File name:	Wave-Executor-master.zip
Full analysis:	https://app.any.run/tasks/58999663-7dc2-4b3f-b808-ca452eba5dad
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 05, 2025, 16:07:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec lumma stealer loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	19AE9F95C107D9A1D9E8DF04708B5B9A
SHA1:	BC7408E2A870600384C017C708285D9F3DC2AFAB
SHA256:	3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301
SSDEEP:	98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:01:04 08:07:52
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Wave-Executor-master/


(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Wave-Executor-master.zip
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6484) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\codeStyles\Project.xml		text
		MD5:4F587234B0249796EA2B568A0F074D09	SHA256:3E6E800773B39B852A3CCFAF00CFE423A6FAB2B454110FE0965E65A14D217B51
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\gradle.xml		xml
		MD5:630BDAAADA40B14E4C5A3899762EC2F0	SHA256:9744F825593089C7CC7A25E725E2CADDD512CA1EEAB08E69DEE08CD3DA97795C
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\proguard-rules.pro		text
		MD5:ADF6F233B18261975991F1825834AFC7	SHA256:1CF8C57E8F79C250B0AF9C1A5A4EDAD71A5C348A79AB70243B6BAE086C150AD2
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\release\output.json		ini
		MD5:2E51CB0F4FB2A64351AEDFCB707CAF26	SHA256:0C6086E086013FA78597A4BC1558695E831407A0D1574F1533EB6C20E77FE82D
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\runConfigurations.xml		xml
		MD5:E9E1B64A01DAA4C987B8FB1E927D8273	SHA256:42D6B42D21F506765A2C77D216C7747B3BD8B9FAFB050EC2B3719A457C6343EC
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\Wave.zip		compressed
		MD5:0707A71B6509E07354C9D5D822D5E04B	SHA256:141F5C08E669F61C0B5343C4AB8B570FC3D74FAE27E1C8E0D026E45C2C93349C
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\misc.xml		xml
		MD5:45DB03D9E4AB5B65FD3A22407B791860	SHA256:9FC294279C6DB10BEDD87B2109C008CD60EAB9862EB7A35431932A0DD595F224
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\README.md		text
		MD5:99AF5D699061B9561CF090C309AF1E98	SHA256:1948607A5EB75655814910082BB903EE043B530136606DEF309F3228B5AE1F99
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\.idea\vcs.xml		xml
		MD5:166ACEF3D301BD241D0D6DA15BC5AD3C	SHA256:55768F1F84FB117F1D0FC383E180B5D0AA5E5E6584C8C4A2995C15B4237F0972
6484	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR6484.6942\Wave-Executor-master.zip\Wave-Executor-master\app\src\main\AndroidManifest.xml		xml
		MD5:EE26779B96C389A5969219191FF291A9	SHA256:17804933CE0E06E03013DD3675F25AE770179B93EA6F49562F7129A8A9B58F37

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6076	svchost.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.24:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6076	svchost.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7132	aspnet_regiis.exe	GET	—	147.45.47.81:80	http://147.45.47.81/conhost.exe	unknown	—	—	unknown
—	—	POST	200	104.21.96.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.32.1:443	https://fancywaxxers.shop/api	unknown	text	13.7 Kb	malicious
—	—	POST	200	104.21.32.1:443	https://fancywaxxers.shop/api	unknown	text	18.3 Kb	malicious
—	—	POST	200	104.21.112.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious
—	—	POST	200	104.21.48.1:443	https://fancywaxxers.shop/api	unknown	text	14 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6076	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.205:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6076	svchost.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.24:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6076	svchost.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.227.205 2.23.227.202 2.23.227.198 2.23.227.208	unknown
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.16.164.24 2.16.164.10 2.16.164.129 2.16.164.17 2.16.164.107 2.16.164.58 2.16.164.49 2.16.164.9 2.16.164.122	whitelisted
www.microsoft.com	184.30.230.103	whitelisted
fancywaxxers.shop	104.21.32.1 104.21.16.1 104.21.96.1 104.21.64.1 104.21.48.1 104.21.80.1 104.21.112.1	malicious
self.events.data.microsoft.com	20.42.65.90	unknown

PID	Process	Class	Message
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
7132	aspnet_regiis.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
7132	aspnet_regiis.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 23

General Info

Wave-Executor-master.zip

19AE9F95C107D9A1D9E8DF04708B5B9A

BC7408E2A870600384C017C708285D9F3DC2AFAB

3A703FE4BC4E4C19F7569B7BA00F1D4DC75BDFFC605528E588E54FD789A51301

98304:Mz/egMVqR2/A/l9iRXmtmMhfYMgnZrN2JZP8peIWaKywbCXazqa6LGirgjlqxDh6:idj6p3RcIjtavOJIoZI5jtavOJIoZIC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Connects to the CnC server

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Contacting a server suspected of hosting an CnC

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Connects to the server without a host name

Process requests binary or script from the Internet

Executable content was dropped or overwritten

INFO

Reads the computer name

Reads the software policy settings

Checks supported languages

Reads the machine GUID from the registry

Manual execution by a user

Create files in a temporary directory

The process uses the downloaded file

The sample compiled with english language support

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings