VRad

#lumma_140224

Feb 14th, 2024 (edited)
#IOC #OptiData #VR #Lumma #Stealer #AutoIT #PWD

https://pastebin.com/5P3sDqtv

previous_contact:
12/02/24 https://pastebin.com/uRwsPe70
31/01/24 https://pastebin.com/0sqGs6aV
30/01/24 https://pastebin.com/pgjwR07Z
27/01/24 https://pastebin.com/4B3hwvpx
25/01/24 https://pastebin.com/pwL5HdeX

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

attack_vector
--------------
email URL > bitbucket > GET .7z > .rar (PWD) > .exe > .pif > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Wed, 14 Feb 2024 14:32:30 +0300
Subject: Запит № 8128430 від: 14.02.2024   (Ukrainian: "Request No. 8128430 from: 14.02.2024")
From: Носковська Ія Жданівна <obaidulkarim@ salvochemical_com>
Reply-To: Іллєнко Яртур Іванович <info@ svenscholten_com>
Received: from server2422_quanticdynamics_cloud ([103_209_40_166])
Received: from [5_42_92_31] (port=53970 helo= DESKTOP - TCRDU4C)

# # # # # # # #
files
# # # # # # # #
SHA-256 9ab215973dfae21dcf34a17846953985db5340305470b4d0e39077d31de2510b
File name Doc.7z

SHA-256 2bfab0128280dc8e548f0bfb7e8ea35e28b20939b649df8c673a1cab2c9c8c45
File name Рахунок на оплату – досудова претензія Medoc.rar   (Ukrainian: "Invoice for payment – pre-trial claim Medoc.rar")

SHA-256 baeced1519471f5b87271beb193b279983078f0bba9ba4daef9af842b3c361b8
File name Рахунок на оплату – досудова претензія Medoc.xls.exe   (same lure name, double extension .xls.exe)

SHA-256 a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
File name MedicationRoy.exe

SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
File name Biography.pif, Supporting.pif, Be.pif   (one hash seen under three names)

SHA-256 412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb
File name vns.exe

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket_org /obmens/file/downloads/ Doc.7z

C2 .site, .fun, .store   (TLDs only; full domains not recorded)

netwrk
--------------
n/a

comp
--------------
n/a

proc
--------------
C:\Users\USER_NAME\Desktop\files1402\Рахунок на оплату – досудова претензія Medoc.xls.exe
"C:\Windows\System32\cmd.exe" /k move Nfl Nfl.bat & Nfl.bat & exit
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe /c md 30936
C:\Windows\SysWOW64\cmd.exe /c copy /b Membership + Unsubscribe + Toilet + Counties + September 30936\Biography.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Howard + Modem + Hostel 30936\A
C:\TEMP\7ZipSfx.000\30936\Biography.pif 30936\A
C:\Windows\SysWOW64\PING.EXE -n 5 localhost
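The proc lines above are the whole staging chain: the .xls.exe is a 7-Zip SFX (note the 7ZipSfx.000 temp dir), it renames an extension-less file to Nfl.bat, the batch checks tasklist output with findstr for AV/EDR process names, concatenates innocuous-looking chunk files with copy /b into Biography.pif (the renamed interpreter) and A (its script), runs Biography.pif with A as argument, then stalls with ping. The Python below is an added example written for this page, not code from the original paste: it classifies process-creation events into those stages and flags the chain when a copy /b destination ending in .pif is later run as a process image, and it replays the logged copy /b commands against an extracted SFX directory to rebuild the dropped files and hash them for comparison with the SHA-256 list above. EVENTS is transcribed from the proc section; the chunk bytes in demo_rebuild() are constructed placeholders, not the real samples, so the hashes it yields will not match the IOC list.

```python
# Added example: detect and replay the SFX -> .bat -> copy /b -> .pif chain.
# EVENTS is transcribed from the paste; chunk bytes below are constructed.
import hashlib
import ntpath
import os
import re
import tempfile

# Constructed process-creation events (image, command line) from the 'proc' section.
EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k move Nfl Nfl.bat & Nfl.bat & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", r"C:\Windows\SysWOW64\tasklist.exe"),
    (r"C:\Windows\SysWOW64\findstr.exe",
     r'C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\findstr.exe", r'C:\Windows\SysWOW64\findstr /I "wrsa.exe opssvc.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c md 30936"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\SysWOW64\cmd.exe /c copy /b Membership + Unsubscribe + Toilet + Counties + September 30936\Biography.pif"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c copy /b Howard + Modem + Hostel 30936\A"),
    (r"C:\TEMP\7ZipSfx.000\30936\Biography.pif", r"C:\TEMP\7ZipSfx.000\30936\Biography.pif 30936\A"),
    (r"C:\Windows\SysWOW64\PING.EXE", r"C:\Windows\SysWOW64\PING.EXE -n 5 localhost"),
]

# AV/EDR process names the batch script greps for (taken from the findstr lines).
AV_NAMES = {"avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe", "wrsa.exe", "opssvc.exe"}
COPY_B = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)

def parse_copy_b(cmdline):
    """Return (source_parts, destination) for 'copy /b a + b + c dest', else None."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split("+")], m.group(2)

def classify(image, cmdline):
    """Map one process event to a stage of the chain, or None if it looks benign."""
    img, low = image.lower(), cmdline.lower()
    if img.endswith("findstr.exe") and any(n in low for n in AV_NAMES):
        return "av_check"        # tasklist | findstr <AV names>
    joined = parse_copy_b(cmdline)
    if joined and len(joined[0]) >= 2:
        return "chunk_join"      # copy /b part1 + part2 + ... dest
    if img.endswith(".pif"):
        return "pif_exec"        # renamed interpreter launched with its script
    if img.endswith("ping.exe") and re.search(r"-n\s+\d+\s+localhost", low):
        return "ping_delay"      # sleep via ping
    if re.search(r"\bmove\s+\S+\s+\S+\.bat\b", low):
        return "bat_rename"      # extension-less file renamed to .bat and run
    return None

def detect_chain(events):
    """Return (flagged, stages): flagged when a copy /b destination ending in
    .pif is later executed as a process image."""
    stages = {}
    for image, cmd in events:
        stage = classify(image, cmd)
        if stage:
            stages.setdefault(stage, []).append(cmd)
    joined = [ntpath.basename(parse_copy_b(c)[1]).lower() for c in stages.get("chunk_join", [])]
    executed = [ntpath.basename(i).lower() for i, _ in events if i.lower().endswith(".pif")]
    return any(j in executed for j in joined), sorted(stages)

def rebuild_from_log(events, sfx_dir):
    """Replay each logged copy /b inside sfx_dir (cmd.exe's working directory
    while the SFX runs) and return {destination: sha256} of the rebuilt files."""
    hashes = {}
    for _, cmd in events:
        parsed = parse_copy_b(cmd)
        if not parsed:
            continue
        parts, dest = parsed
        dest_path = os.path.join(sfx_dir, *dest.split("\\"))
        os.makedirs(os.path.dirname(dest_path), exist_ok=True)
        digest = hashlib.sha256()
        with open(dest_path, "wb") as out:
            for part in parts:   # copy /b is a raw byte concatenation
                with open(os.path.join(sfx_dir, *part.split("\\")), "rb") as src:
                    data = src.read()
                out.write(data)
                digest.update(data)
        hashes[dest] = digest.hexdigest()
    return hashes

def demo_rebuild():
    """Fill a throwaway SFX dir with constructed chunk bytes, replay the copy /b
    commands, and confirm the rebuilt files equal the expected concatenation."""
    chunks = {"Membership": b"MZ\x90\x00", "Unsubscribe": b"\x03\x00", "Toilet": b"\x00\x00",
              "Counties": b"\x04\x00", "September": b"\x00\x00\xff\xff",
              "Howard": b"#NoTrayIcon\r\n", "Modem": b"Sleep(5000)\r\n", "Hostel": b"Exit\r\n"}
    sfx = tempfile.mkdtemp(prefix="7ZipSfx.")
    for name, data in chunks.items():
        with open(os.path.join(sfx, name), "wb") as fh:
            fh.write(data)
    expected = {
        "30936\\Biography.pif": hashlib.sha256(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff").hexdigest(),
        "30936\\A": hashlib.sha256(b"#NoTrayIcon\r\nSleep(5000)\r\nExit\r\n").hexdigest(),
    }
    return rebuild_from_log(EVENTS, sfx) == expected

if __name__ == "__main__":
    print(detect_chain(EVENTS))  # (True, ['av_check', 'bat_rename', 'chunk_join', 'pif_exec', 'ping_delay'])
    print(demo_rebuild())        # True
```

Against a real extraction, point rebuild_from_log at the %temp%\7ZipSfx.000 directory (run the SFX with 7-Zip's -o switch or extract it with 7z x so the chunk files are never executed) and compare the returned digests with the SHA-256 values in the files section; Biography.pif should hash to f58d3a4b... if the chunks are intact. The detection half keys on behaviour rather than the chunk names, which the operator rotates between campaigns.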

persist
--------------
n/a

drop
--------------
%temp%\7ZipSfx.000\30936\Biography.pif
%temp%\7ZipSfx.000\30936\A

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/9ab215973dfae21dcf34a17846953985db5340305470b4d0e39077d31de2510b/details
https://www.virustotal.com/gui/file/2bfab0128280dc8e548f0bfb7e8ea35e28b20939b649df8c673a1cab2c9c8c45/details
https://www.virustotal.com/gui/file/baeced1519471f5b87271beb193b279983078f0bba9ba4daef9af842b3c361b8/details
https://www.virustotal.com/gui/file/a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54/details
https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
https://www.virustotal.com/gui/file/412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb/details


VR
