MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LuminosityLink


Vendor detections: 7



SHA256 hash: 2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91
SHA3-384 hash: d6cf050311f0b244cfb0eaed0fee9cd93c8ef5e405c204b4bd61f554ded2cf5176b03637ebbe291cbf020a15e94974f1
SHA1 hash: 8bb578ad423522f6f7c54275ed8269601ee68bd7
MD5 hash: 7c1768b63f9baa0720999f746e56a3ec
humanhash: washington-carbon-vegan-friend
File name: New PO 8003987747484873672020.exe
Signature: LuminosityLink
File size: 300'544 bytes
First seen: 2020-07-17 16:36:30 UTC
Last seen: 2020-07-17 18:10:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:l0ogfpEmAN6F2pWoOFX9Dhz/A+hIzZlyzkwwA:lzgfCCYAFNDhPkmzkhA
Threatray: 57 similar samples on MalwareBazaar
TLSH: 1D54F10496BE233BC56EB3FD4AA255891B617233DCB3DA890EC761CE45937821584FE3
Reporter: abuse_ch
Tags: exe LuminosityLink nVpn RAT


abuse_ch
Malspam distributing LuminosityLink:

HELO: mail.mytractice.com
Sending IP: 18.216.151.67
From: Sales 02 <hbpark@motusp.com>
Reply-To: hbpark@motusp.com
Subject: Urgent Order
Attachment: New PO 8003987747484873672020.pdf.z (contains "New PO 8003987747484873672020.exe")

LuminosityLink C2:
nobawi.dvrdns.org:3021 (79.134.225.125)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence


File Origin
# of uploads: 2
# of downloads: 115
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
LuminosityLink
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected LuminosityLink RAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 246781, Sample: New PO 8003987747484873672020.exe, Startdate: 19/07/2020, Architecture: WINDOWS, Score: 100
Threat name:
Win32.Trojan.Taskun
Status:
Malicious
First seen:
2020-07-17 03:51:38 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: RAT_LuminosityLink
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects LuminosityLink RAT
Reference: http://malwareconfig.com/stats/LuminosityLink

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

LuminosityLink

Executable exe 2db7aa7291c73bde092cd4cc8af0aff7eac7245ae5b034d8bb8810c76d85cd91 (this sample)

Delivery method
Distributed via e-mail attachment

Comments