File name: pg1.zip

Full analysis: https://app.any.run/tasks/c47c9006-c4c5-4420-a158-dac8c2e37b4f
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Analysis date: September 28, 2024, 16:14:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 5703B0EAA4147BCA1CC42EB520CECD94
SHA1: 81A96BD47FCFCE4B5378221BDAA8308B6F3B9C40
SHA256: D823025626DF8A35A733A3FE144CBC3059E69C0CA09513490F7B894B72E0DF4B
SSDEEP: 98304:ryTfawzTXANteAg36KDn897Gik6YkZAdiAMbb2KnyX1eUHauJStL/9QRK+45QUB8:uqc+3AWzixTmER6fqDXATiQgIN+a8rmU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stealers network behavior

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
    • LUMMA has been detected (YARA)

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
    • LUMMA has been detected (SURICATA)

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6308)
    • Starts application with an unusual extension

      • Setup.exe (PID: 1636)
      • Setup.exe (PID: 1928)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 1636)
  • INFO

    • Creates files or folders in the user directory

      • Setup.exe (PID: 1636)
    • Checks supported languages

      • Setup.exe (PID: 1636)
      • StrCmp.exe (PID: 4128)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • more.com (PID: 6216)
      • Setup.exe (PID: 5128)
    • Reads the computer name

      • StrCmp.exe (PID: 4128)
      • Setup.exe (PID: 1636)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • more.com (PID: 6216)
      • Setup.exe (PID: 5128)
    • Create files in a temporary directory

      • Setup.exe (PID: 1636)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • more.com (PID: 6216)
      • Setup.exe (PID: 5128)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6308)
      • WinRAR.exe (PID: 3584)
      • WinRAR.exe (PID: 5664)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6308)
      • WinRAR.exe (PID: 3584)
      • WinRAR.exe (PID: 5664)
    • Manual execution by a user

      • WinRAR.exe (PID: 3584)
      • Setup.exe (PID: 1928)
      • WinRAR.exe (PID: 5664)
      • Setup.exe (PID: 5128)
    • Reads the software policy settings

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:08:02 06:33:10
ZipCRC: 0xeff4cd71
ZipCompressedSize: 7434
ZipUncompressedSize: 12108
ZipFileName: carferry.flv
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 13
Malicious processes: 7
Suspicious processes: 0

Behavior graph

start winrar.exe setup.exe strcmp.exe no specs more.com no specs conhost.exe no specs winrar.exe #LUMMA searchindexer.exe setup.exe no specs more.com no specs conhost.exe no specs winrar.exe setup.exe no specs #LUMMA searchindexer.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 6308 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\pg1.zip | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1636 | CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe" | Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe | Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pdUpdater
Exit code:
1
Version:
17.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6308.39087\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll
PID: 4128 | CMD: C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe | Path: C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe | Parent process: Setup.exe
User:
admin
Company:
aaa
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\roaming\mtls\ccrljalmzldqajozjvp\strcmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5908 | CMD: C:\WINDOWS\SysWOW64\more.com | Path: C:\Windows\SysWOW64\more.com | Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID: 4108 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3584 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\pg1.zip" C:\Users\admin\Desktop\ | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2424 | CMD: C:\WINDOWS\SysWOW64\SearchIndexer.exe | Path: C:\Windows\SysWOW64\SearchIndexer.exe | Indicators: #LUMMA | Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\uqvyfphgyfun
c:\windows\syswow64\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 1928 | CMD: "C:\Users\admin\Desktop\Setup.exe" | Path: C:\Users\admin\Desktop\Setup.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pdUpdater
Exit code:
1
Version:
17.0.0.0
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
PID: 6216 | CMD: C:\WINDOWS\SysWOW64\more.com | Path: C:\Windows\SysWOW64\more.com | Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3256 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 497
Read events: 10 477
Write events: 20
Delete events: 0

Modification events

PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\pg1.zip
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: name | Value: 256
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: size | Value: 80
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: psize | Value: 80
PID 6308 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 43
Suspicious files: 11
Text files: 6
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe
MD5:
SHA256:

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\carferry.flv (binary)
MD5: 16A30926E4EBC495D3659854C3731F63
SHA256: DC260B93C358E10FC6F74C0B9F487DD0C2FD58E791EC5B0925B0546258923B36

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Register.dll (executable)
MD5: 40B9628354EF4E6EF3C87934575545F4
SHA256: 372B14FCE2EB35B264F6D4AEEF7987DA56D951D3A09EF866CF55ED72763CAA12

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\glioma.aspabr
MD5: 99083617F7139EE9AD5D6B719286AC3A
SHA256: 7CDDF32DE8B02B3ECF42C50DED8593770C5AB96D76247155F28D1D3CC87A541F

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\libvlc.dll (executable)
MD5: 96214B94B796BFFC48D63289854AE5A2
SHA256: 528C416CFB4813EE5F1DA52743EF4ADB20043171230098B27E25D1DD90E3F288

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\BIB.dll (executable)
MD5: 404DE37B800B661EBFAA218B20C8C0C6
SHA256: CA53407B356FCDEA51A6D536447ED6B88AD14C87FACF421080D141CAE837EEDC

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AdobeXMP.dll (executable)
MD5: 7C3033588C1A187918CF3FD246069A3F
SHA256: E958F4ED8272A96E599FF9F0A79331E7B5109104A9D20D3F760C7EB162DAF7E0

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AGM.dll (executable)
MD5: B39B8D45413692FF856E9BA907256C2F
SHA256: EE32F4CBBA3A601D57064695A8ED5955E1B9AF984110D34504B8D5EBB132C084

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\JP2KLib.dll (executable)
MD5: 73C0DA5C825E3A2275DBEF4F8DAE0813
SHA256: 979851CAC4A2A0E394F06CA7139D7402911048B094F550DD9B33D1203AE92862

PID 6308, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\ACE.dll (executable)
MD5: D0AE82CDF9911BEC3EDDDA128602AF04
SHA256: F9675304D13EFAEE32E6B4A3317B64231A59B684532A898D12B4E7ED88518AFD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 69
DNS requests: 16
Threats: 23

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown
GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | CN: unknown
PID 2384 SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | CN: unknown | whitelisted
POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | CN: unknown | malicious
POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | CN: unknown | text, 18 b | malicious
POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | CN: unknown | text, 18 b | malicious
POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | CN: unknown | text, 18 b | malicious
POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | CN: unknown | text, 48 b | malicious
GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | CN: unknown
GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | CN: unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

PID 4 | System | 192.168.100.255:137 | whitelisted
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
PID 4 | System | 192.168.100.255:138 | whitelisted
PID 7108 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
PID 2424 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown
PID 4412 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown
PID 2384 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 2384 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
PID 2384 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 172.217.16.206 | whitelisted
swipedbakkwo.shop | 188.114.97.3, 188.114.96.3 | malicious
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
crl.microsoft.com | 23.48.23.164, 23.48.23.176, 23.48.23.180, 23.48.23.173, 23.48.23.194 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
self.events.data.microsoft.com | 20.42.73.26 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
login.live.com | 40.126.32.138, 40.126.32.72, 20.190.160.17, 40.126.32.136, 20.190.160.20, 40.126.32.76, 40.126.32.134, 20.190.160.22 | whitelisted

Threats

Columns: PID | Process | Class | Message

A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity M2
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
3 ETPRO signatures available at the full report
No debug info