SilverFox 1x + LummaStealer 1x

显示全部楼层 · 发表于 2024-12-11 16:06:46

本帖最后由 FD丶纸鸢于 2024-12-11 16:26 编辑

Setup.exe -> Lummastealer
msi -> SilverFox

这个lumma好像改变了加载方式，用到了autoit3
S1 miss
戎码翼龙Miss
卡巴UDS拉黑
银狐
卡巴KES双击触发PDM 衍生物HEUR杀未触发高级清除
S1双击后杀衍生物但衍生物任务管理器中仍然运行
重启后无感染迹象开机提示缺少updat3.vac，判定为拦截成功

https://f.ws28.cn/f/fs5miwtx7mp 复制链接到浏览器打开

显示全部楼层 · 发表于 2024-12-11 16:23:10

Sophos:
Lumma Miss
银狐老样子 DynamicShellCode阻止+杀衍生

BD：
银狐阻止释放exe
Lumma ATD杀

显示全部楼层 · 发表于 2024-12-11 16:40:44

Lumma:

2024/12/11 16:39
Harmful website https://covery-mover.biz blocked

复制代码

SilverFox:
missed. Anti-VM?

显示全部楼层 · 发表于 2024-12-11 16:42:04

本帖最后由 FD丶纸鸢于 2024-12-11 16:43 编辑

swizzer 发表于 2024-12-11 16:40
Lumma:

SilverFox:

No Anti-VM.
Tested by VMware
Edited:银狐据说反英文系统，英文系统无法执行

显示全部楼层 · 发表于 2024-12-11 16:42:36

本帖最后由 Fadouse 于 2024-12-11 16:55 编辑

DI + S1 Kill All

lumma DI杀下载恶意载荷的脚步执行
* S1 默认给的阈值太高了有点. 行为全检出了，动态AI就是不杀()

Behavioral Indicators
Evasion
AddAnyCertificate
A new certificate was added
MITRE: Defense Evasion {T1553.004}
AddCertificate
A new root certificate was added
MITRE: Defense Evasion {T1553.004}
HookRemovalAttemptAfterOverwrite
A function was overwritten
MITRE: Defense Evasion {T1562.001}
InstrumentationCallbackBypassAttempt
Hook bypass attempt via Instrumentation callback
MITRE: Defense Evasion {T1562.001}
MultipleHookRemovals
Multiple functions were unhooked
MITRE: Defense Evasion {T1562.001}
WmiQueryAntiVm
A WMI query was run as part of Anti-VM behavior
MITRE: Defense Evasion {T1622}
MITRE: {T1497}
MITRE: {T1497.001}
MITRE: {T1480.001}
MITRE: Discovery {T1622}
MITRE: {T1497}
MITRE: Execution {T1047}
MITRE: Collection {T1119}
InfoStealer
PossibleChromiumEdgeInfoStealing
Chromium Edge's sensitive information was accessed
MITRE: Credential Access {T1555.003}
MITRE: {T1552.001}
Malware
CoreDllRead
Detected attempt to read a core DLL of the OS
MITRE: Defense Evasion {T1562.001}
DirectSyscallAfterNtdllRead
Detected attempt to evade monitors with a direct syscall execution
MITRE: Defense Evasion {T1562.001}
HookRemovalAttemptAfterNtdllRead
A function was unhooked
MITRE: Defense Evasion {T1562.001}
ParallelNtDllLoad
Detected attempt to re-map a core DLL of the OS
MITRE: Defense Evasion {T1562.001}
N/A
DirectSyscall
Attempt to evade monitoring with a syscall directly
MITRE: Defense Evasion {T1562.001}
WmiQuerySystemInformationDiscovery
A WMI query was run to discover system information
MITRE: Discovery {T1082}
MITRE: Execution {T1047}
MITRE: Collection {T1119}
MITRE: {T1005}
MITRE: Defense Evasion {T1480.001}
WmiQuerySystemPrimaryUserDiscovery
A WMI query was run to discover the system primary user
MITRE: Discovery {T1033}
MITRE: Execution {T1047}
MITRE: Collection {T1119}
MITRE: Defense Evasion {T1480.001}
Reconnaissance
SuspiciousWMIQuery
Suspicious WMI query was identified
MITRE: Execution {T1047}
MITRE: Discovery {T1518.001}
MITRE: Collection {T1119}
MITRE: {T1005}
MITRE: Defense Evasion {T1480.001}

复制代码

silverfox DI杀 MSI.TMP

显示全部楼层 · 发表于 2024-12-11 16:44:47

毛豆老样子，入沙重启，无事发生，update.wnc又改成updat3.vac了

Setup.exe 双击入沙，错误自退

显示全部楼层 · 发表于 2024-12-11 16:50:26

https://wormhole.app/j9x5m#pGmQuQDxFfSaZIRdIdmEEw

Depumped Setup.exe

显示全部楼层 · 发表于 2024-12-11 16:59:41

本帖最后由 King、暮光于 2024-12-11 17:05 编辑

ESET提取新特征后这一轮还挺稳定 Win64/Agent.EXB 特洛伊木马的变量
Setup.exe 右键miss，360沙箱里执行，ESET报BAT/Agent.QPG 特洛伊木马，exe消失
本体已上报

显示全部楼层 · 发表于 2024-12-11 17:09:29

本帖最后由 lsop1349987 于 2024-12-11 17:26 编辑

虚拟机 Avira free 扫描miss双击寄
大蜘蛛扫描misss双击
Lummastealer：防火墙报警
银狐：拦驱动
华为乾坤个人版扫描miss双击miss 卡巴实机拦Lummastealer恶意地址

显示全部楼层 · 发表于 2024-12-11 17:30:08

lumma之前就用过AutoIt当做Loader，很常见的手法

[病毒样本] SilverFox 1x + LummaStealer 1x

本帖子中包含更多资源

评分

本帖子中包含更多资源

评分