vx-underground · Feb 17, 2024 · 7:49 PM UTC

vx-underground

vx-underground

@vxunderground

17 Feb 2024

An individual on Reddit reported purchasing a USB-based vibrator and, when attempting to charge the device, was inundated with web browser pages opening, the antivirus flagged the files as malicious. tl;dr vibrator delivering Lumma stealer File shared: tria.ge/240215-xvx86seb91

lumma | 3729104fc485ea9c5a752f6de9226ad5add663f528b8114050d0f958a68ae774 | Triage

Check this lumma report malware sample 3729104fc485ea9c5a752f6de9226ad5add663f528b8114050d0f958a68ae774, with a score of 10 out of 10.

tria.ge

151

963

TheGift73 · Feb 17, 2024 · 11:33 PM UTC

TheGift73 · Feb 17, 2024 · 11:33 PM UTC

TheGift73 @TheGift73

17 Feb 2024

Replying to @vxunderground

Interesting. I submitted the same file (hashes match) 2 days after this submission and it came back with 8/10 instead of 10/10? Diff machine selection for analysing it? tria.ge/240217-27slnsbf3x

3729104fc485ea9c5a752f6de9226ad5add663f528b8114050d0f958a68ae774 | Triage

Check this report malware sample 3729104fc485ea9c5a752f6de9226ad5add663f528b8114050d0f958a68ae774, with a score of 8 out of 10.

tria.ge

Feb 17, 2024 · 11:33 PM UTC

WifiRumHam · Feb 18, 2024 · 7:04 PM UTC

WifiRumHam

@WifiRumHam

18 Feb 2024

Replying to @TheGift73 @vxunderground

Yes. Some of them submitted were further down in the zip and didnt include the xml "bomb." Some used a variation of win10/11. They also have interactive sessions which got more IOCs out of the files, running as admin/non admin/modifying the compatibility setting in the execution.

TheGift73 · Feb 18, 2024 · 7:09 PM UTC

TheGift73 @TheGift73

18 Feb 2024

Ah, thank you for the explanation.