File name:	Adobe Activator.rar
Full analysis:	https://app.any.run/tasks/285892b8-1a87-410c-b884-75092fb04784
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 19, 2024, 12:18:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer xmrig loader miner
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	5FA6E28B3B413E33D5E0E43B2EB7592E
SHA1:	C4EAF89326B97587049060F936D40DFF4E945C22
SHA256:	55D0878B26822889880B1518B566255CF79F39550DF86A1C4B450F21EFE5D52E
SSDEEP:	196608:jsFKwnURiKSX0slAzlHbOHCS0Nv4TtZAUiAzDWTC/AgQmxC:2L8cnApHbOHCSAUiAz+COmxC

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Adobe Activator.rar
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5840) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dara.chm		binary
		MD5:C1B0257579B0D16FBE0CD2D02DBFAA75	SHA256:BDE3204CE98AD07F35AF5A5D77CB9BCEC604AE97B90A261C731E33CD86B4EC65
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dchs.chm		binary
		MD5:C5642A52A8A562C0E877A5305C5A5845	SHA256:8C46FAEB2037EB7935D24C880A712E65AB970DA67A856D16FF0E7E9D7CAB1E07
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\en-US\credits.rtf		text
		MD5:05B931430FD173BD22900DBAA8BBFF10	SHA256:3CE703C36DFC6282C22991519309B921AE8F5B2653561FF3F9C1617DC2D6674E
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3d.chm		binary
		MD5:B5F9ED44F46DC2A2B54BAF908B9B9781	SHA256:53136C96A99EC7F237470DB34E49742AC99427ED6F2A22045EE9C45CE390BC69
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dcsy.chm		binary
		MD5:B8D7042DDC7225D8292A0C615A3FB23B	SHA256:3003EB4F3D284477CE8EED97E07B123AE06023D441A36FB78E4B69C72D90B0C1
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3ddan.chm		binary
		MD5:3F5EA602A3C7DF10F04607BB4036AE91	SHA256:D2ECB5ACF630F64891C85D796CDFC251B83604921A6057C8C747E4D0383C0CBF
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dell.chm		binary
		MD5:3B29CE38A2BF1D68B9E5F47B224FC208	SHA256:D348907C412F241BA167D9B7455AF4579816F43F61BC652FD2F948DFA4400904
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dfra.chm		chm
		MD5:B7AF0F0DE555F26450BEBDD9F971C838	SHA256:36DA94C497DE59E1154391F00DC08F058DBD2B4541C182F2C0ABD84021D6F72C
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dfin.chm		binary
		MD5:0EFE776961D3B5D75E2F2F2054A01EC0	SHA256:CABC965762D678F14E2187BBCB109F2CC796D9A84B9F168CF49DAE270136AD99
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3desn.chm		binary
		MD5:73BFE0ABBE2128C47EAD3C96521A9D70	SHA256:78EA2FEDD3EF6B2847B59A8D98B371CF82AD728BAC19C740A654D1E5B733CC43

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5952	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5952	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
7052	MSBuild.exe	GET	200	147.45.47.115:80	http://147.45.47.115/conhost.exe	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/xmrig.exe	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/WinRing0x64.sys	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/WatchDog.exe	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5952	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
—	—	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5952	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5140	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
ticketgradiencomfj.shop	188.114.96.9 188.114.97.9	unknown
pastebin.com	104.20.4.235 104.20.3.235 172.67.19.24	shared
self.events.data.microsoft.com	20.50.201.200	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
7052	MSBuild.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

Adobe Activator.rar

5FA6E28B3B413E33D5E0E43B2EB7592E

C4EAF89326B97587049060F936D40DFF4E945C22

55D0878B26822889880B1518B566255CF79F39550DF86A1C4B450F21EFE5D52E

196608:jsFKwnURiKSX0slAzlHbOHCS0Nv4TtZAUiAzDWTC/AgQmxC:2L8cnApHbOHCSAUiAz+COmxC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic malware mutex has been detected

Drops the executable file immediately after the start

XMRig has been detected

Actions looks like stealing of personal data

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Searches for installed software

Process requests binary or script from the Internet

BASE64 encoded PowerShell command has been detected

Connects to the server without a host name

Starts CMD.EXE for commands execution

Base64-obfuscated command line is found

Starts POWERSHELL.EXE for commands execution

Creates file in the systems drive root

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Uses powercfg.exe to modify the power settings

INFO

Executable content was dropped or overwritten

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Manual execution by a user

Drops the executable file immediately after the start

Reads the software policy settings

Creates files in the program directory

Reads Environment values

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests