File name: | pg1.zip |
Full analysis: | https://app.any.run/tasks/c47c9006-c4c5-4420-a158-dac8c2e37b4f |
Verdict: | Malicious activity |
Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
Analysis date: | September 28, 2024, 16:14:20 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
MD5: | 5703B0EAA4147BCA1CC42EB520CECD94 |
SHA1: | 81A96BD47FCFCE4B5378221BDAA8308B6F3B9C40 |
SHA256: | D823025626DF8A35A733A3FE144CBC3059E69C0CA09513490F7B894B72E0DF4B |
SSDEEP: | 98304:ryTfawzTXANteAg36KDn897Gik6YkZAdiAMbb2KnyX1eUHauJStL/9QRK+45QUB8:uqc+3AWzixTmER6fqDXATiQgIN+a8rmU |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | carferry.flv |
---|---|
ZipUncompressedSize: | 12108 |
ZipCompressedSize: | 7434 |
ZipCRC: | 0xeff4cd71 |
ZipModifyDate: | 2024:08:02 06:33:10 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6308 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\pg1.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
1636 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: pdUpdater Exit code: 1 Version: 17.0.0.0 Modules
| |||||||||||||||
4128 | C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe | C:\Users\admin\AppData\Roaming\mtls\CCRLJALMZLDQAJOZJVP\StrCmp.exe | — | Setup.exe | |||||||||||
User: admin Company: aaa Integrity Level: MEDIUM Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
5908 | C:\WINDOWS\SysWOW64\more.com | C:\Windows\SysWOW64\more.com | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4108 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | more.com | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3584 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\pg1.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2424 | C:\WINDOWS\SysWOW64\SearchIndexer.exe | C:\Windows\SysWOW64\SearchIndexer.exe | more.com | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Search Indexer Exit code: 0 Version: 7.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
1928 | "C:\Users\admin\Desktop\Setup.exe" | C:\Users\admin\Desktop\Setup.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: pdUpdater Exit code: 1 Version: 17.0.0.0 Modules
| |||||||||||||||
6216 | C:\WINDOWS\SysWOW64\more.com | C:\Windows\SysWOW64\more.com | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: More Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3256 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | more.com | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\pg1.zip | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
Operation: | write | Name: | name |
Value: 256 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
Operation: | write | Name: | psize |
Value: 80 | |||
(PID) Process: | (6308) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
Operation: | write | Name: | type |
Value: 120 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Setup.exe | — | |
MD5:— | SHA256:— | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\glioma.asp | abr | |
MD5:99083617F7139EE9AD5D6B719286AC3A | SHA256:7CDDF32DE8B02B3ECF42C50DED8593770C5AB96D76247155F28D1D3CC87A541F | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\Acrobat\Acrobat32OL.dll | executable | |
MD5:18E5A6296E02EFB842FB3D11CA0C7C63 | SHA256:629B4CEF2C394C6A1FAD37E5AC6F497B3BDAC489270D54F4E98C5DFC925EA883 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\rtl120.bpl | executable | |
MD5:ADF82ED333FB5567F8097C7235B0E17F | SHA256:D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AIDE.dll | executable | |
MD5:AD388CE4C2CC3AAFF605994DA782D57E | SHA256:D3BA1ADBFEEF8F19E4AA570299C06D39A87DFC5FE3D85946270B722E44DACDA7 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\AdobeXMP.dll | executable | |
MD5:7C3033588C1A187918CF3FD246069A3F | SHA256:E958F4ED8272A96E599FF9F0A79331E7B5109104A9D20D3F760C7EB162DAF7E0 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\x86\Acrobat\Adobe.Acrobat.Dependencies.manifest | xml | |
MD5:7BAE8B27F113F2C1BDC4181B99117FE9 | SHA256:DAE02D5688314C66F9001728EEFF6010E8AF413867DFE4982B6B2C66625D9BB1 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\Register.dll | executable | |
MD5:40B9628354EF4E6EF3C87934575545F4 | SHA256:372B14FCE2EB35B264F6D4AEEF7987DA56D951D3A09EF866CF55ED72763CAA12 | |||
6308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6308.39087\libvlccore.dll | executable | |
MD5:E25413BB41C2F239FFDD3569F76E74B0 | SHA256:9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29 | |||
5908 | more.com | C:\Users\admin\AppData\Local\Temp\uqvyfphgyfun | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | unknown | — | — | malicious |
— | — | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | unknown | text | 18 b | malicious |
— | — | POST | 200 | 188.114.96.3:443 | https://swipedbakkwo.shop/api | unknown | text | 16.6 Kb | malicious |
— | — | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | unknown | text | 18 b | malicious |
— | — | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | unknown | — | — | malicious |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | — |
— | — | POST | 200 | 188.114.97.3:443 | https://swipedbakkwo.shop/api | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7108 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2424 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown |
4412 | SearchIndexer.exe | 188.114.97.3:443 | swipedbakkwo.shop | CLOUDFLARENET | NL | unknown |
2384 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2384 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2384 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
swipedbakkwo.shop |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity M2 |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |