- #IOC #OptiData #VR #Lumma #Stealer #AutoIt #RAR #PWD #EXE
- https://pastebin.com/iJVw4wC8
- previous_contact:
- 25/01/24 https://pastebin.com/pwL5HdeX
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
- attack_vector
- --------------
- email attach .zip1 > (.rar1) PWD or (.rar1+rar2+rar3) PWD > .exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Sat, 27 Jan 2024 08:42:49 +0300
- Subject: Документи за запитом: № 7025816 /2024-01
- From: Безушко Княжослав Олегович <nam@infinitesoft_jp>
- Received: from www671.sakura_ne_jp ([59_106_19_101])
- Received: from fsav114.sakura_ne_jp (fsav114_sakura_ne_jp [27_133_134_241])
- Received: from 119_155_254_78 (hosted-by_saltu-cloud_pro [5_42_92_31] (may be forged))
- Message-Id: <202401270542.40R5fQOV089432@www671_sakura_ne_jp>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 ce3445a8bd61a791913bc2cb02bcb3dea9fc340bf1c984c40cb33ab1a91a2953
- File name doc_scan.zip [Zip archive data, at least v1.0 to extract]
- File size 1022.33 KB (1046871 bytes)
- SHA-256 56e71ade8e141a6f03b7cdd4c9cfe5543362c7ce66cb416f156580a048383011
- File name scan_word.pdf.part1.rar [RAR archive data, v5] !PWD
- File size 434.00 KB (444416 bytes)
- SHA-256 aa44cf74eb3d0a327b89d42df9ca61e0e4c615381dfa049631dc1d7d519547c7
- File name scan_word.pdf.part2.rar [RAR archive data, v5] !PWD
- File size 434.00 KB (444416 bytes)
- SHA-256 eb6ca1d1021b1e49b593551309cbe3b95c3739700e6e8e2ce287faf68087b0b6
- File name scan_word.pdf.part3.rar [RAR archive data, v5] !PWD
- File size 153.33 KB (157006 bytes)
- SHA-256 6a7afd800f236e6bf6cdaa2fc93869daade49c2b5698bbb39c3d8ecc13d0fd9c
- File name scan_word.pdf.exe [PE32 executable, Installer: 7-Zip]
- File size 1.12 MB (1172686 bytes)
- SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
- File name random.pif (AutoIt3.exe) [PE32 executable, C++] AutoIt
- File size 924.59 KB (946784 bytes)
- SHA-256 ddb4e7bd2fe1117d13547d715edc5578f01741d16c4bcd8a2ecb6d5836f4b94a
- File name a [JavaScript] Lumma
- File size 994.14 KB (1017996 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2
- netwrk
- --------------
- DNS 53 DNS Standard query A lDAeTUfEhhsIJHuWMJBUiWmC.lDAeTUfEhhsIJHuWMJBUiWmC
- comp
- --------------
- n/a
- proc
- --------------
- C:\Users\operator\Desktop\3_scan_word.pdf.exe
- "C:\Windows\System32\cmd.exe" /k cmd < Impressed & exit
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c mkdir 9644
- C:\Windows\SysWOW64\cmd.exe /c copy /b Swedish + Pointing + Gotta + Tiles + Curves 9644\Appointed.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Found + Med + Kinds 9644\a
- C:\TEMP\7ZipSfx.000\9644\Appointed.pif 9644\a
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\7ZipSfx.000\*\Appointed.pif
- %temp%\7ZipSfx.000\*\a
- %temp%\7ZipSfx.000\Curves
- %temp%\7ZipSfx.000\Found
- %temp%\7ZipSfx.000\Gotta
- %temp%\7ZipSfx.000\Impressed
- %temp%\7ZipSfx.000\Kinds
- %temp%\7ZipSfx.000\Med
- %temp%\7ZipSfx.000\Pointing
- %temp%\7ZipSfx.000\Swedish
- %temp%\7ZipSfx.000\Tiles
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- VR