File name:	adv.ps1
Full analysis:	https://app.any.run/tasks/28aed9e8-862a-42e2-92c7-32a61a72c587
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 15:46:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader opendir lumma stealer
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (309), with CRLF line terminators
MD5:	10891F0A4C19021664493C6209F6F32D
SHA1:	358FBED42A7A12B1DA18284CB487128A92D66B8D
SHA256:	C92A041C50A79B729DED5541F303FDB01CDCE37BCF38927F6CDCDC6A35284676
SSDEEP:	48:AmUrBJ+kYtTXg0lsLnFroz6dTRTD6MOx+3ZLRQ0cKiMf:rUrDCM7R9sx+JLRQba

PID	Process	Filename		Type
6428	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_udmz2bvp.ego.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6428	powershell.exe	C:\Users\admin\AppData\Local\Temp\putty.exe		executable
		MD5:FCE954E0B8ABEC15C129A54BA33ED2CD	SHA256:DC9B46B3B0F75B8C054656BFACBB770C67EABDD8D9DCB9EEE54664FCE74407DA
6428	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:20D427F7DEDF1721BEF151F55D520668	SHA256:D4A5BEEAC231B0E9CA6FE5381049071075BA253CB2A993D6B65A360B9384F36B
6428	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XUTAUUJ1PA7S0EOC0IW3.temp		binary
		MD5:20D427F7DEDF1721BEF151F55D520668	SHA256:D4A5BEEAC231B0E9CA6FE5381049071075BA253CB2A993D6B65A360B9384F36B
6428	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:5CB526F8C92BE4333C82A336E3A552B6	SHA256:B34E005085C5ADD4E45E84CECBD23440E90573E192DAC4CD7325B133673BCDF3
6428	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF135e7f.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6428	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bhq4nnb2.fwe.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
736	svchost.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6428	powershell.exe	GET	301	185.147.125.51:80	http://todmeng.com/webdav/infrarecorder.exe	unknown	—	—	unknown
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
736	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	185.147.125.51:443	https://todmeng.com/webdav/infrarecorder.exe	unknown	executable	2.66 Mb	—
—	—	POST	200	172.67.207.38:443	https://immureprech.biz/api	unknown	text	2 b	malicious
—	—	POST	200	104.21.22.222:443	https://immureprech.biz/api	unknown	text	17 b	malicious
—	—	POST	200	104.21.22.222:443	https://immureprech.biz/api	unknown	text	18.2 Kb	malicious
—	—	POST	200	172.67.207.38:443	https://immureprech.biz/api	unknown	text	17 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
736	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6428	powershell.exe	185.147.125.51:80	todmeng.com	LLC Baxet	PL	unknown
736	svchost.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
736	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6428	powershell.exe	185.147.125.51:443	todmeng.com	LLC Baxet	PL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.142	whitelisted
todmeng.com	185.147.125.51	unknown
crl.microsoft.com	23.48.23.147 23.48.23.173 23.48.23.156 23.48.23.176 23.48.23.166	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
debonairnukk.xyz	—	malicious
immureprech.biz	172.67.207.38 104.21.22.222	malicious
self.events.data.microsoft.com	13.89.179.8	whitelisted

PID	Process	Class	Message
6428	powershell.exe	Misc activity	ET INFO Request for EXE via Powershell
6428	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)
6940	putty.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)

General Info

adv.ps1

10891F0A4C19021664493C6209F6F32D

358FBED42A7A12B1DA18284CB487128A92D66B8D

C92A041C50A79B729DED5541F303FDB01CDCE37BCF38927F6CDCDC6A35284676

48:AmUrBJ+kYtTXg0lsLnFroz6dTRTD6MOx+3ZLRQ0cKiMf:rUrDCM7R9sx+JLRQba

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Actions looks like stealing of personal data

LUMMA mutex has been found

Executing a file with an untrusted certificate

LUMMA has been detected (SURICATA)

Connects to the CnC server

Steals credentials from Web Browsers

SUSPICIOUS

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Starts NET.EXE to map network drives

Contacting a server suspected of hosting an CnC

INFO

Disables trace logs

Checks proxy server information

Reads the machine GUID from the registry

The sample compiled with english language support

The executable file from the user directory is run by the Powershell process

Script raised an exception (POWERSHELL)

Reads the software policy settings

Checks supported languages

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings