File name:	Wave-Executor-master.zip
Full analysis:	https://app.any.run/tasks/58999663-7dc2-4b3f-b808-ca452eba5dad
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 16:07:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec lumma stealer loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	19AE9F95C107D9A1D9E8DF04708B5B9A
SHA1:	BC7408E2A870600384C017C708285D9F3DC2AFAB
SHA256:	3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301
SSDEEP:	98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:01:04 08:07:52
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Wave-Executor-master/


(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Wave-Executor-master.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\README.md		text
		MD5:99AF5D699061B9561CF090C309AF1E98	SHA256:1948607A5EB75655814910082BB903EE043B530136606DEF309F3228B5AE1F99
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\ic_launcher-web.png		image
		MD5:F07EE94DC2F7595CA62603A972A9042B	SHA256:31BC5961E0C856101D6F02DF9A4322081F599D552A588BE29BABA96942431EC2
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\misc.xml		xml
		MD5:45DB03D9E4AB5B65FD3A22407B791860	SHA256:9FC294279C6DB10BEDD87B2109C008CD60EAB9862EB7A35431932A0DD595F224
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\gradle.xml		xml
		MD5:630BDAAADA40B14E4C5A3899762EC2F0	SHA256:9744F825593089C7CC7A25E725E2CADDD512CA1EEAB08E69DEE08CD3DA97795C
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\java\com\ari\bokingguide\AddGuideActivity.java		text
		MD5:F7E0640D2B4D45781AA3A9B44D0C7D4D	SHA256:A57FDA5C223044D5D80FF2AF19C9FFD4DB961BCAC867709061A25D21DEBC0909
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\build.gradle		text
		MD5:000D3F35359D8203593C95226AEC3C99	SHA256:1096A8FCDE1FB061595DCC535D88A611B5A25EB1EDE70C21F7B6EB1647DE356C
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\runConfigurations.xml		xml
		MD5:E9E1B64A01DAA4C987B8FB1E927D8273	SHA256:42D6B42D21F506765A2C77D216C7747B3BD8B9FAFB050EC2B3719A457C6343EC
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\AndroidManifest.xml		xml
		MD5:EE26779B96C389A5969219191FF291A9	SHA256:17804933CE0E06E03013DD3675F25AE770179B93EA6F49562F7129A8A9B58F37
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\.gitignore		text
		MD5:48961F264CD3FBEEB72A6691FC80D102	SHA256:5B46EB48D96E8571E8C93E4EF4F6FFBE6807B6D7350664A36A064E1167A32718
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\androidTest\java\com\ari\bokingguide\ExampleInstrumentedTest.java		html
		MD5:89F2A1686C249BE9E8EB2224F2B66C82	SHA256:FE41E892159381E04E8B9FA3526B94F62388A5D856A4436AD54596B62D719F47

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6076	svchost.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6076	svchost.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7132	aspnet_regiis.exe	GET	—	147.45.47.81:80	http://147.45.47.81/conhost.exe	unknown	—	—	unknown
—	—	POST	200	104.21.32.1:443	https://fancywaxxers.shop/api	unknown	text	18.3 Kb	malicious
—	—	POST	200	104.21.48.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.96.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.112.1:443	https://fancywaxxers.shop/api	unknown	text	2 b	malicious
—	—	POST	200	104.21.16.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6076	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.205:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6076	svchost.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6076	svchost.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.227.205 2.23.227.202 2.23.227.198 2.23.227.208	unknown
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.16.164.24 2.16.164.10 2.16.164.129 2.16.164.17 2.16.164.107 2.16.164.58 2.16.164.49 2.16.164.9 2.16.164.122	whitelisted
www.microsoft.com	184.30.230.103	whitelisted
fancywaxxers.shop	104.21.32.1 104.21.16.1 104.21.96.1 104.21.64.1 104.21.48.1 104.21.80.1 104.21.112.1	malicious
self.events.data.microsoft.com	20.42.65.90	unknown

PID	Process	Class	Message
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
7132	aspnet_regiis.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23

General Info

Wave-Executor-master.zip

19AE9F95C107D9A1D9E8DF04708B5B9A

BC7408E2A870600384C017C708285D9F3DC2AFAB

3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301

98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

LUMMA has been detected (YARA)

Connects to the CnC server

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Process requests binary or script from the Internet

INFO

Reads the computer name

The sample compiled with english language support

Create files in a temporary directory

Checks supported languages

Manual execution by a user

The process uses the downloaded file

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings