Lumma Stealer infection with Sectop RAT (ArechClient2), (Fri, Apr 17th)

Introduction This diary provides indicators from a Lumma Stealer infection that was followed by Sectop RAT (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after following the results of one such search. This is a common distribution technique for various families of malware, and I often find Lumma Stealer this way. In this case, the initial malware for Lumma Stealer was delivered as a password-protected 7-zip archive. The extracted malware is an inflated Windows executable (EXE) file at 806 MB. The EXE is padded with null-bytes (0x00), a technical which increases the EXE size while allowing the compressed archive file to be much smaller. The password-protected archive and inflated EXE file are designed to avoid detection. Images from the infection Shown above: Example of a page with instructions to download the initial malware file. Shown above: Traffic from the infection filtered in Wireshark. Shown above: Sectop RAT persistent on an infected Windows host. Indicators of Compromise Example of download link from the site advertising cracked versions of copyright-protected software: hxxps[:]//incolorand[.]com/how-visual-patch-enhances-ui-consistency-across-releases/?utm_source={CID} utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2%20Espa%C3%B1ol%20[Mega] utm_content={SUBID1} utm_medium={SUBID2} Example of URL for page with the file download instructions: hxxps[:]//mega-nz.goldeneagletransport[.]com/Adobe_Premiere_Pro_%282026%29_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip?c=ABUZ4WkRgQUA_YUCAFVTFwASAAAAAACh s=360721 Example of URL for file download from site above site impersonating MEGA: hxxps[:]//arch.primedatahost3[.]cfd/auth/media/JvWcFd5vUoYTrImvtWQAASTh/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip Downloaded file: SHA256 hash: c7489e3bf546c5f2d958ac833cc7dbca4368dfba03a792849bc99c48a6b2a14f File size: 3,888,051 bytes File name: adobe_premiere_pro_(2026)_full_v26.0.2_espan?ol_[mega].7z File type: 7-zip archive data, version 0.4 File description: Password-protected 7-zip archive Password: 6919 Extracted malware: SHA256 hash: 4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923 File size: 806,127,604 bytes File name: appFile.exe File type: PE32 executable (GUI) Intel 80386, for MS Windows File description: Inflated Windows EXE file for Lumma Stealer, padded with null-bytes Deflated malware: SHA256 hash: 353ddce78d58aef2083ca0ac271af93659cf0039b0b29d0d169fc015bd3610bc File size: 7,114,156 bytes File type: PE32 executable (GUI) Intel 80386, for MS Windows File description: Above appFile.exe with most of null-byte padding removed Any.Run sandbox analysis Triage sandbox analysis Lumma Stealer command and control (C2) domains from Triage sandbox analysis: cankgmr[.]cyou carytui[.]vu decrnoj[.]club genugsq[.]best longmbx[.]click mushxhb[.]best pomflgf[.]vu strikql[.]shop ulmudhw[.]shop Follow-up malware: SHA256 hash: d9b576eb6827f38e33ed