Malware analysis Paypal Checker New 2024 version.rar Malicious activity

Add for printing

File name:	Paypal Checker New 2024 version.rar
Full analysis:	https://app.any.run/tasks/4e6c3023-0c90-4c91-a05e-54638a829686
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 31, 2024, 17:14:51
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc lumma stealer
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	CE89266D589FC52E395F1A596571AED2
SHA1:	1DDB8372130B4CB8EF38BB90DD9478F69A216790
SHA256:	45EF548F451F98FA4B6C3BEA6D5C74A80292B0A8239E2D2210DA503726374835
SSDEEP:	98304:bIWrNlSVOBOGCEEuHdZMYW4DrzFehjVNfggalm56rMjWSv5hVA1LEuFYIqWUzs+q:DHIZla

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Connects to the CnC server
  - svchost.exe (PID: 2172)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2172)
  - rtKNzonlBa.exe (PID: 3832)
- Stealers network behavior
  - rtKNzonlBa.exe (PID: 3832)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 1576)
- Executes application which crashes
  - Paypal Checker New 2024 version.exe (PID: 300)
  - rtKNzonlBa.exe (PID: 7144)
- Executable content was dropped or overwritten
  - bUULV4cfU7.exe (PID: 5976)
  - Paypal Checker New 2024 version.exe (PID: 5948)
- Application launched itself
  - Paypal Checker New 2024 version.exe (PID: 300)
  - rtKNzonlBa.exe (PID: 7144)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2172)
  - rtKNzonlBa.exe (PID: 3832)
INFO
- Manual execution by a user
  - Paypal Checker New 2024 version.exe (PID: 300)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1576)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	1024461
UncompressedSize:	1166336
OperatingSystem:	Win32
ArchivedFileName:	Paypal Checker New 2024 version.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

135

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

300

"C:\Users\admin\Desktop\Paypal Checker New 2024 version.exe"

C:\Users\admin\Desktop\Paypal Checker New 2024 version.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225477

Modules

Images
c:\users\admin\desktop\paypal checker new 2024 version.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll

616

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7144 -s 336

C:\Windows\SysWOW64\WerFault.exe

rtKNzonlBa.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1576

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Paypal Checker New 2024 version.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2172

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2380

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 300 -s 280

C:\Windows\SysWOW64\WerFault.exe

Paypal Checker New 2024 version.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

3832

"C:\Users\admin\AppData\Roaming\rtKNzonlBa.exe"

C:\Users\admin\AppData\Roaming\rtKNzonlBa.exe

rtKNzonlBa.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\roaming\rtknzonlba.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

5748

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Paypal Checker New 2024 version.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5948

"C:\Users\admin\Desktop\Paypal Checker New 2024 version.exe"

C:\Users\admin\Desktop\Paypal Checker New 2024 version.exe

Paypal Checker New 2024 version.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\paypal checker new 2024 version.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

5976

"C:\Users\admin\AppData\Roaming\bUULV4cfU7.exe"

C:\Users\admin\AppData\Roaming\bUULV4cfU7.exe

Paypal Checker New 2024 version.exe

User:

admin

Company:

Microsoft Windows

Integrity Level:

MEDIUM

Description:

system32

Version:

15.6.13.6

Modules

Images
c:\users\admin\appdata\roaming\buulv4cfu7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6192

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

rtKNzonlBa.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

8 628

Read events

8 622

Write events

Delete events

Modification events


(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Paypal Checker New 2024 version.rar
(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2380	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Paypal Checker N_9deed480613c815ec9c25a84c6828c3e34825a_edebd1dd_effef0ea-c9e4-4c6a-8eb8-18eca942ef2d\Report.wer		—
		MD5:—	SHA256:—
1576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1576.22112\NlsData0027.dll		executable
		MD5:DD7B568F7B0DDCB39862485DF11B7758	SHA256:DED1FBD837BE8BF6DC429035D13792C902CEA5A5AF6BAE847E4BE3BFF7258FFD
1576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1576.22112\Paypal Checker New 2024 version.exe		executable
		MD5:2ABFF13CFDBB439B7BD63D3BE7727689	SHA256:61AEEB5A4A82B1083D1378EEFDB77AB7D30FC0B89566E6400387DEBAEDD64C37
616	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rtKNzonlBa.exe_17bbd65e7bf9821afc6da046fb50e3c4143daaba_063a1f78_949c896b-17e9-486a-80ba-0132b5a35719\Report.wer		—
		MD5:—	SHA256:—
1576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1576.22112\NlsLexicons0049.dll		executable
		MD5:E502D97A5B970F25C49E9ACE1836FC80	SHA256:2B931B863FB178271A17AE1F0567C1CF53F359753A7D7E716EE34CF0C8B18925
1576	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1576.22112\NlsData001a.dll		executable
		MD5:2270A07CB2DA2660E7A50F8A697B2626	SHA256:2BC32C88B35E61E614FD9ACF9F57C0C521941A9053254216AF84767075FC17CD
2380	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER1959.tmp.WERInternalMetadata.xml		xml
		MD5:402743E0147A323A245C9A45D8C7D0D2	SHA256:C4178E432788C04F82FFE94F77B6111AE8C0D0883490FB46338A6C24F43BF44F
2380	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER18DB.tmp.dmp		binary
		MD5:1302798BED575B30DD14C1EA0C30252A	SHA256:62D38EF01067005A771E5FFAA2B5E0923EDE8061D8C2E7DB722452E548BEFECA
616	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER2213.tmp.WERInternalMetadata.xml		xml
		MD5:77101770063A8C5DCF5ACCF9D11B52B9	SHA256:D8C5CAC058503BA99B11CDFF46BB754BFF30A53276B1EFF885BECD83FFB4EDAC
2380	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:8800716E0FCE81542EBA9097EE7C7181	SHA256:02C8BD3FC85704C3A57F101B63278D33F86EE73907DAFC3519B263BA58C42DFD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1552	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2380	WerFault.exe	GET	200	23.48.23.164:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7080	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2380	WerFault.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4292	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4360	SearchApp.exe	104.126.37.184:443	www.bing.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 51.104.136.2	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9 23.48.23.164 23.48.23.147 23.48.23.143 23.48.23.173 23.48.23.166	whitelisted
www.microsoft.com	23.32.185.131 184.30.21.171	whitelisted
google.com	216.58.212.174	whitelisted
www.bing.com	104.126.37.184 104.126.37.179 104.126.37.160 104.126.37.163 104.126.37.153 104.126.37.139 104.126.37.161 104.126.37.186 104.126.37.155	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 20.190.159.4 20.190.159.68 40.126.31.71 20.190.159.71 40.126.31.69 20.190.159.0 40.126.31.73	whitelisted
th.bing.com	104.126.37.170 104.126.37.136 104.126.37.162 104.126.37.130 104.126.37.186 104.126.37.128 104.126.37.179 104.126.37.131 104.126.37.171	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted

Threats

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)
3832	rtKNzonlBa.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site)
3832	rtKNzonlBa.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
3832	rtKNzonlBa.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)
3832	rtKNzonlBa.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)
3832	rtKNzonlBa.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)
3832	rtKNzonlBa.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (goalyfeastz .site in TLS SNI)

Add for printing

No debug info

General Info

Paypal Checker New 2024 version.rar

CE89266D589FC52E395F1A596571AED2

1DDB8372130B4CB8EF38BB90DD9478F69A216790

45EF548F451F98FA4B6C3BEA6D5C74A80292B0A8239E2D2210DA503726374835

98304:bIWrNlSVOBOGCEEuHdZMYW4DrzFehjVNfggalm56rMjWSv5hVA1LEuFYIqWUzs+q:DHIZla

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

LUMMA has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Process drops legitimate windows executable

Executes application which crashes

Executable content was dropped or overwritten

Application launched itself

Contacting a server suspected of hosting an CnC

INFO

Manual execution by a user

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings