File name: pg1.zip

Full analysis: https://app.any.run/tasks/c47c9006-c4c5-4420-a158-dac8c2e37b4f
Verdict: Malicious activity
Threats:

Lumma is an information stealer written in C and sold as malware-as-a-service with several subscription plans. It targets cryptocurrency wallets, login credentials and other sensitive data on a compromised system, and receives regular updates that extend its functionality, which keeps it among the more capable stealers in circulation.

Analysis date: September 28, 2024, 16:14:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
exfiltration
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 5703B0EAA4147BCA1CC42EB520CECD94
SHA1: 81A96BD47FCFCE4B5378221BDAA8308B6F3B9C40
SHA256: D823025626DF8A35A733A3FE144CBC3059E69C0CA09513490F7B894B72E0DF4B
SSDEEP: 98304:ryTfawzTXANteAg36KDn897Gik6YkZAdiAMbb2KnyX1eUHauJStL/9QRK+45QUB8:uqc+3AWzixTmER6fqDXATiQgIN+a8rmU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (YARA)

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
    • LUMMA has been detected (SURICATA)

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
    • Stealers network behavior

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6308)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 1636)
    • Starts application with an unusual extension

      • Setup.exe (PID: 1636)
      • Setup.exe (PID: 1928)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6308)
      • WinRAR.exe (PID: 3584)
      • WinRAR.exe (PID: 5664)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 1636)
    • Create files in a temporary directory

      • Setup.exe (PID: 1636)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • Setup.exe (PID: 5128)
      • more.com (PID: 6216)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6308)
      • WinRAR.exe (PID: 3584)
      • WinRAR.exe (PID: 5664)
    • Checks supported languages

      • Setup.exe (PID: 1636)
      • StrCmp.exe (PID: 4128)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • more.com (PID: 6216)
      • Setup.exe (PID: 5128)
    • Reads the computer name

      • Setup.exe (PID: 1636)
      • StrCmp.exe (PID: 4128)
      • more.com (PID: 5908)
      • Setup.exe (PID: 1928)
      • more.com (PID: 6216)
      • Setup.exe (PID: 5128)
    • Manual execution by a user

      • WinRAR.exe (PID: 3584)
      • Setup.exe (PID: 1928)
      • WinRAR.exe (PID: 5664)
      • Setup.exe (PID: 5128)
    • Reads the software policy settings

      • SearchIndexer.exe (PID: 2424)
      • SearchIndexer.exe (PID: 4412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: carferry.flv
ZipUncompressedSize: 12108
ZipCompressedSize: 7434
ZipCRC: 0xeff4cd71
ZipModifyDate: 2024:08:02 06:33:10
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 139
Monitored processes: 13
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process chain, reconstructed from the parent-process column of the Process information section below ("no specs" marks processes the sandbox raised no indicators for; the excerpt lists no parent for WinRAR.exe 5664, Setup.exe 5128 or SearchIndexer.exe 4412):

explorer.exe
  WinRAR.exe (6308): opens C:\Users\admin\Desktop\pg1.zip
    Setup.exe (1636): run from the Rar$EXa6308.39087 temp extraction directory
      StrCmp.exe (4128), no specs
      more.com (5908), no specs
        conhost.exe (4108), no specs
        SearchIndexer.exe (2424) #LUMMA
  WinRAR.exe (3584): extracts pg1.zip to the Desktop
  Setup.exe (1928): run manually from the Desktop, no specs
    more.com (6216), no specs
      conhost.exe (3256), no specs
  WinRAR.exe (5664): further manual run
  Setup.exe (5128): further manual run, no specs
  SearchIndexer.exe (4412) #LUMMA: parent not listed in this excerpt

Process information

Columns of the original table: PID, CMD, Path, Indicators, Parent process. Each process below is listed as PID, command line, image path and parent, followed by its user, company, integrity level, exit code, version and the first mapped images.
PID: 6308
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\pg1.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1636
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pdUpdater
Exit code:
1
Version:
17.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6308.39087\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ucrtbase.dll
PID: 4128
CMD: C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe
Path: C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe
Parent process: Setup.exe
User:
admin
Company:
aaa
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\roaming\mtls\ccrljalmzldqajozjvp\strcmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5908
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID: 4108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3584
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\pg1.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2424
CMD: C:\WINDOWS\SysWOW64\SearchIndexer.exe
Path: C:\Windows\SysWOW64\SearchIndexer.exe
Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\uqvyfphgyfun
c:\windows\syswow64\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 1928
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
pdUpdater
Exit code:
1
Version:
17.0.0.0
Modules
Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll
PID: 6216
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
More Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3256
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
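What a detection engineer would pull out of this process tree: Setup.exe runs from WinRAR's temp extraction directory, launches StrCmp.exe from a random folder under AppData\Roaming and the console utility more.com; more.com in turn starts a SysWOW64 copy of SearchIndexer.exe, which has the extension-less file uqvyfphgyfun from %TEMP% (dropped by more.com, see Dropped files) mapped as an image, and that process is where the YARA and Suricata hits land. The rules below encode those relationships as an added example by the editor (not ANY.RUN code, and not ANY.RUN's signatures). REPORT_PROCS is constructed from the Process information section, with parents resolved to PIDs only where the report names them; the expectation that SearchIndexer.exe runs under services.exe is the editor's knowledge of Windows, not something the report states.

```python
"""Process-tree heuristics for the loader chain in this report (editor's example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ntpath


@dataclass
class Proc:
    pid: int
    path: str
    parent_pid: Optional[int]            # None: parent is explorer.exe or not listed
    images: List[str] = field(default_factory=list)   # first mapped images, as reported


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\admin\\desktop\\")
CONSOLE_LOLBINS = {"more.com"}           # in normal use spawns conhost.exe and nothing else
# Assumption (editor's knowledge, not from the report): the real indexer is a service
# started by services.exe, never by a console utility under a user's token.
SERVICE_BINARIES = {"searchindexer.exe"}
PE_EXTS = (".exe", ".dll")


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyse(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for every process that trips a heuristic."""
    by_pid = {p.pid: p for p in procs}
    hits: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if parent is not None:
            if in_user_writable(p.path) and in_user_writable(parent.path):
                hits.append((p.pid, "user-writable exe launched by another user-writable exe"))
            if in_system_dir(p.path) and in_user_writable(parent.path):
                hits.append((p.pid, "system binary launched from a user-writable location"))
            if base(parent.path) in CONSOLE_LOLBINS and base(p.path) != "conhost.exe":
                hits.append((p.pid, f"{base(parent.path)} spawned something other than conhost.exe"))
        if base(p.path) in SERVICE_BINARIES and (parent is None or base(parent.path) != "services.exe"):
            hits.append((p.pid, "service binary not started by services.exe"))
        for img in p.images:
            # the injected payload shows up as a mapped image with no PE extension in %TEMP%
            if in_user_writable(img) and ntpath.splitext(img)[1].lower() not in PE_EXTS:
                hits.append((p.pid, f"image without a PE extension mapped from a user dir: {img}"))
    return hits


# Constructed from the report's Process information section.
T = "c:\\users\\admin\\appdata\\local\\temp\\"
REPORT_PROCS = [
    Proc(6308, "C:\\Program Files\\WinRAR\\WinRAR.exe", None),
    Proc(1636, T + "rar$exa6308.39087\\setup.exe", 6308,
         [T + "rar$exa6308.39087\\setup.exe", "c:\\windows\\system32\\wininet.dll"]),
    Proc(4128, "C:\\Users\\admin\\AppData\\Roaming\\mtls\\CCRLJALMZLDQAJOZJVP\\StrCmp.exe", 1636,
         ["c:\\windows\\syswow64\\msvbvm60.dll"]),
    Proc(5908, "C:\\Windows\\SysWOW64\\more.com", 1636),
    Proc(4108, "C:\\Windows\\System32\\conhost.exe", 5908),
    Proc(2424, "C:\\Windows\\SysWOW64\\SearchIndexer.exe", 5908,
         [T + "uqvyfphgyfun", "c:\\windows\\syswow64\\searchindexer.exe"]),
    Proc(3584, "C:\\Program Files\\WinRAR\\WinRAR.exe", None),
    Proc(1928, "C:\\Users\\admin\\Desktop\\Setup.exe", None),
    Proc(6216, "C:\\Windows\\SysWOW64\\more.com", 1928),
    Proc(3256, "C:\\Windows\\System32\\conhost.exe", 6216),
]

if __name__ == "__main__":
    for pid, reason in analyse(REPORT_PROCS):
        print(pid, reason)
```

Run against the report's tree this flags StrCmp.exe (4128), both more.com instances (5908, 6216) and SearchIndexer.exe (2424) three times over, while WinRAR, conhost.exe and the Setup.exe parents themselves stay quiet; the same four checks translate directly into Sysmon event 1 and event 7 correlation.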
Total events: 10 497
Read events: 10 477
Write events: 20
Delete events: 0

Modification events

All by PID 6308 (WinRAR.exe), operation: write.

HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  1 = C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
  0 = C:\Users\admin\Desktop\pg1.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  name = 120
  size = 80
  type = 120
  mtime = 100
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
  name = 256
  size = 80
  psize = 80
  type = 120
Executable files: 43
Suspicious files: 11
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe | (type and hashes not listed)
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\glioma.aspabr | (type not listed)
  MD5 99083617F7139EE9AD5D6B719286AC3A
  SHA256 7CDDF32DE8B02B3ECF42C50DED8593770C5AB96D76247155F28D1D3CC87A541F
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\Acrobat\Acrobat32OL.dll | executable
  MD5 18E5A6296E02EFB842FB3D11CA0C7C63
  SHA256 629B4CEF2C394C6A1FAD37E5AC6F497B3BDAC489270D54F4E98C5DFC925EA883
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\rtl120.bpl | executable
  MD5 ADF82ED333FB5567F8097C7235B0E17F
  SHA256 D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AIDE.dll | executable
  MD5 AD388CE4C2CC3AAFF605994DA782D57E
  SHA256 D3BA1ADBFEEF8F19E4AA570299C06D39A87DFC5FE3D85946270B722E44DACDA7
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AdobeXMP.dll | executable
  MD5 7C3033588C1A187918CF3FD246069A3F
  SHA256 E958F4ED8272A96E599FF9F0A79331E7B5109104A9D20D3F760C7EB162DAF7E0
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\Acrobat\Adobe.Acrobat.Dependencies.manifest | xml
  MD5 7BAE8B27F113F2C1BDC4181B99117FE9
  SHA256 DAE02D5688314C66F9001728EEFF6010E8AF413867DFE4982B6B2C66625D9BB1
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Register.dll | executable
  MD5 40B9628354EF4E6EF3C87934575545F4
  SHA256 372B14FCE2EB35B264F6D4AEEF7987DA56D951D3A09EF866CF55ED72763CAA12
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\libvlccore.dll | executable
  MD5 E25413BB41C2F239FFDD3569F76E74B0
  SHA256 9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29
5908 | more.com | C:\Users\admin\AppData\Local\Temp\uqvyfphgyfun | (type and hashes not listed)
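The EXIF block above shows only the first central-directory entry (carferry.flv, 12 KB), while WinRAR actually unpacks a Setup.exe plus a pile of third-party libraries (a Delphi runtime rtl120.bpl, Acrobat and VLC DLLs) and the oddly named glioma.aspabr, and the counters list 43 executable files. The triage pass below is an added example by the editor (not ANY.RUN code): it reads the whole archive and classifies entries by MZ magic rather than by name, which catches both the decoy-first layout and executables behind non-PE extensions. build_sample_zip() constructs a stand-in for pg1.zip using entry names from the report; the file bodies are invented, and glioma.aspabr is given an MZ header only to exercise the mismatch check (the report does not record that file's type).

```python
"""Static ZIP triage: find PE files by magic bytes, not by extension (editor's example)."""
import io
import ntpath
import zipfile
from typing import Dict

PE_MAGIC = b"MZ"
PE_EXTS = {".exe", ".dll", ".bpl", ".sys", ".scr", ".ocx", ".cpl"}
MEDIA_EXTS = {".flv", ".mp4", ".avi", ".mkv", ".jpg", ".png", ".pdf"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for pg1.zip: names from the report, bodies invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("carferry.flv", b"FLV\x01\x05" + b"\x00" * 200)       # decoy listed first
        z.writestr("Setup.exe", PE_MAGIC + b"\x90" * 300)
        z.writestr("glioma.aspabr", PE_MAGIC + b"\x90" * 300)             # assumed PE, odd extension
        z.writestr("rtl120.bpl", PE_MAGIC + b"\x00" * 300)
        z.writestr("x86/Acrobat/Acrobat32OL.dll", PE_MAGIC + b"\x00" * 300)
        z.writestr("x86/Acrobat/Adobe.Acrobat.Dependencies.manifest",
                   b"<?xml version='1.0'?><assembly/>")
    return buf.getvalue()


def triage_zip(data: bytes) -> Dict[str, object]:
    """Walk the full central directory and sniff the first two bytes of every entry."""
    z = zipfile.ZipFile(io.BytesIO(data))
    infos = [i for i in z.infolist() if not i.is_dir()]
    pe_files, mismatched = [], []
    for info in infos:
        ext = ntpath.splitext(info.filename)[1].lower()
        with z.open(info) as f:
            head = f.read(2)
        if head == PE_MAGIC:
            pe_files.append(info.filename)
            if ext not in PE_EXTS:
                mismatched.append(info.filename)   # executable behind a harmless-looking name
        elif ext in PE_EXTS:
            mismatched.append(info.filename)       # claims to be PE but is not
    first_ext = ntpath.splitext(infos[0].filename)[1].lower() if infos else ""
    return {
        "entries": len(infos),
        "pe_by_magic": len(pe_files),
        "mismatched": mismatched,
        # exiftool-style output reports only the first entry; a media file up front
        # with executables behind it is the decoy layout this sample uses
        "decoy_first": first_ext in MEDIA_EXTS and bool(pe_files),
        "top_level_exe": [n for n in pe_files if "/" not in n and n.lower().endswith(".exe")],
        "total_uncompressed": sum(i.file_size for i in infos),
    }


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

On a real archive, swap build_sample_zip() for the file bytes; the two-byte sniff is deliberately cheap so it can run on every attachment before anything is extracted, and the mismatched list is what to hash and submit first.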
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 54
TCP/UDP connections: 69
DNS requests: 16
Threats: 23

HTTP requests

The CN column reads "unknown" for every row and is omitted; PID/Process is shown only where the report attributes the request.

PID | Process | Method | HTTP code | IP | URL | Type | Size | Reputation
 |  | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping |  |  |
 |  | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL |  |  |
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl |  |  | whitelisted
 |  | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api |  |  | malicious
 |  | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | text | 18 b | malicious
 |  | POST | 200 | 188.114.96.3:443 | https://swipedbakkwo.shop/api | text | 16.6 Kb | malicious
 |  | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | text | 18 b | malicious
 |  | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api |  |  | malicious
 |  | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping |  |  |
 |  | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api |  |  | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
7108 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2424 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown
4412 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown
2384 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2384 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2384 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.16.206
whitelisted
swipedbakkwo.shop
  • 188.114.97.3
  • 188.114.96.3
malicious
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.194
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.76
  • 40.126.32.134
  • 20.190.160.22
whitelisted
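The only non-Microsoft traffic in the HTTP, Connections and DNS sections is a run of POSTs from the two SearchIndexer.exe processes to https://swipedbakkwo.shop/api, a Cloudflare-fronted host (188.114.96.3 and 188.114.97.3) that answers mostly with 18-byte text bodies plus one 16.6 KB reply; that larger reply is the one worth pulling from the PCAP. The script below is an added example by the editor, not ANY.RUN or Emerging Threats code: HTTP_ROWS is constructed from the HTTP requests table (which does not attribute rows to PIDs; the Connections table ties the host to PIDs 2424 and 4412), beacon_candidates() isolates the repeated-POST endpoint, and suricata_rules() emits SNI and DNS rules rather than an http.* rule because the C2 channel is TLS and an HTTP-layer rule would fire only behind a decrypting proxy. The rule text and SIDs are the editor's own, not the ET or ANY.RUN signatures listed under Threats.

```python
"""Beacon-shaped POST traffic from the report and Suricata rules for the host (editor's example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Row = Tuple[str, int, str, str, Optional[int]]   # method, status, peer, url, response bytes

C2 = "https://swipedbakkwo.shop/api"
# Constructed from the HTTP requests table; "16.6 Kb" rounded to bytes, None where no size is shown.
HTTP_ROWS: List[Row] = [
    ("GET", 200, "13.85.23.206:443", "https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping", None),
    ("GET", 304, "4.175.87.197:443",
     "https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0", None),
    ("GET", 200, "184.30.21.171:80",
     "http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl", None),
    ("POST", 200, "188.114.97.3:443", C2, None),
    ("POST", 200, "188.114.97.3:443", C2, 18),
    ("POST", 200, "188.114.96.3:443", C2, 16998),
    ("POST", 200, "188.114.97.3:443", C2, 18),
    ("POST", 200, "188.114.97.3:443", C2, None),
    ("GET", 200, "4.175.87.197:443", "https://slscr.update.microsoft.com/sls/ping", None),
    ("POST", 200, "188.114.97.3:443", C2, None),
]


def beacon_candidates(rows: List[Row], min_posts: int = 3) -> List[Dict[str, object]]:
    """Group POSTs by exact URL. Repeated posts to one endpoint answered by tiny
    bodies (the 18-byte acks here) with an occasional large one is the check-in
    plus tasking shape a stealer leaves behind."""
    by_url: Dict[str, list] = defaultdict(list)
    for method, _status, peer, url, size in rows:
        if method == "POST":
            by_url[url].append((peer.rsplit(":", 1)[0], size))
    out = []
    for url, hits in by_url.items():
        if len(hits) < min_posts:
            continue
        sizes = [s for _, s in hits if s is not None]
        parts = urlsplit(url)
        out.append({
            "host": parts.hostname,
            "path": parts.path,
            "posts": len(hits),
            "ips": sorted({ip for ip, _ in hits}),
            "min_resp": min(sizes) if sizes else None,
            "max_resp": max(sizes) if sizes else None,
        })
    return out


def suricata_rules(host: str, sid_base: int = 9000001) -> List[str]:
    """SNI and DNS rules for a TLS-only C2 host; sid_base is a placeholder local range."""
    return [
        f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Lumma C2 TLS SNI {host}"; '
        f'flow:established,to_server; tls.sni; content:"{host}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{sid_base}; rev:1;)',
        f'alert dns $HOME_NET any -> any any (msg:"Lumma C2 DNS query {host}"; '
        f'dns.query; content:"{host}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{sid_base + 1}; rev:1;)',
    ]


if __name__ == "__main__":
    for cand in beacon_candidates(HTTP_ROWS):
        print(cand)
        for rule in suricata_rules(str(cand["host"])):
            print(rule)
```

The Microsoft update and CRL fetches never cluster into a POST group, so only swipedbakkwo.shop comes out; feed real proxy logs in the same five-tuple shape and raise min_posts to suit the window being examined.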

Threats

Class | Message (PID/Process not shown in this excerpt)
A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection
A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity M2
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin
3 ETPRO signatures available at the full report
No debug info