lumma | 680cb9fea15a1f1c5004abd791b1b27383640b985d0f95578871aeacd7d83d0a

Sharing

Copy URL

Twitter E-mail

General

Target

SonicSAGE.exe
Size

198.2MB
Sample

250321-cgqa7avr19
MD5

170ac0f07fd31adb71cc556c7aa50c35
SHA1

ab1a834ffd57b4e18af5475d299bd04ba14ce472
SHA256

680cb9fea15a1f1c5004abd791b1b27383640b985d0f95578871aeacd7d83d0a
SHA512

563f5fecaf462efc84aac94510816a9ebd265fbc27fc7a5eefe88b8ab390e6b680d722af9b13e1738b7146924d9aff6ae06f932e8d1f8fee3e92284a06b7dc13
SSDEEP

3145728:pFyh9NvfiE4dQw4zhQSGYBuzqVNF1OFZhckc8fHK2duv5B0oi9s4hQWzwwM+rzTB:y4yPQSGY8zqVn4FZvS2MxMs4+MbRSAP

Malware Config

Extracted

Path

C:\Users\Public\Documents\RGNR_3A219DDE.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

lumma

https://phygcsforum.life/api

https://0explorebieology.run/api

https://gadgethgfub.icu/api

https://84moderzysics.top/api

https://techmindzs.live/api

https://ucodxefusion.top/api

https://techspherxe.top/api

https://-earthsymphzony.today/api

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

else-directors.gl.at.ply.gg:56448

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
$77-Bitdefender.exe
copy_folder
Bitdefender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z3DS2J
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
VisualStudioServer
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://caffegclasiqwp.shop/api

https://stamppreewntnq.shop/api

https://stagedchheiqwo.shop/api

https://millyscroqwp.shop/api

https://evoliutwoqm.shop/api

https://condedqpwqm.shop/api

https://traineiwnqo.shop/api

https://locatedblsoqp.shop/api

Extracted

Family

lumma

https://moderzysics.top/api

Targets

- Target
  
  SonicSAGE.exe
- Size
  
  198.2MB
- MD5
  
  170ac0f07fd31adb71cc556c7aa50c35
- SHA1
  
  ab1a834ffd57b4e18af5475d299bd04ba14ce472
- SHA256
  
  680cb9fea15a1f1c5004abd791b1b27383640b985d0f95578871aeacd7d83d0a
- SHA512
  
  563f5fecaf462efc84aac94510816a9ebd265fbc27fc7a5eefe88b8ab390e6b680d722af9b13e1738b7146924d9aff6ae06f932e8d1f8fee3e92284a06b7dc13
- SSDEEP
  
  3145728:pFyh9NvfiE4dQw4zhQSGYBuzqVNF1OFZhckc8fHK2duv5B0oi9s4hQWzwwM+rzTB:y4yPQSGY8zqVn4FZvS2MxMs4+MbRSAP
Score

10^/10

discovery lumma ragnarlocker remcos squirrelwaffle xmrig xworm remotehost bootkit defense_evasion downloader execution impact miner persistence pyinstaller ransomware rat spyware stealer trojan
- Detect Xworm Payload
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- RagnarLocker
  Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
  ransomware ragnarlocker
- Ragnarlocker family
  ragnarlocker
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- SquirrelWaffle is a simple downloader written in C++.
  SquirrelWaffle.
  downloader squirrelwaffle
- Squirrelwaffle family
  squirrelwaffle
- UAC bypass
  defense_evasion trojan
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (3325) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Squirrelwaffle payload
- Adds policy Run key to start application
  persistence
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2