TrojanSpy.MSIL.LUMMAC.C

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• "%Windows%\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It injects codes into the following process(es):

• RegAsm.exe

Download Routine

This Trojan Spy connects to the following website(s) to download and execute a malicious file:

• http:/{BLOCKED}techs.com/Amdaygo.exe → Detected as Trojan.Win32.AMADEY.YXDHDZ

Information Theft

This Trojan Spy gathers the following data:

• Computer Name
• OS Information
• CPU Information
• Screen Resolution
• System Language
• Physical Memory Installed

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}c-node.io/c2sock
• http://{BLOCKED}fe.xyz/c2sock

Other Details

This Trojan Spy connects to the following website to send and receive information:

• http://{BLOCKED|c-node.io/c2conf
• http://{BLOCKED}fe.xyz/c2conf

It does the following:

• It has the following capabilities:
  • Loader function (Execute/Load downloaded executables or DLL files)
  • Execute PowerShell script
  • Manage files (Upload/Download files from server)
  • Manage processes (Create list)
  • Delete itself after execution
• It exfiltrates the following data from Google Chrome.
  • History
  • Login Data
  • Login Data For Account
  • Web Data
  • Network\Cookies
  • Local Storage\leveldb
  • Local Storage\leveldb
• It exfiltrates the following data from Mozilla Firefox.
  • %appdata%\Mozilla\Firefox\Profiles
  • key4.db
  • cert9.db
  • formhistory.sqlite
  • cookies.sqlite
  • logins.json
  • places.sqlite
• It exfiltrates data from the following appilication.
  • AnyDesk
    • .conf
    • %appdata%\AnyDesk
  • FileZilla
    • recentservers.xml
    • sitemanager.xml
  • KeePass
    • .kbdx
  • Steam
    • ssfn*
    • %programfiles%\Steam\config
  • Telegram
    • s*
• It exfiltrates User Data found on the following Browsers.
  • Chrome
  • Chromium
  • Edge
  • Kometa
  • Opera Stable
  • Opera GX Stable
  • Opera Neon
  • Brave Software
  • Comodo
  • CocCoc
• It exfiltrates data on the following crypto wallets.
  • Binance
  • Electrum
  • Ethereum
  • Exodus
  • Ledger Live
  • Atomic
  • Coinomi
  • Authy Desktop
  • Bitcoin core
  • JAXX New Version
• It exfiltrates data found on the following mail client applications.
  • Windows Mail
    • %localappdata%\Microsoft\Windows Mail\Local Folders
    • .eml
  • The Bat!
    • %localappdata%\The Bat!
    • Mail Clients\The Bat\Local
    • .TBB
    • .TBN
    • .MSG
    • .EML
    • .MSB
    • .mbox
    • .ABD
    • .FLX
    • .TBK
    • .HBI
  • Thunderbird
    • %appdata%\Thunderbird\Profiles
  • PMAIL
    • .CNM
    • .PMF
    • .PMN
    • .PML
    • CACHE.PM
    • .WPM
    • .PM
    • .USR
  • Mailbird
    • Mail Clients\Mailbird
    • \MessageIndex
    • .db
  • eM Client
    • .dat
    • .dat-shm
    • .dat-wal
• It exfiltrates crypto currency browser wallet extensions and 2FA applications.