File name:	sample.zip
Full analysis:	https://app.any.run/tasks/9690f29f-6b18-4eef-95a9-91c3ff5f98fc
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 24, 2024, 16:09:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python hijackloader loader lumma stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	4501D61ED00C1D8AC0A281D8951A0F31
SHA1:	6CF40207E325E8DFC504F5D2544050AA7581576D
SHA256:	2924BA5DBC28096149D847B2C6843D7978F034D620930D9CD93644F309B52EE2
SSDEEP:	98304:mDfxwDVPJ3nOh7EA068gIRM0cHqsM9rxxpvjoX7j7DVnehTEiX8il7cvKg2Z1Bsb:L2ffBjkerrLLIpVeSCaAVlww+iNJ

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:05:16 03:03:44
ZipCRC:	0x2cac3414
ZipCompressedSize:	47806
ZipUncompressedSize:	97000
ZipFileName:	Setup.exe


(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\sample.zip
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(4340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\python310.dll		executable
		MD5:854459684E529745F811BB42EFBA70C4	SHA256:07A8F318D28220DDA5373075D9A8D9846A0100A2029ADE86240AAD715A710CA9
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\ComExtractor		executable
		MD5:36848DD965FF265D696FFF4F2D51935E	SHA256:D66EE1D1E44FEB03D7821062CE27E92DA0FA78F7E47A451B7B1D4B94860DD309
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\phenothiazine.mp3		binary
		MD5:532547938E453D08E077053E0A4CE91D	SHA256:FE96FEAA19C2115DD64372E6E9B3F68D3B82D90CCCD9997BA48EC5AD2FC189E0
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\vcruntime140.dll		executable
		MD5:49C96CECDA5C6C660A107D378FDFC3D4	SHA256:69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\App.xbf		xbf
		MD5:FC6F983B839F1D0702C0D40F107313FB	SHA256:358B9F84ED4326FC989FB70F5D6D17E8E268EABB476B9E3EF6270872B00189F3
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\AzureKeyVaultDgssLib.dll		executable
		MD5:34AE0787CDFCB920753763251DCF83DE	SHA256:3EEE708FDCC68FE76AC4CC7ADBA90201912C63CD815717F91A5EABBA1170AF0D
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\calfskin.dwg		binary
		MD5:6B89F1FCD2AAEE22AB998A7C2294CC12	SHA256:5C09E3F22F62EAB57C12DEC41E3CA7FCA196052D4DAF2E96CB434C5EF328319C
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\NvStereoUtilityOGL_[1MB]_[1].exe		executable
		MD5:017CD77D01314E72A973FF0C7882453D	SHA256:C2C71318A17F7F767E5D203D22B48F27EECAE46A4F37082D7B413C51DA6183B3
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\WinUiBootstrapper.dll		executable
		MD5:290538FCEAE682F2CFC3580E01FA7D28	SHA256:C0CFD5ECD4FA7C78EEE91C4A2E7963E805513A88AD376772108B9B0C54BB8551
4340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa4340.34558\x64\RepackagerStartPage.xbf		xbf
		MD5:B77B52B21F44A30643F800322C78F9F9	SHA256:19643ABF5047635E3D9A81F94BBF2B7E0EA6D2631D0BEAACE56511692ACF6E14

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	unknown	binary	3.41 Kb	unknown
2908	OfficeClickToRun.exe	POST	—	20.189.173.4:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	unknown
1016	Autha.au3	POST	200	null:443	https://evokeoutlooklits.shop/api	unknown	text	10.5 Kb	unknown
1016	Autha.au3	POST	200	null:443	https://evokeoutlooklits.shop/api	unknown	text	2 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1016	Autha.au3	188.114.96.3:443	evokeoutlooklits.shop	CLOUDFLARENET	NL	unknown
2908	OfficeClickToRun.exe	20.189.173.4:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

Domain	IP	Reputation
evokeoutlooklits.shop	188.114.96.3 188.114.97.3	malicious
self.events.data.microsoft.com	20.189.173.4	whitelisted

PID	Process	Class	Message
2184	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (evokeoutlooklits .shop)
1016	Autha.au3	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain (evokeoutlooklits .shop in TLS SNI)
1016	Autha.au3	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection

General Info

sample.zip

4501D61ED00C1D8AC0A281D8951A0F31

6CF40207E325E8DFC504F5D2544050AA7581576D

2924BA5DBC28096149D847B2C6843D7978F034D620930D9CD93644F309B52EE2

98304:mDfxwDVPJ3nOh7EA068gIRM0cHqsM9rxxpvjoX7j7DVnehTEiX8il7cvKg2Z1Bsb:L2ffBjkerrLLIpVeSCaAVlww+iNJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

HIJACKLOADER has been detected (YARA)

LUMMA has been detected (YARA)

LUMMA has been detected (SURICATA)

SUSPICIOUS

The process creates files with name similar to system file names

Process drops legitimate windows executable

Loads Python modules

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Executable content was dropped or overwritten

Starts application with an unusual extension

Contacting a server suspected of hosting an CnC

Executes application which crashes

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Executable content was dropped or overwritten

Create files in a temporary directory

Drops the executable file immediately after the start

Manual execution by a user

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Lumma

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

Lumma

Information

Modules

Information

Modules

Malware configuration

Lumma

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats