File name:	Adobe Activator.rar
Full analysis:	https://app.any.run/tasks/285892b8-1a87-410c-b884-75092fb04784
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 19, 2024, 12:18:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer xmrig loader miner
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	5FA6E28B3B413E33D5E0E43B2EB7592E
SHA1:	C4EAF89326B97587049060F936D40DFF4E945C22
SHA256:	55D0878B26822889880B1518B566255CF79F39550DF86A1C4B450F21EFE5D52E
SSDEEP:	196608:jsFKwnURiKSX0slAzlHbOHCS0Nv4TtZAUiAzDWTC/AgQmxC:2L8cnApHbOHCSAUiAz+COmxC

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Adobe Activator.rar
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6628) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5840) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3ddan.chm		binary
		MD5:3F5EA602A3C7DF10F04607BB4036AE91	SHA256:D2ECB5ACF630F64891C85D796CDFC251B83604921A6057C8C747E4D0383C0CBF
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dell.chm		binary
		MD5:3B29CE38A2BF1D68B9E5F47B224FC208	SHA256:D348907C412F241BA167D9B7455AF4579816F43F61BC652FD2F948DFA4400904
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dchs.chm		binary
		MD5:C5642A52A8A562C0E877A5305C5A5845	SHA256:8C46FAEB2037EB7935D24C880A712E65AB970DA67A856D16FF0E7E9D7CAB1E07
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dcht.chm		binary
		MD5:CAC8A4ED9640B74857A93FB8B77F62E3	SHA256:1B3AE5A0BD843C09EE6662CD7A5F3D5B6F364EBCE14AFA85B268375DF3C9C235
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3d.chm		binary
		MD5:B5F9ED44F46DC2A2B54BAF908B9B9781	SHA256:53136C96A99EC7F237470DB34E49742AC99427ED6F2A22045EE9C45CE390BC69
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3ddeu.chm		binary
		MD5:47A7C297543CD404C3E70086C4F8FD21	SHA256:770F86DBED72FEC9ED81A0882F0FB7EF77D4880F174A03682D932C9F6215CC24
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3desm.chm		binary
		MD5:B7835B96F85D64987C6F4E3F31D839AD	SHA256:4D50A06D7F04FE32378FA237A9C0EA3B352096A39115D6CD540E73EAD6B3BB37
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3deng.chm		binary
		MD5:3ECD51DE3A504EEC21D70CCF865D43DD	SHA256:1D80C40950A02FE124D5450F0F2A4B177A497607575B4B13EB06DEBF958B6CEA
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Adobe_Activator.exe		executable
		MD5:34606BBFF1084F0E853F22A47DF80611	SHA256:D659948043D414A885E3F8DE5BD3DCEF4A03A972B300F14ACA8222B33CB33F31
6628	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6628.47994\Adobe Activator\Help\nvcpl\nv3dara.chm		binary
		MD5:C1B0257579B0D16FBE0CD2D02DBFAA75	SHA256:BDE3204CE98AD07F35AF5A5D77CB9BCEC604AE97B90A261C731E33CD86B4EC65

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5952	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
5952	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
7052	MSBuild.exe	GET	200	147.45.47.115:80	http://147.45.47.115/conhost.exe	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/WinRing0x64.sys	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/xmrig.exe	unknown	—	—	unknown
7104	UVTMVRLALSZWI8WJS1UTS8S73HGWXK.exe	GET	200	147.45.47.115:80	http://147.45.47.115/WatchDog.exe	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5952	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
—	—	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5952	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5140	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
ticketgradiencomfj.shop	188.114.96.9 188.114.97.9	unknown
pastebin.com	104.20.4.235 104.20.3.235 172.67.19.24	shared
self.events.data.microsoft.com	20.50.201.200	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
7052	MSBuild.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
—	—	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

Adobe Activator.rar

5FA6E28B3B413E33D5E0E43B2EB7592E

C4EAF89326B97587049060F936D40DFF4E945C22

55D0878B26822889880B1518B566255CF79F39550DF86A1C4B450F21EFE5D52E

196608:jsFKwnURiKSX0slAzlHbOHCS0Nv4TtZAUiAzDWTC/AgQmxC:2L8cnApHbOHCSAUiAz+COmxC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Generic malware mutex has been detected

XMRig has been detected

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Searches for installed software

Starts POWERSHELL.EXE for commands execution

Connects to the server without a host name

Process requests binary or script from the Internet

Starts CMD.EXE for commands execution

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Creates file in the systems drive root

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Uses powercfg.exe to modify the power settings

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads the software policy settings

Executable content was dropped or overwritten

Reads the computer name

Drops the executable file immediately after the start

Create files in a temporary directory

Manual execution by a user

Creates files in the program directory

Checks proxy server information

Reads Environment values

Disables trace logs

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests