autorun上看到一个3月15日新捕获的lummerstealer,简要分析一下
该样本有混淆,大致逻辑是将bss段的shellcode解密后,注入到MSBuild.exe中,所以着重分析一下shellcode,shellcode也被混淆了,功能大致分为3块
首先会连接C2,接收数据为加解密因子,内存中解出一份json数据
解析后,按照json中,逐一遍历路径,如果存在目标文件,通过天堂之门(32位程序手动通过WOW64,执行64位系统调用)技术,查询文件信息,读取文件内容,然后经过一系列处理,发回C2。
其中WOW64系统调用时,传入的系统调用号可能是形如0x33(打开文件),0x11(查询文件信息)这种,也可能是0x1a0006(读取文件)、0x3000f(关闭句柄)这种,需要拆开来看,前16位,是给WOW64用的,wow64根据前16位,跳转到对应的系统调用处理函数。而后16位给内核用的,系统调用进入内核后,根据后16位,找到对应的服务描述符表,执行对应函数。
shellcode会创建msedge.exe进程
利用远程调试的方式获取cookie信息
例如硬件信息、杀软信息、用户名等计算机信息会通过WMI的select语句查询,
此外还会获取剪贴板、截屏等信息
C2:
pistolpra.bet
weaponwo.life
armamenti.world
selfdefens.bet
targett.top
caliberc.today
loadoutle.life
sha1: 4130B70A8300FB43C040726E3D02341639E323B7
{"v":4,
"se":true,
"ad":false,
"vm":false,
"ex":[ //浏览器扩展
{"en":"ejbalbakoplchlghecdalmeeeajnimhm","ez":"MetaMask"},
{"en":"aeblfdkhhhdcdjpifhhbdiojplfjncoa","ez":"1Password"},
{"en":"pioclpoplcdbaefihamjohnefbikjilc","ez":"Evernote"},
{"en":"dngmlblcodfobpdpecaadgfbcggfjfnm","ez":"MultiversX Wallet"},
{"en":"kppfdiipphfccemcignhifpjkapfbihd","ez":"ForniterWallet"} ...
],
"mx":[
{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}
],
"c":[ //查找应用与对应路径
{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},
{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":["*"],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"}
...
]
}
{"v":4,
"se":true,
"ad":false,
"vm":false,
"ex":[ //浏览器扩展
{"en":"ejbalbakoplchlghecdalmeeeajnimhm","ez":"MetaMask"},
{"en":"aeblfdkhhhdcdjpifhhbdiojplfjncoa","ez":"1Password"},
{"en":"pioclpoplcdbaefihamjohnefbikjilc","ez":"Evernote"},
{"en":"dngmlblcodfobpdpecaadgfbcggfjfnm","ez":"MultiversX Wallet"},
{"en":"kppfdiipphfccemcignhifpjkapfbihd","ez":"ForniterWallet"} ...
],
"mx":[
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2025-3-22 12:30
被mb_jonavsjj编辑
,原因:
