Malware analysis punk33.zip Malicious activity | ANY.RUN

Add for printing

File name:	punk33.zip
Full analysis:	https://app.any.run/tasks/b6818956-7bdb-450b-854d-2932fb02f456
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 01, 2024, 17:06:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma stealer stealc autoit-loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	E112BE4A8E3FEAE5D5937E1F9314C35D
SHA1:	0102DB1C98A4CC550E5A1F094E8019C1298A5BE5
SHA256:	EDFFDA27CAB787A462783AF40BAD3B3BE859930100F9BB637E7AEA3FA6102ED9
SSDEEP:	196608:gzs/sjwS0sMGwXUrecLcYEipCQ4mZiB597NWv:gz7jwVXm/YQ4mZiB5VNWv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA has been detected (YARA)
  - WinFIG-2024.exe (PID: 5092)
  - BitLockerToGo.exe (PID: 696)
- Connects to the CnC server
  - svchost.exe (PID: 2256)
- LUMMA has been detected (SURICATA)
  - svchost.exe (PID: 2256)
- Actions looks like stealing of personal data
  - BitLockerToGo.exe (PID: 696)
- STEALC has been detected (YARA)
  - BitLockerToGo.exe (PID: 3988)
  - 9YBKCEUD30A550WLYUYS40Q9HB.exe (PID: 4684)
- AutoIt loader has been detected (YARA)
  - Voyuer.pif (PID: 6456)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 5724)
- Contacting a server suspected of hosting an CnC
  - svchost.exe (PID: 2256)
- Executable content was dropped or overwritten
  - BitLockerToGo.exe (PID: 696)
  - cmd.exe (PID: 6828)
  - Voyuer.pif (PID: 6456)
- Starts CMD.EXE for commands execution
  - IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe (PID: 6028)
  - cmd.exe (PID: 6828)
- Executing commands from a ".bat" file
  - IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe (PID: 6028)
- Get information on the list of running processes
  - cmd.exe (PID: 6828)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 6828)
- Application launched itself
  - cmd.exe (PID: 6828)
  - Voyuer.pif (PID: 6456)
- Starts application with an unusual extension
  - cmd.exe (PID: 6828)
  - Voyuer.pif (PID: 6456)
- The executable file from the user directory is run by the CMD process
  - Voyuer.pif (PID: 6456)
- There is functionality for communication over UDP network (YARA)
  - 9YBKCEUD30A550WLYUYS40Q9HB.exe (PID: 4684)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 5724)
- Checks supported languages
  - BitLockerToGo.exe (PID: 696)
  - WinFIG-2024.exe (PID: 5092)
- Checks proxy server information
  - WinFIG-2024.exe (PID: 5092)
- Reads the computer name
  - BitLockerToGo.exe (PID: 696)
  - WinFIG-2024.exe (PID: 5092)
- Reads the software policy settings
  - BitLockerToGo.exe (PID: 696)
- Manual execution by a user
  - cmd.exe (PID: 7144)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:10:01 01:41:26
ZipCRC:	0x1b066484
ZipCompressedSize:	14506686
ZipUncompressedSize:	838085124
ZipFileName:	WinFIG-2024.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

696

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

WinFIG-2024.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

BitLocker To Go Reader

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

880

cmd /c md 10518

C:\Windows\SysWOW64\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

1020

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

1936

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1948

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2608

findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll

2824

C:\Users\admin\AppData\Local\Temp\10518\Voyuer.pif

—

Voyuer.pif

User:

admin

Company:

AutoIt Team

Integrity Level:

MEDIUM

Description:

AutoIt v3 Script

Exit code:

Version:

3, 3, 14, 3

Modules

Images
c:\users\admin\appdata\local\temp\10518\voyuer.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

3988

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

9YBKCEUD30A550WLYUYS40Q9HB.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

BitLocker To Go Reader

Exit code:

3221225477

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

4232

findstr /V "BATHROOMSOFTENPAYCOMMERCIAL" Socket

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

5 809

Read events

5 800

Write events

Delete events

Modification events


(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\punk33.zip
(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3988) BitLockerToGo.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3988) BitLockerToGo.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3988) BitLockerToGo.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5724	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa5724.19065\WinFIG-2024.exe		—
		MD5:—	SHA256:—
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Uniprotkb		binary
		MD5:69D07759583AFA982405CEDF0B879B8E	SHA256:2B3F63621C8AE1EB1BC3DFC4683EC983277AC17AEA03ACECEBC54969A723AB72
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Socket		binary
		MD5:AB55FC08EAEF2F50565980B99511F625	SHA256:5B4799EA6F20B4B5CF53A328E52A7ED1982E0C1A797CEED9F8A05D89985BA3BC
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Delegation		binary
		MD5:E82A72CAE193B8525A968245FE8934CC	SHA256:3D701EA1DDC78F91919E733B8E8992C708A43B40DD58CE46E0500A6684456B06
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Cherry		binary
		MD5:4950C42897E4B4BE654BF6A0D6AD1874	SHA256:83D0683945DCF8275E79D63424F3CF793820B9437A41E239D2BC758E25473110
696	BitLockerToGo.exe	C:\Users\admin\AppData\Local\Temp\9YBKCEUD30A550WLYUYS40Q9HB.exe		executable
		MD5:ACCCB5D6308487DA88B2F05B2F4F6234	SHA256:F188AAF2E67A048F1CFA0AB7758AC80B0E4A1167042F55176E4AC0D273B26744
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Explains		binary
		MD5:D32CBD96F1A1A04DDCC9A1A208FB81E5	SHA256:603230F8180F5D1D68621254976467ACEF4EAED5DD4193AA6C03F7384AD27DD1
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Victor		binary
		MD5:C823E5A74879DA9CBFF89361425B11B3	SHA256:7B39896A8D5A68E5F3DA8EC64F9CEAB3F533D05FDB18754DB5B0A48ED308341B
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Killing		text
		MD5:632076E43FF6F1C2EC3FC59D2AC115C5	SHA256:432A473F21A57610DF93773A79AE94365D6C2B6AA1555123BFDD658A6F28CF2F
6028	IHTJ16X567IR4KA7ZWD9MGCMHYIEXF.exe	C:\Users\admin\AppData\Local\Temp\Www		binary
		MD5:D7DB0C4F504D819DE277753119685589	SHA256:AAF0659F2BFF006009684C04963CE6B4FD996FC341C96E1DB85CE9EA5332DAB4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
512	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1008	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1008	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
2868	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2356	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6928	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4324	svchost.exe	20.72.205.209:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2356	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.72.205.209 51.104.136.2	whitelisted
www.microsoft.com	88.221.169.152 23.52.120.96	whitelisted
google.com	172.217.16.206	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
login.live.com	20.190.159.23 20.190.159.64 20.190.159.0 20.190.159.73 40.126.31.71 20.190.159.68 40.126.31.69 40.126.31.67	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
pianoswimen.shop	—	malicious

Threats

PID	Process	Class	Message
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)
2256	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Add for printing

No debug info

General Info

punk33.zip

E112BE4A8E3FEAE5D5937E1F9314C35D

0102DB1C98A4CC550E5A1F094E8019C1298A5BE5

EDFFDA27CAB787A462783AF40BAD3B3BE859930100F9BB637E7AEA3FA6102ED9

196608:gzs/sjwS0sMGwXUrecLcYEipCQ4mZiB597NWv:gz7jwVXm/YQ4mZiB5VNWv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (YARA)

Connects to the CnC server

LUMMA has been detected (SURICATA)

Actions looks like stealing of personal data

STEALC has been detected (YARA)

AutoIt loader has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Application launched itself

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

There is functionality for communication over UDP network (YARA)

INFO

The process uses the downloaded file

Checks supported languages

Checks proxy server information

Reads the computer name

Reads the software policy settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings