VRad

#lumma_270124

Feb 2nd, 2024 (edited)
#IOC #OptiData #VR #Lumma #Stealer #AutoIt #RAR #PWD #EXE

https://pastebin.com/4B3hwvpx

previous_contact:
25/01/24 https://pastebin.com/pwL5HdeX

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

attack_vector
--------------
email attach .zip1 > (.rar1) PWD or (.rar1+rar2+rar3) PWD > .exe > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Sat, 27 Jan 2024 08:42:49 +0300
Subject: Документи за запитом: № 7025816 /2024-01
From: Безушко Княжослав Олегович <nam@ infinitesoft_jp>
Received: from www671_sakura_ne_jp ([59_106_19_101])
Received: from fsav114_sakura_ne_jp (fsav114_sakura_ne_jp [27_133_134_241])
Received: from 119_155_254_78 (hosted-by_saltu-cloud_pro [5_42_92_31] (may be forged))
Message-Id: <202401270542_40R5fQOV089432@ www671_sakura_ne_jp>

# # # # # # # #
files
# # # # # # # #
SHA-256 ce3445a8bd61a791913bc2cb02bcb3dea9fc340bf1c984c40cb33ab1a91a2953
File name doc_scan.zip [Zip archive data, at least v1.0 to extract]
File size 1022.33 KB (1046871 bytes)

SHA-256 56e71ade8e141a6f03b7cdd4c9cfe5543362c7ce66cb416f156580a048383011
File name scan_word.pdf.part1.rar [RAR archive data, v5] !PWD
File size 434.00 KB (444416 bytes)

SHA-256 aa44cf74eb3d0a327b89d42df9ca61e0e4c615381dfa049631dc1d7d519547c7
File name scan_word.pdf.part2.rar [RAR archive data, v5] !PWD
File size 434.00 KB (444416 bytes)

SHA-256 eb6ca1d1021b1e49b593551309cbe3b95c3739700e6e8e2ce287faf68087b0b6
File name scan_word.pdf.part3.rar [RAR archive data, v5] !PWD
File size 153.33 KB (157006 bytes)

SHA-256 6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c
File name scan_word.pdf.exe [PE32 executable, Installer: 7-Zip]
File size 1.12 MB (1172686 bytes)

SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
File name random.pif (AutoIt3.exe) [PE32 executable, C++] AutoIt
File size 924.59 KB (946784 bytes)

SHA-256 ddb4e7bd2fe1117d13547d715edc5578f01741d16c4bcd8a2ecb6d5836f4b94a
File name a [JavaScript] Lumma
File size 994.14 KB (1017996 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach

C2 crisisestimatehealtwh _ site
brickabsorptiondullyi _ site
retainfactorypunishjkw _ site
communicationinchoicer _ site
carvewomanflavourwop _ site
vesselspeedcrosswakew _ site
cooperatecliqueobstac _ site
racerecessionrestrai _ site
braidfadefriendklypk _ site

netwrk
--------------
DNS 53 DNS Standard query A lDAeTUfEhhsIJHuWMJBUiWmC.lDAeTUfEhhsIJHuWMJBUiWmC

comp
--------------
n/a

proc
--------------
C:\Users\operator\Desktop\3_scan_word.pdf.exe
"C:\Windows\System32\cmd.exe" /k cmd < Impressed & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe /c mkdir 9644
C:\Windows\SysWOW64\cmd.exe /c copy /b Swedish + Pointing + Gotta + Tiles + Curves 9644\Appointed.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Found + Med + Kinds 9644\a
C:\TEMP\7ZipSfx.000\9644\Appointed.pif 9644\a
C:\Windows\SysWOW64\PING.EXE -n 5 localhost

persist
--------------
n/a

drop
--------------
%temp%\7ZipSfx.000\*\Appointed.pif
%temp%\7ZipSfx.000\*\a
%temp%\7ZipSfx.000\Curves
%temp%\7ZipSfx.000\Found
%temp%\7ZipSfx.000\Gotta
%temp%\7ZipSfx.000\Impressed
%temp%\7ZipSfx.000\Kinds
%temp%\7ZipSfx.000\Med
%temp%\7ZipSfx.000\Pointing
%temp%\7ZipSfx.000\Swedish
%temp%\7ZipSfx.000\Tiles
# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/ce3445a8bd61a791913bc2cb02bcb3dea9fc340bf1c984c40cb33ab1a91a2953/details
https://www.virustotal.com/gui/file/56e71ade8e141a6f03b7cdd4c9cfe5543362c7ce66cb416f156580a048383011/details
https://www.virustotal.com/gui/file/aa44cf74eb3d0a327b89d42df9ca61e0e4c615381dfa049631dc1d7d519547c7/details
https://www.virustotal.com/gui/file/eb6ca1d1021b1e49b593551309cbe3b95c3739700e6e8e2ce287faf68087b0b6/details
https://www.virustotal.com/gui/file/6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c/details
https://analyze.intezer.com/analyses/aabcb034-7834-4065-a7d1-58ba710dcbbd
https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
https://www.virustotal.com/gui/file/ddb4e7bd2fe1117d13547d715edc5578f01741d16c4bcd8a2ecb6d5836f4b94a/details

VR