Introduction<\/strong><\/em><\/p>\n This diary provides indicators from a Lumma Stealer<\/a> infection that was followed by Sectop RAT<\/a> (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after following the results of one such search. This is a common distribution technique for various families of malware, and I often find Lumma Stealer this way.<\/p>\n In this case, the initial malware for Lumma Stealer was delivered as a password-protected 7-zip archive. The extracted malware is an inflated Windows executable (EXE) file at 806 MB. The EXE is padded with null-bytes (0x00), a technical which increases the EXE size while allowing the compressed archive file to be much smaller. The password-protected archive and inflated EXE file are designed to avoid detection.<\/p>\n Images from the infection<\/strong><\/em><\/p>\n Indicators of Compromise<\/strong><\/em><\/p>\n Example of download link from the site advertising cracked versions of copyright-protected software:<\/p>\n hxxps[:]\/\/incolorand[.]com\/how-visual-patch-enhances-ui-consistency-across-releases\/?utm_source={CID}&utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2%20Espa%C3%B1ol%20[Mega]&utm_content={SUBID1}&utm_medium={SUBID2}<\/span><\/p>\n Example of URL for page with the file download instructions:<\/p>\n hxxps[:]\/\/mega-nz.goldeneagletransport[.]com\/Adobe_Premiere_Pro_%282026%29_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip?c=ABUZ4WkRgQUA_YUCAFVTFwASAAAAAACh&s=360721<\/span><\/p>\n Example of URL for file download from site above site impersonating MEGA:<\/p>\n hxxps[:]\/\/arch.primedatahost3[.]cfd\/auth\/media\/JvWcFd5vUoYTrImvtWQAASTh\/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip<\/span><\/p>\n Downloaded file:<\/p>\n Extracted malware:<\/p>\n Deflated malware:<\/p>\n Lumma Stealer command and control (C2) domains from Triage sandbox analysis:<\/p>\n Follow-up malware:<\/p>\n Example of Sectop RAT C2 traffic from an infected Windows host:<\/p>\n — (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-04-17-ISC-diary-image-01.jpg?ssl=1\")
<\/a>
\nShown above: Example of a page with instructions to download the initial malware file.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-04-17-ISC-diary-image-02.jpg?ssl=1\")
<\/a>
\nShown above: Traffic from the infection filtered in Wireshark.<\/em><\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/2026-04-17-ISC-diary-image-03.jpg?ssl=1\")
<\/a>
\nShown above: Sectop RAT persistent on an infected Windows host.<\/em><\/p>\n\n
\n
\n
\n
\n
\n
\nBradley Duncan
\nbrad [at] malware-traffic-analysis.net<\/p>\n
\n
<\/BR><\/p>\n