns in files and output

Uses NETSH.EXE to obtain data on the network

Checks for external IP

MS Edge headless start

Loads DLL from Mozilla Firefox

Uses TASKKILL.EXE to kill process

Uses TIMEOUT.EXE to delay execution

INFO

The sample compiled with english language support

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads Microsoft Office registry keys

Manual execution by a user

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

.NET Reactor protector has been detected

Create files in a temporary directory

Reads Environment values

The process uses the downloaded file

Reads security settings of Internet Explorer

Process checks computer location settings

Changes the display of characters in the console

Disables trace logs

Sends debugging messages

Attempting to use instant messaging service

Drops encrypted VBS script (Microsoft Script Encoder)

Reads CPU info

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information