- #IOC #OptiData #VR #Lumma #Stealer #AutoIt #RAR #PWD #EXE
- https://pastebin.com/pwL5HdeX
- previous_contact:
- n/a
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
- attack_vector
- --------------
- email attachment .rar1 > password-protected .rar2 (or password-protected multi-volume .rar2 + .rar3 + .rar4) > .exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Thu, 25 Jan 2024 11:57:14 +0300
- Subject: Документи за запитом: № 2390499 /2024-01
- From: Андріїшин Найден Охримович <natsu@mosimon_com>
- Received: from mosimon_com ([124_146_222_175])
- Received: from unknown (HELO 119_155_254_78) (natsu@mosimon_com @ 5_42_92_31)
- ----------------------------------------------------------------
- 2nd sample
- Date: Thu, 25 Jan 2024 14:00:27 +0300
- Subject: Документи за запитом: № 6849451 /2024-01
- From: Замора Ілля Антонович <natsu@mosimon_com>
- Received: from mosimon_com (mosimon_com [124_146_222_175])
- Received: from unknown (HELO 119_155_254_78) (natsu@mosimon_com @ 5_42_92_31)
- Return-Path: <natsu@mosimon_com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9
- File name Документи.rar [RAR archive data, v5]
- File size 1.02 MB (1067546 bytes)
- SHA-256 a66b2bf71ea29ff37099fd38e6d43d2f0846cfdf79678f642968e626903cd48f
- File name doc.pdf.part1.rar [RAR archive data, v5] !PWD
- File size 400.00 KB (409600 bytes)
- SHA-256 9589f2216bd98875663282e2dd85e49d434c0748c0263cb87e1c5f3c2ff0dc7a
- File name doc.pdf.part2.rar [RAR archive data, v5] !PWD
- File size 400.00 KB (409600 bytes)
- SHA-256 a327b3852ad1d9a39a084f8390e9cf2659bd310e0c878cd5e53afe3131c3d29f
- File name doc.pdf.part3.rar [RAR archive data, v5] !PWD
- File size 241.92 KB (247726 bytes)
- SHA-256 fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
- File name doc.pdf.exe [PE32 executable, C++]
- File size 1.10 MB (1149022 bytes)
- SHA-256 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
- File name tour [PE32 executable, C++]
- File size 188.00 KB (192512 bytes)
- SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
- File name Ri.pif [PE32 executable, C++]
- File size 924.59 KB (946784 bytes)
- SHA-256 652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2
- File name d [JavaScript]
- File size 1.13 MB (1187204 bytes)
- ----------------------------------------------------------------
- 2nd sample
- SHA-256 d5b37657d716700bf4fb2f6bac0cf59cd02b38b465c8ef22e51490bfff1a264c
- File name Документи.rar [RAR archive data, v5]
- File size 1.01 MB (1064190 bytes)
- SHA-256 d287cf56c512cf9e14b509dc6dac5757d364eb10cab031b3a7bd6d200ac9800d
- File name Документи.pdf.rar [RAR archive data, v5] !PWD
- File size 1.01 MB (1063838 bytes)
- SHA-256 2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
- File name Документи.pdf.exe [PE32 executable, C++]
- File size 1.09 MB (1140206 bytes)
- SHA-256 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
- File name tour [PE32 executable, C++]
- File size 188.00 KB (192512 bytes)
- SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
- File name Ri.pif [PE32 executable, C++]
- File size 924.59 KB (946784 bytes)
- SHA-256 652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2
- File name d [JavaScript]
- File size 1.13 MB (1187204 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2
- brickabsorptiondullyi _ site
- retainfactorypunishjkw _ site
- communicationinchoicer _ site
- carvewomanflavourwop _ site
- vesselspeedcrosswakew _ site
- cooperatecliqueobstac _ site
- racerecessionrestrai _ site
- braidfadefriendklypk _ site
- crisisestimatehealtwh _ site
- netwrk
- --------------
- n/a
- comp
- --------------
- n/a
- proc
- --------------
- C:\Users\operator\Desktop\3_doc.pdf.exe
- "C:\Windows\System32\cmd.exe" /k cmd < Strings & exit
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I " avastui_ exe avgui_ exe nswscsvc_ exe sophoshealth_ exe "
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe findstr /I " wrsa_ exe "
- C:\Windows\SysWOW64\cmd.exe cmd /c mkdir 24513
- C:\Windows\SysWOW64\cmd.exe copy /b Tour + Wheel + Magical + Sides + Mf + Header 24513\Ri.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Coupons + Her + Decorative 24513\d
- C:\TEMP\7ZipSfx.000\24513\Ri.pif 24513\Ri.pif 24513\d
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- ----------------------------------------------------------------
- 2nd sample
- C:\Users\operator\Desktop\Документи.pdf.exe
- "C:\Windows\System32\cmd.exe" /k cmd < Strings & exit
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I " avastui_ exe avgui_ exe nswscsvc_ exe sophoshealth_ exe "
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I " wrsa_ exe "
- C:\Windows\SysWOW64\cmd.exe /c mkdir 27714
- C:\Windows\SysWOW64\cmd.exe /c copy /b Tour + Wheel + Magical + Sides + Mf + Header 27714\Ri.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Coupons + Her + Decorative 27714\d
- C:\TEMP\7ZipSfx.000\27714\Ri.pif 27714\d
- C:\TEMP\7ZipSfx.000\27714\Ri.pif 27714\d
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\7ZipSfx.000\*\Ri.pif
- %temp%\7ZipSfx.000\*\d
- %temp%\7ZipSfx.000\Her
- %temp%\7ZipSfx.000\Wheel
- %temp%\7ZipSfx.000\Strings
- %temp%\7ZipSfx.000\Coupons
- %temp%\7ZipSfx.000\Decorative
- %temp%\7ZipSfx.000\Tour
- %temp%\7ZipSfx.000\Magical
- %temp%\7ZipSfx.000\Sides
- %temp%\7ZipSfx.000\Header
- %temp%\7ZipSfx.000\Mf
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9/details
- https://www.virustotal.com/gui/file/a66b2bf71ea29ff37099fd38e6d43d2f0846cfdf79678f642968e626903cd48f/details
- https://www.virustotal.com/gui/file/9589f2216bd98875663282e2dd85e49d434c0748c0263cb87e1c5f3c2ff0dc7a/details
- https://www.virustotal.com/gui/file/a327b3852ad1d9a39a084f8390e9cf2659bd310e0c878cd5e53afe3131c3d29f/details
- https://www.virustotal.com/gui/file/fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7/details
- https://analyze.intezer.com/analyses/c4c652c4-831b-4ff4-b679-07f8215ae421
- https://www.virustotal.com/gui/file/7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db/details
- https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
- https://www.virustotal.com/gui/file/652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2/details
- ----------------------------------------------------------------
- 2nd sample
- https://www.virustotal.com/gui/file/d5b37657d716700bf4fb2f6bac0cf59cd02b38b465c8ef22e51490bfff1a264c/details
- https://www.virustotal.com/gui/file/d287cf56c512cf9e14b509dc6dac5757d364eb10cab031b3a7bd6d200ac9800d/details
- https://www.virustotal.com/gui/file/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d/details
- https://analyze.intezer.com/analyses/f023b398-7855-4c84-81d0-6f8ca5d877a7
- https://www.virustotal.com/gui/file/7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db/details
- https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
- https://www.virustotal.com/gui/file/652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2/details
- VR