File name:	VIRUSES.zip
Full analysis:	https://app.any.run/tasks/78d0fce4-7cc4-499a-9e2c-284a239ba2d6
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 19:58:30
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec telegram vidar stealer auto-sch lumma stealc
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	45A71F5F24F1E1B3B0B717C1DE6D0167
SHA1:	4D9807BE2DD263C075D409C8E6246CCE23558D14
SHA256:	DA3E4EA2FF5C13C721B5B4A0FC20D52E528699146E1548E8765EE785FD22588A
SSDEEP:	98304:nrDNAD1S/zj72Ywgw/I1K2J9B+bQNHbMyCpodCQu2jdjZ2mhRgolBhKxsgA6nTmo:aVYMWIFWX+

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:04:29 18:22:56
ZipCRC:	0xe93fea9d
ZipCompressedSize:	1293173
ZipUncompressedSize:	1297920
ZipFileName:	chel.exe


(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\VIRUSES.zip
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2108) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1111a1.TMP		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1111a1.TMP		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1111b0.TMP		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF1111b0.TMP		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1111cf.TMP		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
5800	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	149.154.167.99:443	https://t.me/m00f3r	unknown	—	—	—
2104	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	5.75.209.111:443	https://66.44.4t.com/	unknown	—	—	—
—	—	POST	200	188.114.97.3:443	https://lucticiq.run/tqwu	unknown	binary	69 b	—
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	69 b	malicious
—	—	POST	200	172.67.190.162:443	https://zenithcorde.top/auid	unknown	binary	69 b	malicious
—	—	POST	200	104.21.51.232:443	https://zenithcorde.top/auid	unknown	binary	69 b	malicious
—	—	POST	200	188.114.96.3:443	https://lucticiq.run/tqwu	unknown	binary	69 b	—
—	—	POST	200	5.75.209.111:443	https://66.44.4t.com/	unknown	text	2 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6816	fir.exe	149.154.167.99:443	t.me	Telegram Messenger Inc	GB	whitelisted
6816	fir.exe	5.75.209.111:443	66.44.4t.com	Hetzner Online GmbH	DE	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
t.me	149.154.167.99	whitelisted
66.44.4t.com	5.75.209.111	malicious
lucticiq.run	188.114.97.3 188.114.96.3	unknown
bearjk.live	—	malicious
zenithcorde.top	104.21.51.232 172.67.190.162	malicious
clientservices.googleapis.com	142.250.186.35	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
—	—	Misc activity	ET INFO Observed Telegram Domain (t .me in TLS SNI)
—	—	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (zenithcorde .top)
—	—	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bearjk .live)
—	—	A Network Trojan was detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
—	—	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

General Info

VIRUSES.zip

45A71F5F24F1E1B3B0B717C1DE6D0167

4D9807BE2DD263C075D409C8E6246CCE23558D14

DA3E4EA2FF5C13C721B5B4A0FC20D52E528699146E1548E8765EE785FD22588A

98304:nrDNAD1S/zj72Ywgw/I1K2J9B+bQNHbMyCpodCQu2jdjZ2mhRgolBhKxsgA6nTmo:aVYMWIFWX+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Uses Task Scheduler to run other applications

VIDAR mutex has been found

Connects to the CnC server

LUMMA has been detected (SURICATA)

LUMMA mutex has been found

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Contacting a server suspected of hosting an CnC

Searches for installed software

The process executes via Task Scheduler

Executing commands from a ".bat" file

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Manual execution by a user

Process checks computer location settings

Auto-launch of the file from Task Scheduler

Attempting to use instant messaging service

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Application launched itself

Reads product name

Reads Environment values

Reads CPU info

Executable content was dropped or overwritten

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity