File name:	Wave-Executor-master.zip
Full analysis:	https://app.any.run/tasks/58999663-7dc2-4b3f-b808-ca452eba5dad
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 16:07:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec lumma stealer loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	19AE9F95C107D9A1D9E8DF04708B5B9A
SHA1:	BC7408E2A870600384C017C708285D9F3DC2AFAB
SHA256:	3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301
SSDEEP:	98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:01:04 08:07:52
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Wave-Executor-master/


(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Wave-Executor-master.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\codeStyles\Project.xml		text
		MD5:4F587234B0249796EA2B568A0F074D09	SHA256:3E6E800773B39B852A3CCFAF00CFE423A6FAB2B454110FE0965E65A14D217B51
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\misc.xml		xml
		MD5:45DB03D9E4AB5B65FD3A22407B791860	SHA256:9FC294279C6DB10BEDD87B2109C008CD60EAB9862EB7A35431932A0DD595F224
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.gitignore		text
		MD5:E7E21A651E1F05A6F046F32145ECF35B	SHA256:6D10394BC973B7DE27D9484CC29ECF09C6D743FE2B2A62079165382022CCB205
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\vcs.xml		xml
		MD5:166ACEF3D301BD241D0D6DA15BC5AD3C	SHA256:55768F1F84FB117F1D0FC383E180B5D0AA5E5E6584C8C4A2995C15B4237F0972
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\gradle.xml		xml
		MD5:630BDAAADA40B14E4C5A3899762EC2F0	SHA256:9744F825593089C7CC7A25E725E2CADDD512CA1EEAB08E69DEE08CD3DA97795C
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\proguard-rules.pro		text
		MD5:ADF6F233B18261975991F1825834AFC7	SHA256:1CF8C57E8F79C250B0AF9C1A5A4EDAD71A5C348A79AB70243B6BAE086C150AD2
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\ic_launcher-web.png		image
		MD5:F07EE94DC2F7595CA62603A972A9042B	SHA256:31BC5961E0C856101D6F02DF9A4322081F599D552A588BE29BABA96942431EC2
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\AndroidManifest.xml		xml
		MD5:EE26779B96C389A5969219191FF291A9	SHA256:17804933CE0E06E03013DD3675F25AE770179B93EA6F49562F7129A8A9B58F37
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\java\com\ari\bokingguide\AddGuideActivity.java		text
		MD5:F7E0640D2B4D45781AA3A9B44D0C7D4D	SHA256:A57FDA5C223044D5D80FF2AF19C9FFD4DB961BCAC867709061A25D21DEBC0909
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\java\com\ari\bokingguide\AddDestinasiActivity.java		text
		MD5:8E085681A4544DFF7C1A4DB662DF62D2	SHA256:539CFA9D5A91BECAE37C5E8D67CC1CCC47DB769C8DC80E47A7E14642B300F31F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6076	svchost.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6076	svchost.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	104.21.112.1:443	https://fancywaxxers.shop/api	unknown	text	2 b	malicious
—	—	POST	200	104.21.32.1:443	https://fancywaxxers.shop/api	unknown	text	18.3 Kb	malicious
—	—	POST	200	104.21.48.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.64.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.96.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.16.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6076	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.205:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6076	svchost.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6076	svchost.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.227.205 2.23.227.202 2.23.227.198 2.23.227.208	unknown
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.16.164.24 2.16.164.10 2.16.164.129 2.16.164.17 2.16.164.107 2.16.164.58 2.16.164.49 2.16.164.9 2.16.164.122	whitelisted
www.microsoft.com	184.30.230.103	whitelisted
fancywaxxers.shop	104.21.32.1 104.21.16.1 104.21.96.1 104.21.64.1 104.21.48.1 104.21.80.1 104.21.112.1	malicious
self.events.data.microsoft.com	20.42.65.90	unknown

PID	Process	Class	Message
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
7132	aspnet_regiis.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23

General Info

Wave-Executor-master.zip

19AE9F95C107D9A1D9E8DF04708B5B9A

BC7408E2A870600384C017C708285D9F3DC2AFAB

3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301

98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Connects to the CnC server

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (YARA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Process requests binary or script from the Internet

INFO

Manual execution by a user

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

The process uses the downloaded file

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings