Malware analysis /Pinga47/fatality-cs2/releases/download/Release/Release.rar Malicious activity

Add for printing

download:	/Pinga47/fatality-cs2/releases/download/Release/Release.rar
Full analysis:	https://app.any.run/tasks/6df3e366-dbfe-4704-84b8-33fd1b7b6a18
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 23, 2024, 15:47:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-doc lumma stealer
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	BC3158F149F55405909D1FA8BD94C006
SHA1:	25A016E4D45C5F402EB18A329B8DF45D09D81104
SHA256:	C28E177F4A96A97F256B5919631A3AA1C2BD64E1EE193F9A47A8FA70DBB5FD8D
SSDEEP:	49152:jlXiISg4XNIs4nM5MW4ik2Mk4/nkV8NKt74KSMrRr1QbWLSCzS4XKvEhKu6EAg9V:RXiN6dM5w8Mk4/na7u9yQKmCzqvEhKIp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2192)
  - Launcher.exe (PID: 5892)
- Connects to the CnC server
  - svchost.exe (PID: 2192)
SUSPICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 2448)
- Application launched itself
  - Launcher.exe (PID: 372)
- Executes application which crashes
  - Launcher.exe (PID: 372)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2192)
  - Launcher.exe (PID: 5892)
INFO
- Manual execution by a user
  - notepad.exe (PID: 5340)
  - WinRAR.exe (PID: 3988)
  - WinRAR.exe (PID: 5472)
  - Launcher.exe (PID: 372)
  - Taskmgr.exe (PID: 3840)
  - Taskmgr.exe (PID: 4500)
- The process uses the downloaded file
  - WinRAR.exe (PID: 2448)
  - WinRAR.exe (PID: 5472)
  - WinRAR.exe (PID: 3988)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 5340)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5472)
- Checks supported languages
  - Launcher.exe (PID: 5892)
  - Launcher.exe (PID: 372)
- Reads the computer name
  - Launcher.exe (PID: 5892)
- Reads the software policy settings
  - Launcher.exe (PID: 5892)
- Reads the machine GUID from the registry
  - Launcher.exe (PID: 5892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	986200
UncompressedSize:	986200
OperatingSystem:	Win32
ArchivedFileName:	Release/Executor.rar

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

372

"C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\Launcher.exe"

C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\Launcher.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225477

Modules

Images
c:\users\admin\downloads\release\release\executor\executor\executor\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1140

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Launcher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2448

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\Release.rar

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3640

"C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\Launcher.exe"

C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\Launcher.exe

—

Launcher.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\release\release\executor\executor\executor\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3836

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

3840

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Manager

Exit code:

3221226540

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll

3988

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Release\Release\Executor.rar" C:\Users\admin\Downloads\Release\Release\

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4076

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 372 -s 612

C:\Windows\SysWOW64\WerFault.exe

Launcher.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

4500

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll

Add for printing

Total events

14 910

Read events

14 833

Write events

Delete events

Modification events


(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\Release.rar
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	15
Value:
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:	delete value	Name:	14
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2448	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor.rar		compressed
		MD5:6AB0ABD018BF5687F0637537820CBCF6	SHA256:DD9DBD0484C88E111103FA990789CA3ED01AD40D569D3D5C35BAF34C2532E7F7
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\map_refinement\mr_tartanair.yaml		text
		MD5:00DC7F3A01A9C30F2A3543F393D096A9	SHA256:142FE74EE78FF06B0536CB1ADD4C35136341210D978DE5448D0F6943C77C49CD
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\camera\realsense_848_480.yaml		text
		MD5:0A3A9C6D6B8EDBE68C9E23B03443A7E2	SHA256:B294EA0ECA78C1F5516BEF1F3F81EF58FE26C5D3D1506CEEAFB8CA63C84D5735
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\map_refinement\mr_euroc.yaml		text
		MD5:3A1B1A707DD09EFFBC11012DD353E8BB	SHA256:59B6786FB4A5450A268FB3C0B9B935EF4C93344C7065631ED2D4FF07744B60E7
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\relocalization\reloc_tartanair.yaml		text
		MD5:5AEC82CC058C2FA0676A4663C8C0624C	SHA256:7B7A240C55BD466DF423CAC182F17DFD240E678A1F87137AC7B96E83A153F2F7
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\camera\uma_bumblebee.yaml		text
		MD5:3DA07A92A0542217DAB0FBADCEF14F7A	SHA256:8405E9AB2ABBFDD817812CD972747CA13990E89277CA45ED00DE17674A5F70C2
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\camera\tartanair.yaml		text
		MD5:2E04EB504DBE739471278363665D4B19	SHA256:3FE6C7CF262718E6DEAFBB8BD30E5C39E36B8975016D1CA83F82BF67CCA62880
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\relocalization\reloc_euroc.yaml		text
		MD5:136160B61B688BF3F137E20EE0C003A3	SHA256:C5B7EE352225A75BE90B2D63AA78CC87CF458D94936D900415315086B4471E60
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\visual_odometry\vo_euroc.yaml		text
		MD5:4AACBE6B96A9D82191B27788AEEFE565	SHA256:CD3903A45ED897987292A137DBE64D993D671E0AB04FD6802DA519B300BFDB80
5472	WinRAR.exe	C:\Users\admin\Downloads\Release\Release\Executor\Executor\Executor\configs\visual_odometry\vo_oivio.yaml		text
		MD5:C45C6FDA25CEB5FCDF5D9261346BD23C	SHA256:0F7B9D2956A42B35E219EA091107498EA707BB83FDF82EFF10A8A45AC72B76A6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6076	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3976	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6076	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5892	Launcher.exe	188.114.97.3:443	cook-rain.sbs	CLOUDFLARENET	NL	unknown
5892	Launcher.exe	49.13.77.253:443	processhol.sbs	Hetzner Online GmbH	DE	malicious
5892	Launcher.exe	23.207.106.113:443	steamcommunity.com	AKAMAI-AS	JP	whitelisted
4076	WerFault.exe	20.42.65.92:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.185.238	whitelisted
cook-rain.sbs	188.114.97.3 188.114.96.3	unknown
processhol.sbs	49.13.77.253	malicious
librari-night.sbs	49.13.77.253	unknown
befall-sm0ker.sbs	49.13.77.253	unknown
p10tgrace.sbs	49.13.77.253	malicious
peepburry828.sbs	49.13.77.253	malicious
owner-vacat10n.sbs	49.13.77.253	unknown
3xp3cts1aim.sbs	49.13.77.253	malicious

Threats

PID	Process	Class	Message
5892	Launcher.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cook-rain .sbs in TLS SNI)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cook-rain .sbs)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs)
5892	Launcher.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (processhol .sbs in TLS SNI)
5892	Launcher.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI)
2192	svchost.exe	A Network Trojan was detected	ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs)
5892	Launcher.exe	A Network Trojan was detected	ET MALWARE Observed Lumma Stealer Domain (processhol .sbs in TLS SNI)
5892	Launcher.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (3xp3cts1aim .sbs in TLS SNI)

Add for printing

No debug info

General Info

/Pinga47/fatality-cs2/releases/download/Release/Release.rar

BC3158F149F55405909D1FA8BD94C006

25A016E4D45C5F402EB18A329B8DF45D09D81104

C28E177F4A96A97F256B5919631A3AA1C2BD64E1EE193F9A47A8FA70DBB5FD8D

49152:jlXiISg4XNIs4nM5MW4ik2Mk4/nkV8NKt74KSMrRr1QbWLSCzS4XKvEhKu6EAg9V:RXiN6dM5w8Mk4/na7u9yQKmCzqvEhKIp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Generic archive extractor

Application launched itself

Executes application which crashes

Contacting a server suspected of hosting an CnC

INFO

Manual execution by a user

The process uses the downloaded file

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings