VRad

#lumma_250124

Jan 25th, 2024 (edited)

#IOC #OptiData #VR #Lumma #Stealer #AutoIt #RAR #PWD #EXE

https://pastebin.com/pwL5HdeX

previous_contact:
n/a

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

attack_vector
--------------
email attach .rar1 > .rar2 (PWD) or .rar2+.rar3+.rar4 (PWD, split into three volumes) > .exe (7-Zip SFX) > C2
(PWD = password-protected archive; indicators below are defanged, an underscore in domains, IPs and process names stands for a dot)

# # # # # # # #
email_headers
# # # # # # # #
Date: Thu, 25 Jan 2024 11:57:14 +0300
Subject: Документи за запитом: № 2390499 /2024-01 (Documents on request: No. 2390499 /2024-01)
From: Андріїшин Найден Охримович <natsu@mosimon_com>
Received: from mosimon_com ([124_146_222_175])
Received: from unknown (HELO 119_155_254_78) (natsu@mosimon_com @ 5_42_92_31)
----------------------------------------------------------------
2nd sample

Date: Thu, 25 Jan 2024 14:00:27 +0300
Subject: Документи за запитом: № 6849451 /2024-01 (Documents on request: No. 6849451 /2024-01)
From: Замора Ілля Антонович <natsu@mosimon_com>
Received: from mosimon_com (mosimon_com [124_146_222_175])
Received: from unknown (HELO 119_155_254_78) (natsu@mosimon_com @ 5_42_92_31)
Return-Path: <natsu@mosimon_com>


# # # # # # # #
files
# # # # # # # #
SHA-256 de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9
File name Документи.rar [RAR archive data, v5]
File size 1.02 MB (1067546 bytes)

SHA-256 a66b2bf71ea29ff37099fd38e6d43d2f0846cfdf79678f642968e626903cd48f
File name doc.pdf.part1.rar [RAR archive data, v5] !PWD
File size 400.00 KB (409600 bytes)

SHA-256 9589f2216bd98875663282e2dd85e49d434c0748c0263cb87e1c5f3c2ff0dc7a
File name doc.pdf.part2.rar [RAR archive data, v5] !PWD
File size 400.00 KB (409600 bytes)

SHA-256 a327b3852ad1d9a39a084f8390e9cf2659bd310e0c878cd5e53afe3131c3d29f
File name doc.pdf.part3.rar [RAR archive data, v5] !PWD
File size 241.92 KB (247726 bytes)

SHA-256 fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
File name doc.pdf.exe [PE32 executable, C++]
File size 1.10 MB (1149022 bytes)

SHA-256 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
File name tour [PE32 executable, C++]
File size 188.00 KB (192512 bytes)

SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
File name Ri.pif [PE32 executable, C++]
File size 924.59 KB (946784 bytes)

SHA-256 652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2
File name d [JavaScript]
File size 1.13 MB (1187204 bytes)
----------------------------------------------------------------
2nd sample

SHA-256 d5b37657d716700bf4fb2f6bac0cf59cd02b38b465c8ef22e51490bfff1a264c
File name Документи.rar [RAR archive data, v5]
File size 1.01 MB (1064190 bytes)

SHA-256 d287cf56c512cf9e14b509dc6dac5757d364eb10cab031b3a7bd6d200ac9800d
File name Документи.pdf.rar [RAR archive data, v5] !PWD
File size 1.01 MB (1063838 bytes)

SHA-256 2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d
File name Документи.pdf.exe [PE32 executable, C++]
File size 1.09 MB (1140206 bytes)

SHA-256 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
File name tour [PE32 executable, C++]
File size 188.00 KB (192512 bytes)

SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
File name Ri.pif [PE32 executable, C++]
File size 924.59 KB (946784 bytes)

SHA-256 652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2
File name d [JavaScript]
File size 1.13 MB (1187204 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach

C2
brickabsorptiondullyi _ site
retainfactorypunishjkw _ site
communicationinchoicer _ site
carvewomanflavourwop _ site
vesselspeedcrosswakew _ site
cooperatecliqueobstac _ site
racerecessionrestrai _ site
braidfadefriendklypk _ site
crisisestimatehealtwh _ site

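The sender domain, relay IPs and C2 domains above are defanged with underscores in place of dots. Added example (not part of the original paste): a Python helper that refangs those values, validates each as an IPv4 address or hostname so a typo in a defanged string does not end up in a block list, and emits Suricata DNS rules for the domains. The underscore-to-dot mapping is assumed from this page's convention (it is not a general standard), and the SID range is an arbitrary local choice.

```python
"""Refang and validate the defanged indicators from the email_headers and C2
sections, then emit Suricata DNS rules for the domains.

Constructed example: the '_' -> '.' mapping is this paste's defang convention
(assumed from values such as 124_146_222_175), not a general standard.
"""
import ipaddress
import re

# Indicators copied from the page, still in defanged form.
PAGE_INDICATORS = [
    "mosimon_com", "124_146_222_175", "119_155_254_78", "5_42_92_31",
    "brickabsorptiondullyi _ site", "retainfactorypunishjkw _ site",
    "communicationinchoicer _ site", "carvewomanflavourwop _ site",
    "vesselspeedcrosswakew _ site", "cooperatecliqueobstac _ site",
    "racerecessionrestrai _ site", "braidfadefriendklypk _ site",
    "crisisestimatehealtwh _ site",
]

# Hostname syntax: dot-separated labels, letters-only TLD, 253 chars max.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Undo common defanging: hxxp, [.], (.), [dot], and this page's ' _ ' / '_'."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    # Caveat: this also rewrites genuine underscores, which this page never
    # uses in an indicator; drop the line for feeds that keep '_' literal.
    v = re.sub(r"\s*_\s*", ".", v)
    return v


def classify(value):
    """Return (kind, refanged) with kind in {'ipv4', 'ipv6', 'domain', 'invalid'}."""
    v = refang(value)
    try:
        ip = ipaddress.ip_address(v)
        return ("ipv4" if ip.version == 4 else "ipv6", v)
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return ("domain", v.lower())
    return ("invalid", v)


def bucket(values):
    """Group refanged indicators by kind, deduplicated and sorted."""
    out = {}
    for value in values:
        kind, v = classify(value)
        out.setdefault(kind, set()).add(v)
    return {k: sorted(vs) for k, vs in out.items()}


def suricata_dns_rules(domains, base_sid=1000000):
    """One alert per domain on the DNS query name; the SID range is an assumption."""
    rules = []
    for n, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Lumma C2 DNS query {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    groups = bucket(PAGE_INDICATORS)
    for kind, values in groups.items():
        print(kind, values)
    print("\n".join(suricata_dns_rules(groups.get("domain", []))))
```

Anything that lands in the "invalid" bucket should be checked by hand before it is pushed to a sensor; the rule output only covers the "domain" bucket, and the relay IPs belong in a separate IP-based rule or a mail-gateway block rather than a DNS rule.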
netwrk
--------------
n/a

comp
--------------
n/a

proc
--------------
C:\Users\operator\Desktop\3_doc.pdf.exe
"C:\Windows\System32\cmd.exe" /k cmd < Strings & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I " avastui_ exe avgui_ exe nswscsvc_ exe sophoshealth_ exe "
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe findstr /I " wrsa_ exe "
C:\Windows\SysWOW64\cmd.exe cmd /c mkdir 24513
C:\Windows\SysWOW64\cmd.exe copy /b Tour + Wheel + Magical + Sides + Mf + Header 24513\Ri.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Coupons + Her + Decorative 24513\d
C:\TEMP\7ZipSfx.000\24513\Ri.pif 24513\Ri.pif 24513\d
C:\Windows\SysWOW64\PING.EXE -n 5 localhost
----------------------------------------------------------------
2nd sample

C:\Users\operator\Desktop\Документи.pdf.exe
"C:\Windows\System32\cmd.exe" /k cmd < Strings & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I " avastui_ exe avgui_ exe nswscsvc_ exe sophoshealth_ exe "
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I " wrsa_ exe "
C:\Windows\SysWOW64\cmd.exe /c mkdir 27714
C:\Windows\SysWOW64\cmd.exe /c copy /b Tour + Wheel + Magical + Sides + Mf + Header 27714\Ri.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Coupons + Her + Decorative 27714\d
C:\TEMP\7ZipSfx.000\27714\Ri.pif 27714\d
C:\TEMP\7ZipSfx.000\27714\Ri.pif 27714\d
  149.  
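The proc section shows the 7-Zip SFX stage end to end: cmd.exe reads its script from a dropped file on stdin (cmd < Strings), tasklist | findstr looks for AV processes, copy /b rebuilds Ri.pif and d from the dropped fragments, the .pif is launched from %temp%\7ZipSfx.000, and ping -n 5 localhost is used as a delay. Added example (not from the original paste): a Python scan over constructed process-creation events modelled on the lines above, refanged so the AV names read avastui.exe rather than avastui_ exe. It flags each of those behaviours and gives a verdict for the chain; the rule names, the verdict threshold and the benign control events are assumptions of this example.

```python
"""Flag the 7-Zip SFX loader behaviours recorded in the proc section.

Constructed example: the events below are modelled on the paste, not copied
from a real EDR export.  Each event is (image path, command line).
"""
import re
from dataclasses import dataclass

# AV/EDR process names the loader greps for (from the findstr lines, refanged).
AV_PROCESSES = ("avastui", "avgui", "nswscsvc", "sophoshealth", "wrsa")
# copy /b targets worth flagging: executable extensions, or no extension at
# all (the sample writes "24513\d", which has none).
EXEC_EXTENSIONS = {"pif", "exe", "com", "scr", "bat", "cmd", "dll"}

RULES = {
    # cmd.exe fed a dropped script on stdin: "cmd < Strings"
    "stdin_script": re.compile(r"\bcmd(?:\.exe)?\s*<\s*\S+", re.I),
    # tasklist | findstr /I "<av process names>"
    "av_enum": re.compile(r'findstr\s+/i\s+"[^"]*\b(?:' + "|".join(AV_PROCESSES) + r")\.exe", re.I),
    # sleep via ping against localhost
    "ping_delay": re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\b", re.I),
}
# copy /b A + B + C <target>: binary concatenation of dropped fragments
COPY_B = re.compile(r"copy\s+/b\s+(\S+(?:\s*\+\s*\S+)+)\s+(\S+)", re.I)
# a .pif started from a 7-Zip SFX extraction directory
SFX_PIF = re.compile(r"\\7ZipSfx\.\d+\\.*\.pif$", re.I)


@dataclass(frozen=True)
class Finding:
    index: int   # position of the event in the input
    rule: str
    detail: str


def scan(events):
    """Return one Finding per (event, rule) hit, in event order."""
    findings = []
    for i, (image, cmdline) in enumerate(events):
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                detail = cmdline
                if rule == "av_enum":
                    detail = ",".join(n for n in AV_PROCESSES
                                      if re.search(rf"\b{n}\.exe\b", cmdline, re.I))
                findings.append(Finding(i, rule, detail))
        m = COPY_B.search(cmdline)
        if m:
            fragments = [p.strip() for p in m.group(1).split("+")]
            target = m.group(2)
            base = target.rsplit("\\", 1)[-1]
            ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
            if ext == "" or ext in EXEC_EXTENSIONS:
                findings.append(Finding(i, "fragment_assembly",
                                        f"{len(fragments)} fragments -> {target}"))
        if SFX_PIF.search(image):
            findings.append(Finding(i, "sfx_pif_exec", image))
    return findings


def summarize(findings):
    """Count hits per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def is_sfx_loader_chain(findings):
    """Assumed verdict: fragment assembly plus at least two other behaviours."""
    rules = {f.rule for f in findings}
    return "fragment_assembly" in rules and len(rules) >= 3


# Constructed from the first sample's proc lines (refanged).
SAMPLE_EVENTS = [
    (r"C:\Users\operator\Desktop\3_doc.pdf.exe", r"C:\Users\operator\Desktop\3_doc.pdf.exe"),
    (r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k cmd < Strings & exit'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I " avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe "'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c mkdir 24513"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Tour + Wheel + Magical + Sides + Mf + Header 24513\Ri.pif"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Coupons + Her + Decorative 24513\d"),
    (r"C:\TEMP\7ZipSfx.000\24513\Ri.pif", r"24513\Ri.pif 24513\d"),
    (r"C:\Windows\SysWOW64\PING.EXE", "PING -n 5 localhost"),
]
# Constructed benign control: copy /b of data files, ping of a host, plain tasklist.
BENIGN_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "cmd /c copy /b part1.bin + part2.bin whole.bin"),
    (r"C:\Windows\System32\PING.EXE", "ping -n 1 fileserver"),
    (r"C:\Windows\System32\tasklist.exe", "tasklist /svc"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.index}: {f.detail}")
    print("loader chain:", is_sfx_loader_chain(scan(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (copy /b and ping -n are common in admin scripts), which is why the verdict needs fragment assembly plus two more of the behaviours from the same process tree; in a SIEM the equivalent is to correlate on the parent process rather than on a flat event list as this example does.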
persist
--------------
n/a


drop
--------------
%temp%\7ZipSfx.000\*\Ri.pif
%temp%\7ZipSfx.000\*\d
%temp%\7ZipSfx.000\Her
%temp%\7ZipSfx.000\Wheel
%temp%\7ZipSfx.000\Strings
%temp%\7ZipSfx.000\Coupons
%temp%\7ZipSfx.000\Decorative
%temp%\7ZipSfx.000\Tour
%temp%\7ZipSfx.000\Magical
%temp%\7ZipSfx.000\Sides
%temp%\7ZipSfx.000\Header
%temp%\7ZipSfx.000\Mf

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9/details
https://www.virustotal.com/gui/file/a66b2bf71ea29ff37099fd38e6d43d2f0846cfdf79678f642968e626903cd48f/details
https://www.virustotal.com/gui/file/9589f2216bd98875663282e2dd85e49d434c0748c0263cb87e1c5f3c2ff0dc7a/details
https://www.virustotal.com/gui/file/a327b3852ad1d9a39a084f8390e9cf2659bd310e0c878cd5e53afe3131c3d29f/details
https://www.virustotal.com/gui/file/fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7/details
https://analyze.intezer.com/analyses/c4c652c4-831b-4ff4-b679-07f8215ae421
https://www.virustotal.com/gui/file/7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db/details
https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
https://www.virustotal.com/gui/file/652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2/details
----------------------------------------------------------------
2nd sample

https://www.virustotal.com/gui/file/d5b37657d716700bf4fb2f6bac0cf59cd02b38b465c8ef22e51490bfff1a264c/details
https://www.virustotal.com/gui/file/d287cf56c512cf9e14b509dc6dac5757d364eb10cab031b3a7bd6d200ac9800d/details
https://www.virustotal.com/gui/file/2afe2fed654c4514265a3d1b0f50cef25b9fc34351887a13d770457ba018492d/details
https://analyze.intezer.com/analyses/f023b398-7855-4c84-81d0-6f8ca5d877a7
https://www.virustotal.com/gui/file/7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db/details
https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
https://www.virustotal.com/gui/file/652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2/details

VR