Overview

overview

7

Static

static

3

luminati-p...up.exe

windows7-x64

4

luminati-p...up.exe

windows10-2004-x64

6

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

4

Proxy Manager.exe

windows10-2004-x64

6

d3dcompiler_47.dll

windows10-2004-x64

3

ffmpeg.dll

windows10-2004-x64

3

libEGL.dll

windows10-2004-x64

3

libGLESv2.dll

windows10-2004-x64

3

resources/...-CN.js

windows7-x64

3

resources/...-CN.js

windows10-2004-x64

3

resources/...gen.sh

ubuntu-18.04-amd64

3

resources/...gen.sh

debian-9-armhf

3

resources/...gen.sh

debian-9-mips

resources/...gen.sh

debian-9-mipsel

3

resources/...dex.js

ubuntu-18.04-amd64

6

resources/...dex.js

debian-9-armhf

6

resources/...dex.js

debian-9-mips

3

resources/...dex.js

debian-9-mipsel

3

resources/...ade.sh

ubuntu-18.04-amd64

4

resources/...ade.sh

debian-9-armhf

4

resources/...ade.sh

debian-9-mips

1

resources/...ade.sh

debian-9-mipsel

3

resources/...all.sh

ubuntu-18.04-amd64

7

resources/...all.sh

debian-9-armhf

7

resources/...all.sh

debian-9-mips

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    luminati-proxy-manager-v1.519.10-setup.exe

  • Size

    93.8MB

  • Sample

    250328-psp6sawscz

  • MD5

    0257255ee9d204331426b40d7ca32c65

  • SHA1

    a6f4798b041bb2d1b802993eb3379f4fae85e88e

  • SHA256

    963b06d98c115aa44fff216ee477e49d66072df33838be1bb1f141dedf6c4d02

  • SHA512

    82ac6cb386c842132d55e0fdc2be7d81de8efad96612ecd0886f14ec59ad6757662e1ac8f12c770bf45f19e7eaa5b3084638d01cf6c710c9881e7583ea322085

  • SSDEEP

    1572864:Tt7jIJBRCQy2xJl9GO/wcawvz+bI3blYG3MWC203z91QsV498iUtHmGEe0Th:TaJCExJlJvayzS2f3PCz3Z1Q84qmu4h

Score
7/10
antivmdefense_evasiondiscoveryexecutionlinuxpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      luminati-proxy-manager-v1.519.10-setup.exe

    • Size

      93.8MB

    • MD5

      0257255ee9d204331426b40d7ca32c65

    • SHA1

      a6f4798b041bb2d1b802993eb3379f4fae85e88e

    • SHA256

      963b06d98c115aa44fff216ee477e49d66072df33838be1bb1f141dedf6c4d02

    • SHA512

      82ac6cb386c842132d55e0fdc2be7d81de8efad96612ecd0886f14ec59ad6757662e1ac8f12c770bf45f19e7eaa5b3084638d01cf6c710c9881e7583ea322085

    • SSDEEP

      1572864:Tt7jIJBRCQy2xJl9GO/wcawvz+bI3blYG3MWC203z91QsV498iUtHmGEe0Th:TaJCExJlJvayzS2f3PCz3Z1Q84qmu4h

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/SpiderBanner.dll

    • Size

      9KB

    • MD5

      17309e33b596ba3a5693b4d3e85cf8d7

    • SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

    • SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    • SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    • SSDEEP

      192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      17ed1c86bd67e78ade4712be48a7d2bd

    • SHA1

      1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    • SHA256

      bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    • SHA512

      0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    • SSDEEP

      192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/WinShell.dll

    • Size

      3KB

    • MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

    • SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

    • SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    • SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      LICENSES.chromium.html

    • Size

      8.7MB

    • MD5

      6ff57c0aeccdf44c39c95dee9ecea805

    • SHA1

      c76669a1354067a1c3ddbc032e66c323286a8d43

    • SHA256

      0ba4c7b781e9f149195a23d3be0f704945f858a581871a9fedd353f12ce839ca

    • SHA512

      d6108e1d1d52aa3199ff051c7b951025dbf51c5cb18e8920304116dcef567367ed682245900fda3ad354c5d50aa5a3c4e6872570a839a3a55d3a9b7579bdfa24

    • SSDEEP

      24576:2o9dQ06p6j6j1WOwRiXjYmfy6k6mjK64jK6gjK6e6cjK6feGjl8PpE:BFOeGT

    Score
    4/10
    discovery
    behavioral10behavioral9

    • Target

      Proxy Manager.exe

    • Size

      152.4MB

    • MD5

      79c381e5c588aaecc5a27376d2d793c5

    • SHA1

      35a507343bbf844b396040b582e2043a32c940f3

    • SHA256

      e27c19cf29a0137d87a197816f911b860d9bf4b619d5a3d94933f748a0a215b8

    • SHA512

      b3bd0aa138c030dc0a23a5f7bac96801564ce39feb95b0902270c58bb0ef255d098f61524481b033e2a08ecc8d568d4bf14fdf79a1ac76eecce51daf44bd3384

    • SSDEEP

      3145728:5AlI0l58YCVP1sItzMSliLdO2tIY4fHKDxJUA0IzYNBl3:cslNliLdO2tIY4fHKDxJUV+YNBR

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates processes with tasklist

      discovery
    behavioral11

    • Target

      d3dcompiler_47.dll

    • Size

      3.9MB

    • MD5

      08ac37f455e0640c0250936090fe91b6

    • SHA1

      7a91992d739448bc89e9f37a6b7efeb736efc43d

    • SHA256

      2438b520ac961e38c5852779103734be373ee2b6d1e5a7a5d49248b52acc7c4d

    • SHA512

      35a118f62b21160b0e7a92c7b9305da708c5cbd3491a724da330e3fc147dde2ca494387866c4e835f8e729b89ee0903fd1b479fcc75b9e516df8b86a2f1364c8

    • SSDEEP

      49152:pS7/Q+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ij:p4/hqqFVUsLQl6FqVCLTzHxJI9k

    Score
    3/10
    discovery
    behavioral12

    • Target

      ffmpeg.dll

    • Size

      2.5MB

    • MD5

      949243cd1fb2da472eb5cf711487cb11

    • SHA1

      2e0d1d0e88b6c59efa0850d550f4ab88fdf952cf

    • SHA256

      0262c87f3a66c289b365fc595beae445a21bf3ffacb318110ebd5da8bce86d82

    • SHA512

      22e8b7830b39759bab29010aa4552abef5aba37daaa5099558f9b89765d0bf05b133471ccfa89d7660acf07baf22541f15fd19c6836be791af2153bc97c250f9

    • SSDEEP

      49152:+Fb4XPaJcOtqvfLqCx8UeBNM3VFr22rnc1m:+FbyPaJcOtqvfRx0WDrncg

    Score
    3/10
    discovery
    behavioral13

    • Target

      libEGL.dll

    • Size

      379KB

    • MD5

      d47474ce8de5cb5a1a3b9b53eba84979

    • SHA1

      0723b72dc654ffab40233ef9eae51e49c35ba2c9

    • SHA256

      c5e820af031f7dae7479fa6a05dbe3c75bdea06cfc2b285ae4e6abf4304836dd

    • SHA512

      862153e8fb3543a983253772a9560b1586776bf95f4e1ad22398a0755d6dbf4a7f5d1e3ed0f81387597e6a364a800cca74d7089a62b5b29a784b025bfb13e320

    • SSDEEP

      6144:Ju1TZyMb8BFgXKmMeIiIA2bjiz863GW6C5r3BJu5T4R3eFadszh/624FwmS:g04KmMeICKGGW6C5r3BJAWDrDS

    Score
    3/10
    discovery
    behavioral14

    • Target

      libGLESv2.dll

    • Size

      7.1MB

    • MD5

      bd172a6091445db8ad66599d3741556b

    • SHA1

      2ae0a2b5de45b514f7ef2048275ad433896bfd77

    • SHA256

      0cd040c6a4bc87e1728d2a585514b16be98ba31dc602f924356d77ecc5b17958

    • SHA512

      bf324f96a444ed51b81ca75ff6b9954885177fdf9f5f28555b45638d018bcce7eced0e6749bfbc72a745c513947191c2e56690a1cf70ee68099130edfdf8a66a

    • SSDEEP

      196608:ivM6oaD05Ty2RU3rpnm3vg93yTnLe57Aa9DhAARoVXFYAG0Rd:KMmcU3rpuvg93yTnLe5smDhAAOVFYMd

    Score
    3/10
    discovery
    behavioral15

    • Target

      resources/app/README-zh-CN.md

    • Size

      18KB

    • MD5

      8e820e3fae85e090db6119244a3983ed

    • SHA1

      3e8336a9999dbcfad310349aab2ebee6939fb4f4

    • SHA256

      5cc373c29d69c049b552ff29166e29b49c6664228b8bf30a3dd1794d596d1b02

    • SHA512

      cdff232bade5e6851e40931edd671c7804f9a89defc239fad69f2e048a0eac5b380f85553f63efaf04779b75b752877e076d7f33020fe318b1e47f2f52e72b9d

    • SSDEEP

      192:ZGTUJMTNUt21d0rJejYxEIaRwmiSNJFZrj/H8uH10rTlIFhR:++t21mSY2Ial5LEZI5

    Score
    3/10
    execution
    behavioral16behavioral17

    • Target

      resources/app/bin/cert_gen.sh

    • Size

      353B

    • MD5

      8188617ed5b3f59657e70f6613408aaa

    • SHA1

      e938afcda147a317b92f04a247a8d3e3ad403f6c

    • SHA256

      23fdce67425735c2f447ebbabaa4e708189ad4a28ef005898807cab6b047a4a5

    • SHA512

      c1d54f563097c4350f7c56f30d67284e46f5de49151c8f7e12dde8622a68f234d9f9f86652ef53c557f85690e47e7813dc4301f5c5e6b0e9652c7d5e63719850

    Score
    3/10
    behavioral18behavioral19behavioral20behavioral21

    • Target

      resources/app/bin/index.js

    • Size

      514B

    • MD5

      2ffac93c1e0896cf98f1514f70fe8637

    • SHA1

      22fa46c684b079fae1a9921a87b3e6c63cc6e373

    • SHA256

      15cb73537b76df1b820056767dae3e8730cd91e1798bbd56e04075e8e677382b

    • SHA512

      cdc66c2d890c8edc558ffac76b46a3e63bb0b8d95e254860f18bca8c03c72fec51133fbcd7e8983219ef0a707614c9f4aed02f640d8d9afa25ff7e1fea00a4f4

    Score
    6/10
    antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalation

    • Creates/modifies environment variables

      Creating/modifying environment variables is a common persistence mechanism.

      persistenceprivilege_escalationdefense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies Bash startup script

      persistence
    behavioral22behavioral23behavioral24behavioral25

    • Target

      resources/app/bin/lpm_downgrade.sh

    • Size

      486B

    • MD5

      c2913650e886be90c3dc3464cf257124

    • SHA1

      5f3a2794a1c3be209f5074d73a6485b48a4e98ba

    • SHA256

      c00ee8c9bf0002b7b3a5cbc7c25f3dd7d2846950826f70a79ed66ad8d180d202

    • SHA512

      e7528a5266b8a1c8fb895656bb6dfea67eb7e094a442e93ab51d3a01f4bf3c48048a729a84a8a0a12223fd021bcf773055115533fe6590850fb4ab0b5aec717d

    Score
    4/10
    discoveryantivm
    behavioral26behavioral27behavioral28behavioral29

    • Target

      resources/app/bin/lpm_install.sh

    • Size

      17KB

    • MD5

      268a75c87d71b06cf53eed811aed5734

    • SHA1

      4d508c3294ce3036c295a326c0ada14f202dae0b

    • SHA256

      414ef99b1dcc687d3f2ad9139fb7c9e6ca3c52f55b31026c9759108fc1545729

    • SHA512

      eda3866fd978f6b93582d212458f79bad6e8664c63ebae2db53128f333d49b6615cdf6a67596138b84271ac5c32a7c70000f529f1b8fc7415f9df22143f3abc7

    • SSDEEP

      384:ZKuygbT00MJ8SR+azqfs+3VXfTaiA9DEWMZNAR2J0+GttpBWUepPsdti7:ZKCbW8mfiBfTaPIWMZNAR2J0+GjpBWvl

    Score
    7/10
    antivmdefense_evasiondiscoveryexecution

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    behavioral30behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

JavaScript

2
T1059.007

Unix Shell

1
T1059.004

Software Deployment Tools

1
T1072

Persistence

Boot or Logon Autostart Execution

1
T1547

Event Triggered Execution

1
T1546

Unix Shell Configuration Modification

1
T1546.004

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Event Triggered Execution

1
T1546

Unix Shell Configuration Modification

1
T1546.004

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Defense Evasion

File and Directory Permissions Modification

1
T1222

Linux and Mac File and Directory Permissions Modification

1
T1222.002

Hijack Execution Flow

1
T1574

Path Interception by PATH Environment Variable

1
T1574.007

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Credential Access

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

4
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Virtualization/Sandbox Evasion

1
T1497

System Checks

1
T1497.001

Lateral Movement

Software Deployment Tools

1
T1072

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discovery
Score
4/10

behavioral2

discovery
Score
6/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
4/10

behavioral11

discovery
Score
6/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
1/10

behavioral21

Score
3/10

behavioral22

antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalation
Score
6/10

behavioral23

antivmdefense_evasiondiscoveryexecutionpersistenceprivilege_escalation
Score
6/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

discovery
Score
4/10

behavioral27

antivmdiscovery
Score
4/10

behavioral28

Score
1/10

behavioral29

discovery
Score
3/10

behavioral30

antivmdefense_evasiondiscoveryexecution
Score
7/10

behavioral31

antivmdefense_evasiondiscoveryexecution
Score
7/10

behavioral32

defense_evasiondiscovery
Score
7/10