Lumma Stealer, a sophisticated information-stealing malware, is spreading through Telegram channels, exploiting the platform’s popularity to bypass traditional security measures and target unsuspecting users, potentially compromising sensitive data.
The Telegram channel “hitbase,” with a significant subscriber count of 42,000, is actively distributing malicious software disguised as cracked software, as their last post, on November 3rd, likely contained a link to download this malware.
While the Telegram channel “sharmamod,” with 8.66k subscribers, last active on November 3rd, is distributing malware to unsuspecting users under the guise of legitimate content.
Telegram channels forward messages between each other and distribute fake crack software disguised as Trojan:Win/Lummastealer.SD, primarily targeting users in India, the USA, and Europe.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
The file “CCleaner 2024.rar” contains malicious code disguised as legitimate Microsoft DLL files, which likely aims to compromise systems by exploiting vulnerabilities and potentially installing malware.
An analysis reveals that CCleaner 2024.exe employs a decryption mechanism to process two encrypted data blobs, AIOsncoiuuA and UserBuffer, using the keys Alco and key, which are likely crucial for the application’s functionality.Â
The system uses two distinct encryption keys (Alco and Key) to secure sensitive data (AIOsncoiuuA and UserBuffer), where the decryption function is likely designed to decode this encrypted data using the appropriate key, revealing the original, unencrypted information.
When a breakpoint analysis is performed, the data that has been decrypted and stored in the variable uiOAshyuxgYUA reveals the presence of process injection API calls within the memory that has been decrypted.
A multi-stage attack involving process injection into RegAsm.exe, where a breakpoint was set to capture the decrypted second-stage payload, which was identified as a Visual C++ compiled executable.
According to McAfee, the payloads, “XTb9DOBjB3.exe” and “bTkEBBlC4H.exe,” are .NET files decrypted using the same method as the main “ccleaner” file, which are then written to the AppData Roaming folder, indicating potential post-infection activities.
The .NET file contains a 32-bit GUI PE that dynamically loads winhttp.dll. Base64-encoded strings within the PE are decoded and decrypted to retrieve plaintext data.
Malware disguises C2 server addresses as seemingly legitimate domains (“hxxps://snarlypagowo.site/api”) through obfuscation and retrieves the true address from a user’s Steam profile (“marshal-zhukov.com”) to exfiltrate data after establishing a connection.
Runtime64.exe, a malicious .NET program, steals browser, FTP, email credentials, and system information by monitoring the clipboard for cryptocurrency wallet addresses using regex and replacing them for hijacking.
Indicators of Compromise
| BLTools v4.5.5 New.rar | 000756bedf4e95de6781a4193301123032e987aba33dcd55c5e2a9de20a77418 |
| Blum Auto Bot Token.rar | 06715881cd4694a0de28f8d2e3a8cc17939e83a4ca4dee2ebb3078fc25664180 |
| Netflix Online Video 2024.rar | 072aa67c14d047621e0065e8529fadd0aac1c1324e10e5d027c10073fffcd023 |
| YouTube Downloader Version 2.1.6.rar | 1724f486563c5715ce1fe989e8f4ca01890970816c5ffc2e5d0221e38cf9fdb9 |
| Full Adobe Photoshop 2024 + CDkey.rar | 174690d86d36c648a2d5a595bc8cfae70c157f00c750c36fd1a29f52011af5e2 |
| Youtube Downloader Video 2024 Version.rar | 18aca8b28750c9673f1c467f5eab1bbae4ad6c79f3fe598318c203c8e664d44f |
| ChatGPT-5 Version 2024 .rar | 24a32d763e458e5440cb18f87685cc5626bf62cd9c3ca7bab10f0ced629708ee |
| Valorant Checker by Xinax 2024.rar | 31a818c75d35bafc58c62c7522503f90be7b684803883e5f07c4cc16f517d1d0 |
| Activation Windows 8,10,11 FULL + CDkey.rar | 338ec6016db4eb95b15bc0822fc1d745f107ae0739a57b41ef10c9f64b6c8077 |
| Ccleaner 2024.rar | 3df7a19969e54bd60944372e925ad2fb69503df7159127335f792ad82db7da0b |
| CC Checker AcTeam 2024 New.rar | 535650b613161c011086eab9d87189aa637f8575e52442db6e81602e67a2e4f4 |
| Netflix mail access Checker 2024 New.rar | 61a17a91ce2a98b455a50ff37b33368fe3b2f3a516cf94c5d7b18e386274557b |
| Paypal Checker New 2024 version.rar | 840a255a184d3e819a07e3749b5e32da84f607ac7025366967d12dac0c5fa859 |
| Free YouTube Downloader 2024.rar | 9be6ea9ab019c7bd59fab7097ceb9cd465a6ae0c6b9a50d55432a0bfb5e1f184 |
| Microsoft Office 2024 + CDkey.rar | a541b66785534bca646a7691c7a2a5630947ecbd4ee2544b19a5f8347f70f923 |
| Crypto Seed Checker 2024 version.rar | ac5c6793354b2be799ce755828d72f65a0c2ea63ccc942208c22e893a251b52c |
| Phemex CryptoBot.rar | b53e0759fa11d6d31b837adf5c5ceda40dd01aa331aa42256282f9ca46531f25 |
| SQLi Dumper v10.5.rar | ce8e7b2a6222aa8678f0c73bd29a9e3a358f464310002684d7c46b2b9e8dcf23 |
| Cyber Ghost VPN + Key master.rar | d31520c4a77f01f0491ef5ecf03c487975182de7264d7dce0fb7988e0cea7248 |
| AIO checker New Version 9.10.rar | d67cc175e2bb94e2006f2700c1b052123961f5f64a18a00c8787c4aa6071146f |
| Spotify Desktop Version 2024.rar | e71e23ad0e5e8b289f1959579fb185c34961a644d0e24a7466265bef07eab8ec |
| Nord VPN 2024 + Key.rar | fa34c20e1de65bfff3c0e60d25748927aa83d3ea9f4029e59aaedb4801220a54 |
| Paysafecard Checker 2024 version.rar | fb60510e8595b773abde86f6f1792890978cd6efc924c187cb664d49ef05a250 |
| TradingView 2024 New Version (Desktop).rar | fdc6ebf3968cd2dfcc8ad05202a847d7f8b2a70746800fd240e6c5136fcd34f6 |
| Telegram channel | · https[:]//t[.]me/hitbase |
| Telegram channel | · https[:]//t[.]me/sharmamod |
| C2 | marshal-zhukov.com |
Are you from SOC/DFIR Teams? –Â Analyse Malware & Phishing with ANY.RUN -> Try for Free
