DOWNLOADED ZIP –> MSI –> FILE DOWNLOADER THROUGH DLL SIDE-LOADING –> LUMMA STEALER

    Date: 09/20/2024

    Severity: Medium

    Summary

    This entry covers a Lumma Stealer delivery chain documented by Palo Alto Networks Unit 42 (see Reference). The victim downloads a ZIP archive that contains an MSI (Windows Installer) package. Running the MSI drops a legitimate, typically signed executable alongside a malicious DLL whose file name matches a library that executable expects to load from its own directory; when the executable starts, it side-loads that DLL, so the attacker's code runs inside a trusted process and the signed binary passes naive reputation checks. The side-loaded DLL acts as a file downloader that retrieves the next stage from the infrastructure listed below. The final payload is Lumma Stealer, an information stealer that harvests browser credentials and cookies, cryptocurrency wallet data and other sensitive files from the host and sends them to its command-and-control servers. The chain is a reminder that a signed parent process is not a trust signal on its own: what matters is which modules it loaded and from where.

    Indicators of Compromise (IOC) List

    URL/Domain

    relaxatinownio.shop

    tesecuuweqo.shop

    eemmbryequo.shop

    keennylrwmqlw.shop

    tryyudjasudqo.shop

    licenseodqwmqn.shop

    tendencctywop.shop

    genedjestytw.shop

    reggwardssdqw.shop

    https://access-htaccess.com/2708.bs64

    https://chick-chick666.com/s**k/my/d**k/you/little/b****h/239.exe

    https://exp.btcme.com/api/address/bc1q4fkjqusxsgqzylcagra800cxljal82k6y3ejay?limit=2

    Hash

    dd6f96d0d6f6ed2b83df7552f77523688f2a2272fce63564bc9ffdcb3157b70e
    
    4561722739d54e28db961095f302b7beb77804c15da10b85ac1f0218b85429cd
    
    c2a5cf50e34cb713fe7c2e14b163352d361ce6a461feb74fabd4579b8b15c437
    
    c97b417648af57728ee9b2b6cee70cfeb6482bb6d8778908ab01cdb1e17e2480
    
    e359742abac0c577e6cee555084f407f887d2443e4c9013802190b30faaa3081
    
    801f0a8bf3c692688c80487875f5990ba08a9d3bb8f596396408e1e9a15a98c2
    
    4918b38ca22ae08bf19406d0dd9c4fbff62423b2a43555262c506826478f2bfb
    
    17da8c48ad17d5802a5658558e0a71a5cf468e2de346ac31e5e70ff87cfb5f9d
    
    517a7a708e3227e565602875aa8e6ec28009a2d74f9ab5fd1431f91ee696e9e2
    
    3bfc3e3cc9432f5766cedbc78bcbf80ffb52992c7685536c31396e60cd4b7205
    
    75622b92e3b4d0169a40dd8a5a9fea9ff6a6da8ca5f469d6bd1cd9c9d6d478e4
    
    a7b775935f941a9ee9c2d5fb7ed024db095595f6e3df12eac5d54c6d78be0520
    
    afe1e265c3a59e33785cc87c706febb6a82d1fe794fc011619f372fc4c709c66
    
    082a0596b474806cc0ea58c4f7067a4f1166dbb4aa1800bc58af6f99f1209a4a
    
    121221a1966a20b257e2365387840578ea04376eea406b21671ce9da3b7fd42a
    
    a4ff53f432c41f996a07243c54e22e9556a1ebcb78f5e56c177ebc8f1f577b88
    
    2de30f3d500adcd4335c27dcc96006ac36c860e7591914e13fac061bd5841881
    
    c114d5c1b43adbe83c9b067c2635d00c5f3e6b57324cb3acb8d13ffa7cd26097
    
    0905db293dbc6be00cbdcfad4888d9702f2563a11b339d99656f6b8898a8ac10
    
    d8f2f667708a14734a20d7731ab659fa1ab23ddd25ee96ba4ca33fedf4b7c613
    
    e6f86e7df02ea6a76e55d0fd97e6c98d5456e9d6566cd529fd817277212bd444

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "relaxatinownio.shop" or url like "relaxatinownio.shop" or userdomainname like "tesecuuweqo.shop" or url like "tesecuuweqo.shop" or userdomainname like "eemmbryequo.shop" or url like "eemmbryequo.shop" or userdomainname like "keennylrwmqlw.shop" or url like "keennylrwmqlw.shop" or userdomainname like "tryyudjasudqo.shop" or url like "tryyudjasudqo.shop" or userdomainname like "licenseodqwmqn.shop" or url like "licenseodqwmqn.shop" or userdomainname like "tendencctywop.shop" or url like "tendencctywop.shop" or userdomainname like "genedjestytw.shop" or url like "genedjestytw.shop" or userdomainname like "reggwardssdqw.shop" or url like "reggwardssdqw.shop" or url like "https://access-htaccess.com/2708.bs64" or url like "https://chick-chick666.com/s**k/my/d**k/you/little/b****h/239.exe" or url like "https://exp.btcme.com/api/address/bc1q4fkjqusxsgqzylcagra800cxljal82k6y3ejay?limit=2"

    Domain IOCs are matched against both the host-name field and the URL field; the three URL IOCs are matched against the URL field only, since a full URL never appears in userdomainname. Note that exp.btcme.com is a public blockchain-explorer API, so match on the complete URL (address and query string) rather than on the bare host to avoid false positives from legitimate use of that service.

    Hash

    sha256hash IN ("dd6f96d0d6f6ed2b83df7552f77523688f2a2272fce63564bc9ffdcb3157b70e","4561722739d54e28db961095f302b7beb77804c15da10b85ac1f0218b85429cd","c2a5cf50e34cb713fe7c2e14b163352d361ce6a461feb74fabd4579b8b15c437","c97b417648af57728ee9b2b6cee70cfeb6482bb6d8778908ab01cdb1e17e2480","e359742abac0c577e6cee555084f407f887d2443e4c9013802190b30faaa3081","801f0a8bf3c692688c80487875f5990ba08a9d3bb8f596396408e1e9a15a98c2","4918b38ca22ae08bf19406d0dd9c4fbff62423b2a43555262c506826478f2bfb","17da8c48ad17d5802a5658558e0a71a5cf468e2de346ac31e5e70ff87cfb5f9d","517a7a708e3227e565602875aa8e6ec28009a2d74f9ab5fd1431f91ee696e9e2","3bfc3e3cc9432f5766cedbc78bcbf80ffb52992c7685536c31396e60cd4b7205","75622b92e3b4d0169a40dd8a5a9fea9ff6a6da8ca5f469d6bd1cd9c9d6d478e4","a7b775935f941a9ee9c2d5fb7ed024db095595f6e3df12eac5d54c6d78be0520","afe1e265c3a59e33785cc87c706febb6a82d1fe794fc011619f372fc4c709c66","082a0596b474806cc0ea58c4f7067a4f1166dbb4aa1800bc58af6f99f1209a4a","121221a1966a20b257e2365387840578ea04376eea406b21671ce9da3b7fd42a","a4ff53f432c41f996a07243c54e22e9556a1ebcb78f5e56c177ebc8f1f577b88","2de30f3d500adcd4335c27dcc96006ac36c860e7591914e13fac061bd5841881","c114d5c1b43adbe83c9b067c2635d00c5f3e6b57324cb3acb8d13ffa7cd26097","0905db293dbc6be00cbdcfad4888d9702f2563a11b339d99656f6b8898a8ac10","d8f2f667708a14734a20d7731ab659fa1ab23ddd25ee96ba4ca33fedf4b7c613","e6f86e7df02ea6a76e55d0fd97e6c98d5456e9d6566cd529fd817277212bd444")
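    The same matching logic as the two queries above, run over a few constructed log records. This is an added example and is not Gurucul's or Unit 42's code; the record field names (userdomainname, url, sha256hash) mirror the query fields, the records themselves are made up, and only two of the 21 hashes are loaded to keep the block short. It also shows the host-versus-full-URL distinction: a subdomain of an IOC domain still fires, a different address looked up on the same blockchain explorer does not, and hash case is normalised before comparison.

```python
"""IOC matching for the Lumma Stealer delivery chain (added example).

Not Gurucul's or Unit 42's code. Loads the page's IOCs into three buckets
and evaluates constructed proxy and EDR records against them.
"""
from urllib.parse import urlsplit

# Domain IOCs from the list above: matched on the host, subdomains included.
IOC_DOMAINS = {
    "relaxatinownio.shop", "tesecuuweqo.shop", "eemmbryequo.shop",
    "keennylrwmqlw.shop", "tryyudjasudqo.shop", "licenseodqwmqn.shop",
    "tendencctywop.shop", "genedjestytw.shop", "reggwardssdqw.shop",
}

# URL IOCs: matched on the full URL only. exp.btcme.com is a public
# blockchain explorer, so alerting on the bare host would be noisy.
IOC_URLS = {
    "https://access-htaccess.com/2708.bs64",
    "https://exp.btcme.com/api/address/bc1q4fkjqusxsgqzylcagra800cxljal82k6y3ejay?limit=2",
}

# Subset of the SHA-256 IOCs on the page (two of 21, to keep the example short).
IOC_SHA256 = {
    "dd6f96d0d6f6ed2b83df7552f77523688f2a2272fce63564bc9ffdcb3157b70e",
    "e6f86e7df02ea6a76e55d0fd97e6c98d5456e9d6566cd529fd817277212bd444",
}


def host_of(value: str) -> str:
    """Lowercase host from either a URL or a bare host name."""
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").lower()


def canonical_url(url: str) -> str:
    """Normalise scheme and host case; keep path and query exact."""
    p = urlsplit(url)
    out = f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


# canonical form -> IOC string as listed on the page
_URL_BY_CANON = {canonical_url(u): u for u in IOC_URLS}


def match_record(rec: dict) -> list:
    """Return the IOCs a single log record matches (empty list if none)."""
    hits = []
    host = host_of(rec.get("userdomainname") or rec.get("url") or "")
    for d in sorted(IOC_DOMAINS):
        if host == d or host.endswith("." + d):
            hits.append("domain:" + d)
    url = rec.get("url")
    if url:
        ioc = _URL_BY_CANON.get(canonical_url(url))
        if ioc:
            hits.append("url:" + ioc)
    digest = (rec.get("sha256hash") or "").lower()
    if digest in IOC_SHA256:
        hits.append("sha256:" + digest)
    return hits


def scan(records: list) -> list:
    """Return (record id, hits) for every record that matched at least one IOC."""
    results = []
    for rec in records:
        hits = match_record(rec)
        if hits:
            results.append((rec["id"], hits))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"id": "proxy-1", "userdomainname": "relaxatinownio.shop",
     "url": "https://relaxatinownio.shop/api"},
    {"id": "proxy-2", "url": "https://cdn.tesecuuweqo.shop/v1"},  # subdomain
    {"id": "proxy-3", "url": "HTTPS://EXP.BTCME.COM/api/address/"
     "bc1q4fkjqusxsgqzylcagra800cxljal82k6y3ejay?limit=2"},  # case differs
    {"id": "proxy-4", "url": "https://exp.btcme.com/api/address/bc1qzzz?limit=2"},
    {"id": "edr-1", "sha256hash":
     "DD6F96D0D6F6ED2B83DF7552F77523688F2A2272FCE63564BC9FFDCB3157B70E"},
    {"id": "edr-2", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_RECORDS):
        print(rec_id, hits)
```

    proxy-4 is the deliberate negative case: another address queried on the same explorer produces no hit, which is the behaviour you want from the full-URL rule. If your proxy logs record only the host, the two non-explorer URL IOCs can reasonably be downgraded to host matches on access-htaccess.com and chick-chick666.com, but keep the btcme.com entry as a full-URL match.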

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt 


    Tags

    Malware, Lumma
