VRad

#lumma_150224

Feb 15th, 2024 (edited)
#IOC #OptiData #VR #Lumma #Stealer #AutoIT #PWD

https://pastebin.com/vpDE6XWD

previous_contact:
14/02/24 https://pastebin.com/5P3sDqtv
12/02/24 https://pastebin.com/uRwsPe70
31/01/24 https://pastebin.com/0sqGs6aV
30/01/24 https://pastebin.com/pgjwR07Z
27/01/24 https://pastebin.com/4B3hwvpx
25/01/24 https://pastebin.com/pwL5HdeX

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

attack_vector
--------------
email with link > Google Drive or Bitbucket > GET .7z > .rar (1st) > .rar (2nd, password-protected) > .exe (7-Zip SFX) > .pif > C2
  19.  
# # # # # # # #
email_headers
# # # # # # # #
Date: Thu, 15 Feb 2024 01:51:18 -0800
Subject: Запит № 228994895 від: 15.02.2024   (Ukrainian: "Request No. 228994895 dated: 15.02.2024")
From: Ерстенюк Чеслава Юхимівна <design@ ph_clearpack_com>
Received: from outbound - ip22b_ess_barracuda_com ([209_222_82_219])
Received: from mail_clearpack_com (mail_clearpack_com [103_25_131_178])
Message-Id: <20240215095010_20BD32B8A80F@ mail_clearpack_com>

Date: Thu, 15 Feb 2024 02:20:52 -0800
Subject: СБУ- 6002872 \2024-02   (Ukrainian: "SBU- 6002872 \2024-02"; SBU = Security Service of Ukraine)
From: 'Доманицький Хорив Іванович' via Office <office@ victim_gov_ua>
Reply-To: Даньковський Юлій Жданович <evgeniy_kuzmishen@ idmedia_com.ua>
Received: from mail - sor - f69_google_com (mail - sor - f69_google_com [209_85_220_69]) by mx_google_com
Received: from mail_els24_com (mail01_els24_com [141_101_239_212]) by mx_google_com
Message-Id: <20240215102052_0668913B3516@ mail_els24_com>
note: in the 2nd mail the From is the victim's own office address relayed "via Office" (Google group), while Reply-To points to an external mailbox; the real origin is the mail_els24_com hop.
  37.  
# # # # # # # #
files
# # # # # # # #
SHA-256 a9c372b5a7caeea4a89a502deff9752b2d3437238f241dba324b3b54d78331e4
File name Doc.7z

SHA-256 c4d3d4f7fd181264f85bd14edf16d39e26f1d2cdeab267d057b4efe81f4ec923
File name Запит.rar

SHA-256 c506a8b6fc98b95040ad63d3c6a08bb2d315e7098d13f96b48f8c90faf752e6c
File name Запит.rar

SHA-256 7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2
File name Запит_doc.docx.exe

2nd_sample

SHA-256 f67ecc6585e3634f3bc05e1a3f7d6698882a78424fd963e2851d1edf5c8dfcb0
File name Запит_doc.7z

SHA-256 760e3a7a0dd4bd282b22688d62e3f13bea26040c2fbf437f81b3c5fc7f113c20
File name Запит.rar

SHA-256 338565a2b04dc3a7fe4776cdfc6c2772f2daf1ab173d17063534230b7ff9d374
File name Запит.rar

SHA-256 43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79
File name Запит.docx.exe
  66.  
# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket_org/ files-gov-ua/files/downloads/ Doc.7z
drive_google_com /file/d/1m3FYRaFyPeaPmE3HWWwlpkWGfVQ-LrDL /view?usp=drive_link

2nd_sample
drive_google_com /file/d/1EhsI012f2GsnhE39VQzg0uMLVwwXKwgu /view?usp=sharing

C2 TLDs observed: .site, .fun, .store, .pw

netwrk
--------------
53 DNS Standard query 0x1183 A iRyTtqAraRuJNRwVVJRjf_iRyTtqAraRuJNRwVVJRjf

2nd_sample

53 DNS Standard query 0xe180 A zYtuPGicYdEjhDbueLDSb_zYtuPGicYdEjhDbueLDSb

comp
--------------
n/a
  90.  
proc
--------------
C:\Users\operator\Desktop\Запит_doc.docx.exe
C:\Windows\SysWOW64\cmd.exe /k move Quantity Quantity.bat & Quantity.bat & e
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe /c md 3154
C:\Windows\SysWOW64\cmd.exe /c copy /b Decline + Differ + Monroe + Cave + Genome + Walter 3154\Yields.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Chapters + Regulatory + Prague 3154\j
C:\TEMP\7ZipSfx.000\3154\Yields.pif 3154\j
C:\Windows\SysWOW64\PING.EXE -n 5 localhost

2nd_sample

C:\Users\operator\Desktop\Запит.docx.exe
C:\Windows\SysWOW64\cmd.exe /k move Ranked Ranked.bat & Ranked.bat & exit
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe /c md 2910
C:\Windows\SysWOW64\cmd.exe /c copy /b Miracle + Incomplete + Handbags + Pound + Remind + Previously 2910\Mrna.pif
C:\Windows\SysWOW64\cmd.exe /c copy /b Holocaust + Tonight + Narrative 2910\u
C:\TEMP\7ZipSfx.000\2910\Mrna.pif 2910\u
C:\Windows\SysWOW64\PING.EXE -n 5 localhost
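The proc and netwrk sections above give a chain that is easy to hunt for in process-creation and DNS telemetry: a payload renamed to .bat and run, tasklist/findstr checks for AV processes, copy /b reassembling fragments into a .pif plus an extensionless script, the .pif launched out of %temp%\7ZipSfx.000, PING -n localhost used as a sleep, and an A query whose label is a random string repeated around an underscore. The following is an added example, not part of this paste and not the analyst's tooling: a Python hunt script run over constructed Sysmon-style events rebuilt from the command lines and the query shown above. The event schema, the rule names and the 3-rule threshold are assumptions for illustration; the AV process names, directory names and file names are taken from the paste.

```python
import re

# Constructed Sysmon-style telemetry (NOT captured from the samples): process creations
# and DNS queries rebuilt from the command lines and the query in the sections above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\operator\Desktop\Запит_doc.docx.exe",
     "cmdline": r"C:\Users\operator\Desktop\Запит_doc.docx.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /k move Quantity Quantity.bat & Quantity.bat & exit"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": r'findstr /I "wrsa.exe opssvc.exe"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"cmd.exe /c md 3154"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b Decline + Differ + Monroe + Cave + Genome + Walter 3154\Yields.pif"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b Chapters + Regulatory + Prague 3154\j"},
    {"type": "process", "image": r"C:\TEMP\7ZipSfx.000\3154\Yields.pif",
     "cmdline": r"C:\TEMP\7ZipSfx.000\3154\Yields.pif 3154\j"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": r"PING.EXE -n 5 localhost"},
    {"type": "dns", "query": "iRyTtqAraRuJNRwVVJRjf_iRyTtqAraRuJNRwVVJRjf"},
    # benign noise that must not fire: a two-part copy /b and an ordinary lookup
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy /b part1 + part2 merged.bin"},
    {"type": "dns", "query": "www.example.com"},
]

# AV processes the batch looks for (taken from the findstr command lines above).
AV_PROCS = {"avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe",
            "wrsa.exe", "opssvc.exe"}


def _cmd(e):
    return e.get("cmdline", "")


# Each rule is one observable stage of the loader; names are illustrative.
RULES = {
    # "move X X.bat & X.bat": payload renamed to .bat and executed in one cmd line
    "rename_payload_to_bat_and_run": lambda e: e["type"] == "process" and bool(
        re.search(r"\bmove\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat\b", _cmd(e), re.I)),
    # findstr looking for known AV GUI/service process names (after tasklist)
    "av_process_enumeration": lambda e: e["type"] == "process"
        and e["image"].lower().endswith("findstr.exe")
        and any(p in _cmd(e).lower() for p in AV_PROCS),
    # copy /b with three or more fragments: binary reassembly of a split payload
    "copy_b_multi_fragment_concat": lambda e: e["type"] == "process" and bool(
        re.search(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+){2,}\s+\S+", _cmd(e), re.I)),
    # a .pif executed from a 7-Zip SFX extraction directory under %temp%
    "pif_executed_from_7zipsfx_temp": lambda e: e["type"] == "process" and bool(
        re.search(r"\\7zipsfx\.\d{3}\\.*\.pif$", e["image"], re.I)),
    # PING -n <count> localhost used as a delay
    "ping_localhost_as_sleep": lambda e: e["type"] == "process" and bool(
        re.match(r"(?:.*\\)?ping(?:\.exe)?\s+-n\s+\d+\s+localhost\b", _cmd(e), re.I)),
    # A query for <random>_<same random>: the doubled-label pattern in the netwrk section
    "dns_doubled_random_label": lambda e: e["type"] == "dns" and bool(
        re.fullmatch(r"([A-Za-z]{12,})_\1", e["query"])),
}


def scan(events):
    """Return {rule_name: [event indexes]} for every rule that fired."""
    hits = {}
    for i, e in enumerate(events):
        for name, pred in RULES.items():
            if pred(e):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(events, min_rules=3):
    """Flag a host when at least min_rules distinct stages are seen (threshold is an assumption)."""
    hits = scan(events)
    return len(hits) >= min_rules, sorted(hits)


if __name__ == "__main__":
    flagged, rules = verdict(SAMPLE_EVENTS)
    print("flagged:", flagged, "rules:", rules)
```

Single rules such as copy /b or PING -n localhost are noisy on their own; scoring the distinct stages seen on one host within a short window is what keeps the false-positive rate usable. The DNS rule alone is a good pivot: a label repeated around an underscore is not something legitimate software resolves.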
  118.  
persist
--------------
n/a

drop
--------------
%temp%\7ZipSfx.000\3154\Yields.pif
%temp%\7ZipSfx.000\3154\j

2nd_sample

%temp%\7ZipSfx.000\2910\Mrna.pif
%temp%\7ZipSfx.000\2910\u

# # # # # # # #
additional info
# # # # # # # #
n/a
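The attack_vector and drop sections describe a 7-Zip SFX that unpacks to %temp%\7ZipSfx.000 and a batch that rebuilds the two dropped files from innocuously named fragments with copy /b. When triaging such a drop, the fragments are usually what you recover from the extraction directory, so it helps to reassemble them exactly as copy /b does and then check what came out. The following is an added example, not part of this paste: Python reproducing copy /b's ordered binary concatenation on constructed stand-in fragments and triaging the results (MZ/PE check for the .pif, the compiled AutoIt v3 script marker "AU3!EA06" for the extensionless file). The fragment contents are constructed here, not the real samples; reading the .pif as a renamed AutoIt interpreter and j/u as an .a3x script is consistent with the #AutoIT tag but is an assumption of this example.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# Marker carried by compiled AutoIt v3 scripts (.a3x and scripts embedded in AutoIt3.exe).
# Its presence in the extensionless "j"/"u" file is the hint that the .pif is the interpreter.
AU3_MARKER = b"AU3!EA06"


def copy_b(fragments, target):
    """Reproduce `cmd /c copy /b a + b + c target`: raw byte concatenation, in order."""
    target = Path(target)
    with target.open("wb") as out:
        for frag in fragments:
            out.write(Path(frag).read_bytes())
    return target


def is_pe(data):
    """MZ stub plus 'PE\\0\\0' at e_lfanew; the extension (.pif) is irrelevant to the loader."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(path):
    """Size, SHA-256 (to pivot to VT), PE check and AutoIt marker check for one rebuilt file."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "pe": is_pe(data), "au3": AU3_MARKER in data}


def build_demo(workdir):
    """Constructed stand-ins (NOT the real samples): a minimal PE header split across six
    fragments, and a script blob carrying the AU3 marker split across three, using the
    fragment and output names from the first sample's command lines."""
    wd = Path(workdir)
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)      # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    script = b"\x00" * 16 + AU3_MARKER + b"<compiled script body>"

    def split(blob, names):
        chunk = -(-len(blob) // len(names))      # ceil division
        paths = []
        for i, name in enumerate(names):
            p = wd / name
            p.write_bytes(bytes(blob[i * chunk:(i + 1) * chunk]))
            paths.append(p)
        return paths

    pif_parts = split(pe, ["Decline", "Differ", "Monroe", "Cave", "Genome", "Walter"])
    scr_parts = split(script, ["Chapters", "Regulatory", "Prague"])
    sub = wd / "3154"
    sub.mkdir()
    return copy_b(pif_parts, sub / "Yields.pif"), copy_b(scr_parts, sub / "j")


def run_demo():
    """Rebuild both drops in a scratch directory and return their triage records."""
    with tempfile.TemporaryDirectory() as d:
        pif, scr = build_demo(d)
        return triage(pif), triage(scr)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

On a real extraction directory, replace build_demo with the fragment list from the copy /b command line (order matters; copy /b does not sort) and compare the SHA-256 of the rebuilt .pif with the hashes in the VT section. A .pif that is a valid PE with no AutoIt marker, next to an extensionless file that has the marker, matches the interpreter-plus-script split this chain uses.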
  137.  
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/a9c372b5a7caeea4a89a502deff9752b2d3437238f241dba324b3b54d78331e4/details
https://www.virustotal.com/gui/file/c4d3d4f7fd181264f85bd14edf16d39e26f1d2cdeab267d057b4efe81f4ec923/details
https://www.virustotal.com/gui/file/c506a8b6fc98b95040ad63d3c6a08bb2d315e7098d13f96b48f8c90faf752e6c/details
https://www.virustotal.com/gui/file/7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2/details

2nd_sample

https://www.virustotal.com/gui/file/f67ecc6585e3634f3bc05e1a3f7d6698882a78424fd963e2851d1edf5c8dfcb0/details
https://www.virustotal.com/gui/file/760e3a7a0dd4bd282b22688d62e3f13bea26040c2fbf437f81b3c5fc7f113c20/details
https://www.virustotal.com/gui/file/338565a2b04dc3a7fe4776cdfc6c2772f2daf1ab173d17063534230b7ff9d374/details
https://www.virustotal.com/gui/file/43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79/details

VR