File name:	SynapseX-main.zip
Full analysis:	https://app.any.run/tasks/6bc3aeb8-175b-4884-ab7e-6d3a2f7c743b
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 17, 2025, 21:43:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto lumma stealer arch-exec arch-doc pastebin susp-powershell github telegram
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	DB76BED0BCB58EC7F089CC6414B39683
SHA1:	262B4F1C5EA161E9535A0B46E4CD7C6846EB5884
SHA256:	B2D0E3F171A30769D7F5C84749FDA37B3FCCFFAE53CB39EA8378573FCE43161A
SSDEEP:	12288:OWpyaTGNnt5TkCMykHoVO7U/u1x0In3dSaytKU:OWwmGNnt5TkQaql/u1x1NSaytKU

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2025:05:09 23:32:24
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	SynapseX-main/


(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SynapseX-main.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:	write	Name:	DefScanner
Value: Windows Defender

PID	Process	Filename		Type
7536	Loader.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ooitbjeo.5iw.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7536	Loader.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ixkgwbla.ugd.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\Makefile		text
		MD5:F540DEC20889A7DCB32E6AECA5885109	SHA256:AEF2D0EEF89302D1117707BADC975D6C63EE40DF2D27AE4F198BB25138201F46
7820	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:EC005B31E31CD6D085CBDA52E729891C	SHA256:72D3E03647E7E767EFACAA650353D3D88DFEA14CB424AE6F706CFC6ABFE7A531
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\Loader.exe		executable
		MD5:65D53D68126B91CDCABBFFB58ED3C66C	SHA256:479B3C923BE6125530E99F24E611547AA5D8861D1E88B75A03CE5527A2052213
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\README.md		text
		MD5:E6133D19006BB1CC7AADB52F97F1FAF5	SHA256:6DEEBC0AD3EA0B8C9C7376F9EC965F3A69E8E15C57478B036A94E44160465734
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\libcurl.dll		executable
		MD5:8DA7E810E0F12B16FE6087AADDA7A69C	SHA256:79F567797066F6206EA870FFDA11CF92612AEA0EE3A26582BE38DDD0FD51FA53
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\requirements.txt		text
		MD5:84E1021A2F9073DBACAD1349B6C9E4D3	SHA256:1EAE2E450EEAC1C395F714F2639F09AE83CB959AC09A596151E4CABB9225939E
7420	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR7420.8115\SynapseX-main.zip\SynapseX-main\config.toml		text
		MD5:D2FD712EB5EB2CBA945D93680208E954	SHA256:8DC716F57504B1A81D926C4793CCFA143A2D83337AE4C4BCB8DA106BA90188B0
8084	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ky0ytkvp.4ny.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7820	powershell.exe	104.22.69.199:443	pastebin.com	CLOUDFLARENET	—	whitelisted
7820	powershell.exe	140.82.121.3:443	github.com	GITHUB	US	whitelisted
7820	powershell.exe	185.199.108.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
672	MSBuild.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
672	MSBuild.exe	40.91.108.115:443	flowerexju.bet	MICROSOFT-CORP-MSN-AS-BLOCK	US	malicious
672	MSBuild.exe	172.67.150.184:443	overcovtcg.top	CLOUDFLARENET	US	malicious
7200	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.74.206	whitelisted
pastebin.com	104.22.69.199 172.67.25.94 104.22.68.199	whitelisted
github.com	140.82.121.3	whitelisted
raw.githubusercontent.com	185.199.108.133 185.199.110.133 185.199.111.133 185.199.109.133	whitelisted
t.me	149.154.167.99	whitelisted
searchilyo.run	—	unknown
flowerexju.bet	40.91.108.115	malicious
testcawepr.run	—	unknown
easterxeen.run	40.91.108.115	malicious

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
—	—	Misc activity	ET HUNTING EXE Downloaded from Github
672	MSBuild.exe	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flowerexju .bet)
672	MSBuild.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (flowerexju .bet) in TLS SNI
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (testcawepr .run)

General Info

SynapseX-main.zip

DB76BED0BCB58EC7F089CC6414B39683

262B4F1C5EA161E9535A0B46E4CD7C6846EB5884

B2D0E3F171A30769D7F5C84749FDA37B3FCCFFAE53CB39EA8378573FCE43161A

12288:OWpyaTGNnt5TkCMykHoVO7U/u1x0In3dSaytKU:OWwmGNnt5TkQaql/u1x1NSaytKU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Downloads the requested resource (POWERSHELL)

STEALER has been found (auto)

Connects to the CnC server

LUMMA has been detected (SURICATA)

Script downloads file (POWERSHELL)

Steals credentials from Web Browsers

LUMMA mutex has been found

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Application launched itself

Executable content was dropped or overwritten

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Searches for installed software

INFO

Create files in a temporary directory

Reads the computer name

Manual execution by a user

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Reads Environment values

Checks supported languages

Reads Microsoft Office registry keys

Reads the software policy settings

Checks if a key exists in the options dictionary (POWERSHELL)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Script raised an exception (POWERSHELL)

Found Base64 encoded reflection usage via PowerShell (YARA)

Found Base64 encoded file access via PowerShell (YARA)

Disables trace logs

Checks proxy server information

Gets data length (POWERSHELL)

Executable content was dropped or overwritten

The sample compiled with english language support

The executable file from the user directory is run by the Powershell process

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules