From 1a20c393862d5a41662a702fe9c89b01d1a096b1 Mon Sep 17 00:00:00 2001
From: Scott Petty
Date: Mon, 27 Jan 2025 16:56:18 -0500
Subject: [PATCH 1/5] add 87.120.115.240 to IP blocklists - lummastealer

---
 IP-addr.cidr.in-addr.arpa | 1 +
 IP-addr.cidr.list | 1 +
 IP-addr.in-addr.arpa | 1 +
 IP-addr.list | 1 +
 4 files changed, 4 insertions(+)

diff --git a/IP-addr.cidr.in-addr.arpa b/IP-addr.cidr.in-addr.arpa
index 8c0b0c1..922d61d 100644
--- a/IP-addr.cidr.in-addr.arpa
+++ b/IP-addr.cidr.in-addr.arpa
@@ -76,6 +76,7 @@
 32.236.194.253.47
 32.24.72.51.49
 32.24.93.153.43
+32.240.115.120.87
 32.243.242.51.49
 32.246.146.159.43
 32.248.156.141.45
diff --git a/IP-addr.cidr.list b/IP-addr.cidr.list
index 0875f81..df87f0f 100644
--- a/IP-addr.cidr.list
+++ b/IP-addr.cidr.list
@@ -117,6 +117,7 @@
 8.221.127.62/32
 81.83.84.22/32
 83.222.191.91/32
+87.120.115.240/32
 87.120.125.47/32
 91.188.254.21/32
 91.215.85.223/32
diff --git a/IP-addr.in-addr.arpa b/IP-addr.in-addr.arpa
index bdf9280..1d664f4 100644
--- a/IP-addr.in-addr.arpa
+++ b/IP-addr.in-addr.arpa
@@ -75,6 +75,7 @@
 236.194.253.47
 24.72.51.49
 24.93.153.43
+240.115.120.87
 243.242.51.49
 248.156.141.45
 249.228.253.47
diff --git a/IP-addr.list b/IP-addr.list
index b44b34b..6dbf277 100644
--- a/IP-addr.list
+++ b/IP-addr.list
@@ -116,6 +116,7 @@
 8.221.127.62
 81.83.84.22
 83.222.191.91
+87.120.115.240
 87.120.125.47
 91.188.254.21
 91.215.85.223
From 8f98aafba51d57b2ecc2017ac9988d2ce69af4ce Mon Sep 17 00:00:00 2001
From: Scott Petty
Date: Mon, 27 Jan 2025 17:00:40 -0500
Subject: [PATCH 2/5] add URI to .lnk file hosted at 87.120.115.240 - lummastealer

---
 add-link | 1 +
 1 file changed, 1 insertion(+)

diff --git a/add-link b/add-link
index 742b19f..25a803f 100644
--- a/add-link
+++ b/add-link
@@ -35,6 +35,7 @@ http://83.222.191.91:8080/oops/loki.upx
 http://83.222.191.91:8080/oops/loki.x86
 http://83.222.191.91:8080/oops/loki.x86_64
 http://83.222.191.91:8080/oops/tftp.sh
+http://87.120.115.240/Downloads/tg.-frumos-hcl-nr.-75-1.pdf.lnk
 http://94.156.167.30/Agent381.msi
 http://94.156.167.30/Agent381.zip
 http://94.156.167.30/Desktop.img
From 27803e0bfefb1dd4d06eaf89cd48ddb7b156fe07 Mon Sep 17 00:00:00 2001
From: Scott Petty
Date: Mon, 27 Jan 2025 17:03:38 -0500
Subject: [PATCH 3/5] add 80.76.51.231 to IP blocklists - second stage and payload - lummastealer

---
 IP-addr.cidr.in-addr.arpa | 1 +
 IP-addr.cidr.list | 1 +
 IP-addr.in-addr.arpa | 1 +
 IP-addr.list | 1 +
 4 files changed, 4 insertions(+)

diff --git a/IP-addr.cidr.in-addr.arpa b/IP-addr.cidr.in-addr.arpa
index 922d61d..b2e191f 100644
--- a/IP-addr.cidr.in-addr.arpa
+++ b/IP-addr.cidr.in-addr.arpa
@@ -72,6 +72,7 @@
 32.223.85.215.91
 32.224.120.251.47
 32.231.139.205.154
+32.231.51.76.80
 32.236.187.106.170
 32.236.194.253.47
 32.24.72.51.49
diff --git a/IP-addr.cidr.list b/IP-addr.cidr.list
index df87f0f..2a7316b 100644
--- a/IP-addr.cidr.list
+++ b/IP-addr.cidr.list
@@ -115,6 +115,7 @@
 8.221.101.91
 8.221.106.55/32
 8.221.127.62/32
+80.76.51.231/32
 81.83.84.22/32
 83.222.191.91/32
 87.120.115.240/32
diff --git a/IP-addr.in-addr.arpa b/IP-addr.in-addr.arpa
index 1d664f4..0a1c382 100644
--- a/IP-addr.in-addr.arpa
+++ b/IP-addr.in-addr.arpa
@@ -70,6 +70,7 @@
 220.199.106.170
 224.120.251.47
 231.139.205.154
+231.51.76.80
 235.139.34.188
 236.187.106.170
 236.194.253.47
diff --git a/IP-addr.list b/IP-addr.list
index 6dbf277..e961a83 100644
--- a/IP-addr.list
+++ b/IP-addr.list
@@ -114,6 +114,7 @@
 8.221.101.91
 8.221.106.55
 8.221.127.62
+80.76.51.231
 81.83.84.22
 83.222.191.91
 87.120.115.240
From ee9f3ea741259f3ede0f4e9dfd53b4a6660c67d4 Mon Sep 17 00:00:00 2001
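Review bot: The new `80.76.51.231/32` entry in IP-addr.cidr.list is correctly suffixed, but the context line directly above it, `8.221.101.91`, is the only address in that hunk without a prefix length, so the CIDR-formatted list now visibly mixes bare addresses with `/32` entries. If whatever consumes IP-addr.cidr.list expects a prefix on every line, that stray entry is presumably skipped or rejected rather than enforced; normalizing it to `8.221.101.91/32` here or in a follow-up would keep the file uniform. The same address appears unsuffixed in the IP-addr.list hunk of this patch, where that is the expected format.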
From: Scott Petty
Date: Mon, 27 Jan 2025 17:05:27 -0500
Subject: [PATCH 4/5] add URIs to second stage and final payload files hosted at 80.76.51.231 - lummastealer

---
 add-link | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/add-link b/add-link
index 25a803f..64b418e 100644
--- a/add-link
+++ b/add-link
@@ -1782,6 +1782,8 @@ https://2m.ma/ar/
 https://30-09-vjer09tg-ej5rg-9jker-gk0e-trgjk-r90jg-0rejg-9rr.obs.ap-southeast-3.myhuaweicloud.com/uy046uy-hgh5ejt-ghew-rhvgb-ewbnhrgv-0er5g-0bnhewr-g0r.html?AWSAccessKeyId=Y33AQWKH1XTGWG0XAF5T&Expires=1664482499&Signature=tyelPWJ3cU86NCoVhF38c12fIlo%3D
 https://61f0r.r.ah.d.sendibm4.com/mk/cl/f/P4c6noeIW31hDASG9uhJPK1qjzYrNXTcbnOstxUYKsIbiLznkLiPZBx9NrkbmmHSlK-yL25tLbHqPxu5gjciHqr10x8IJ_ciLkEO2CEwa_p4haEWnnFmQvzDDFqtk-EL-Qlb49d7koD9-1yLWv9WAx-DbdT6T4t7f0Az8SuK4nkJd-MdRg
 https://7i.se/debitreview
+https://80.76.51.231/Kompass-4.1.2.exe
+https://80.76.51.231/Samarik
 https://_helps_ledgercom_us_en.teachable.com/
 https://_helps_ledgercom_us_en.teachable.com/p/home
 https://aarif.co/g/nedbank/up/ab/ban/Login/
From 12560438acd64aee4daeb8bdd6a2df074ae4e381 Mon Sep 17 00:00:00 2001
From: Scott Petty
Date: Mon, 27 Jan 2025 17:06:41 -0500
Subject: [PATCH 5/5] add C2 domains for lummastealer to wildcard list - malware

---
 add-wildcard-domain | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/add-wildcard-domain b/add-wildcard-domain
index 867555b..3fa95e5 100644
--- a/add-wildcard-domain
+++ b/add-wildcard-domain
@@ -1,4 +1,5 @@
 123pan.cn
+3xp3cts1aim.sbs
 404024.xyz
 abbotsleigh.nsw.edu.au
 abcmueblesbogota.com
@@ -27,6 +28,7 @@ badhabits.ug
 balneariodelugo.com
 beastlucyspin.click
 beastsrandompack.click
+befall-sm0ker.sbs
 benyex.cl
 bersowir.org
 besatsrandompacks.click
@@ -2445,6 +2447,7 @@ kusjxka.xyz
 lastimaners.ug
 lebomashilo.co.za
 leopolfa.shop
+librari-night.sbs
 lieferdienste-deutsche.com
 liferacer.shop
 linkedinin.com
@@ -2498,13 +2501,17 @@ osapol.net
 ostarcub.xyz
 otwareng.xyz
 ountab.com
+owner-vacat10n.sbs
 p.usertrackktc.top
+p10tgrace.sbs
+p3ar11fter.sbs
 packtrack-help.top
 paipaisdvzxc.ru
 papychat-quete.site
 parceltrack-help.top
 partaususd.ru
 pastratas.ac.ug
+peepburry828.sbs
 pejusing.xyz
 pescacancun.com
 phsw.site
@@ -2512,6 +2519,7 @@ playwell.ug
 portalunimedcrs.com.br
 premium-acc-payment.com
 probacons.com
+processhol.sbs
 puroligert.com
 qd34gf23ewrfsd1233.ru
 quatro-casino.ca
@@ -2541,6 +2549,7 @@ simplylovingproducts.com
 sitefind.top
 skimswanp.com
 sldkhfw.xyz
+smiteattacekr.org
 sosvirus.net
 southerninsurs.com
 squad.cl
@@ -2672,6 +2681,7 @@ trackvpw.top
 trackvpy.top
 triathlethe.ug
 tricazo.com
+tripeggyun.fun
 tuskslacx.ug
 u.infotracktou.top
 ucnlkw.cyou