- #IOC #OptiData #VR #Lumma #Stealer #AutoIT #PWD
- https://pastebin.com/vpDE6XWD
- previous_contact:
- 14/02/24 https://pastebin.com/5P3sDqtv
- 12/02/24 https://pastebin.com/uRwsPe70
- 31/01/24 https://pastebin.com/0sqGs6aV
- 30/01/24 https://pastebin.com/pgjwR07Z
- 27/01/24 https://pastebin.com/4B3hwvpx
- 25/01/24 https://pastebin.com/pwL5HdeX
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
- attack_vector
- --------------
- email URL > GDrive or bitbucket > GET .7z > .rar1 > .rar2 (PWD) > .exe > .pif > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Thu, 15 Feb 2024 01:51:18 -0800
- Subject: Запит № 228994895 від: 15.02.2024
- From: Ерстенюк Чеслава Юхимівна <design@ ph_clearpack_com>
- Received: from outbound - ip22b_ess_barracuda_com ([209_222_82_219])
- Received: from mail_clearpack_com (mail_clearpack_com [103_25_131_178])
- Message-Id: <20240215095010_20BD32B8A80F@ mail_clearpack_com>
- Date: Thu, 15 Feb 2024 02:20:52 -0800
- Subject: СБУ- 6002872 \2024-02
- From: 'Доманицький Хорив Іванович' via Office <office@ victim_gov_ua>
- Reply-To: Даньковський Юлій Жданович <evgeniy_kuzmishen@ idmedia_com.ua>
- Received: from mail - sor - f69_google_com (mail - sor - f69_google_com [209_85_220_69]) by mx_google_com
- Received: from mail_els24_com (mail01_els24_com [141_101_239_212]) by mx_google_com
- Message-Id: <20240215102052_0668913B3516@ mail_els24_com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 a9c372b5a7caeea4a89a502deff9752b2d3437238f241dba324b3b54d78331e4
- File name Doc.7z
- SHA-256 c4d3d4f7fd181264f85bd14edf16d39e26f1d2cdeab267d057b4efe81f4ec923
- File name Запит.rar
- SHA-256 c506a8b6fc98b95040ad63d3c6a08bb2d315e7098d13f96b48f8c90faf752e6c
- File name Запит.rar
- SHA-256 7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2
- File name Запит_doc.docx.exe
- 2nd_sample
- SHA-256 f67ecc6585e3634f3bc05e1a3f7d6698882a78424fd963e2851d1edf5c8dfcb0
- File name Запит_doc.7z
- SHA-256 760e3a7a0dd4bd282b22688d62e3f13bea26040c2fbf437f81b3c5fc7f113c20
- File name Запит.rar
- SHA-256 338565a2b04dc3a7fe4776cdfc6c2772f2daf1ab173d17063534230b7ff9d374
- File name Запит.rar
- SHA-256 43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79
- File name Запит.docx.exe
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR bitbucket_org/ files-gov-ua/files/downloads/ Doc.7z
- drive_google_com /file/d/1m3FYRaFyPeaPmE3HWWwlpkWGfVQ-LrDL /view?usp=drive_link
- 2nd_sample
- drive_google_com /file/d/1EhsI012f2GsnhE39VQzg0uMLVwwXKwgu /view?usp=sharing
- C2 .site , .fun , .store , .pw
- netwrk
- --------------
- 53 DNS Standard query 0x1183 A iRyTtqAraRuJNRwVVJRjf_iRyTtqAraRuJNRwVVJRjf
- 2nd_sample
- 53 DNS Standard query 0xe180 A zYtuPGicYdEjhDbueLDSb_zYtuPGicYdEjhDbueLDSb
- comp
- --------------
- n/a
- proc
- --------------
- C:\Users\operator\Desktop\Запит_doc.docx.exe
- C:\Windows\SysWOW64\cmd.exe /k move Quantity Quantity.bat & Quantity.bat & e
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 3154
- C:\Windows\SysWOW64\cmd.exe /c copy /b Decline + Differ + Monroe + Cave + Genome + Walter 3154\Yields.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Chapters + Regulatory + Prague 3154\j
- C:\TEMP\7ZipSfx.000\3154\Yields.pif 3154\j
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- 2nd_sample
- C:\Users\operator\Desktop\Запит.docx.exe
- C:\Windows\SysWOW64\cmd.exe /k move Ranked Ranked.bat & Ranked.bat & exit
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 2910
- C:\Windows\SysWOW64\cmd.exe /c copy /b Miracle + Incomplete + Handbags + Pound + Remind + Previously 2910\Mrna.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Holocaust + Tonight + Narrative 2910\u
- C:\TEMP\7ZipSfx.000\2910\Mrna.pif 2910\u
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
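An added detection example, not part of the paste: Python that scores process-creation events against the stages of the execution chain listed above (file renamed to .bat and run, tasklist/findstr check for AV processes, copy /b reassembly of chunks into a .pif, .pif launched from the 7ZipSfx temp directory). The sample events are constructed from the command lines in this paste; the event format, rule names and the "three distinct stages" threshold are assumptions.

```python
import re

# Process names the paste shows findstr /I being used to look for (AV/EDR components).
AV_NAMES = {"avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe", "wrsa.exe", "opssvc.exe"}

# Each rule keys on one stage of the chain visible in the process list above.
RULES = {
    # cmd /k move <x> <x>.bat & <x>.bat : renaming a dropped file to .bat and running it
    "move_to_bat": re.compile(r"\bmove\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", re.I),
    # copy /b a + b + ... <dir>\<name>.pif : reassembling the payload from chunks
    "copy_b_to_pif": re.compile(r"\bcopy\s+/b\b.*\+.*\.pif\b", re.I),
}
# A .pif launched from a 7-Zip SFX extraction directory (7ZipSfx.NNN) under the temp folder.
SFX_PIF_IMAGE = re.compile(r"\\7ZipSfx\.\d+\\.*\.pif$", re.I)


def classify(image: str, cmdline: str) -> list:
    """Return the chain stages one process-creation event (image path, command line) matches."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if image.lower().endswith("findstr.exe"):
        names = {n.lower() for n in re.findall(r"[\w.-]+\.exe", cmdline)}
        if names & AV_NAMES:
            hits.append("av_process_check")
    if SFX_PIF_IMAGE.search(image):
        hits.append("sfx_pif_exec")
    return hits


def triage(events) -> dict:
    """Aggregate hits over a host's events; 3+ distinct stages is treated as the full chain (assumed threshold)."""
    stages = set()
    for image, cmdline in events:
        stages.update(classify(image, cmdline))
    return {"stages": sorted(stages), "suspicious": len(stages) >= 3}


# Constructed sample events modelled on the paste's process list; the last one is a benign control.
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /k move Quantity Quantity.bat & Quantity.bat & exit"),
    (r"C:\Windows\SysWOW64\findstr.exe", r'findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c copy /b Decline + Differ + Monroe + Cave + Genome + Walter 3154\Yields.pif"),
    (r"C:\TEMP\7ZipSfx.000\3154\Yields.pif", r"3154\Yields.pif 3154\j"),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy /b part1.docx + part2.docx merged.docx"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```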
- persist
- --------------
- n/a
- drop
- --------------
- %temp%\7ZipSfx.000\3154\Yields.pif
- %temp%\7ZipSfx.000\3154\j
- 2nd_sample
- %temp%\7ZipSfx.000\2910\Mrna.pif
- %temp%\7ZipSfx.000\2910\u
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/a9c372b5a7caeea4a89a502deff9752b2d3437238f241dba324b3b54d78331e4/details
- https://www.virustotal.com/gui/file/c4d3d4f7fd181264f85bd14edf16d39e26f1d2cdeab267d057b4efe81f4ec923/details
- https://www.virustotal.com/gui/file/c506a8b6fc98b95040ad63d3c6a08bb2d315e7098d13f96b48f8c90faf752e6c/details
- https://www.virustotal.com/gui/file/7a3506f60a337bd104291e6f01bf18cbf3dad4058e9e79d7861fc2a1c11258c2/details
- 2nd_sample
- https://www.virustotal.com/gui/file/f67ecc6585e3634f3bc05e1a3f7d6698882a78424fd963e2851d1edf5c8dfcb0/details
- https://www.virustotal.com/gui/file/760e3a7a0dd4bd282b22688d62e3f13bea26040c2fbf437f81b3c5fc7f113c20/details
- https://www.virustotal.com/gui/file/338565a2b04dc3a7fe4776cdfc6c2772f2daf1ab173d17063534230b7ff9d374/details
- https://www.virustotal.com/gui/file/43c59cd33371691282d4f781b6f5d0b280da41d71fceeecc7b7052a1db11ac79/details
- VR