{
	"id": "50e53406-6808-49a6-8093-f574d5d27245",
	"created_at": "2026-04-06T00:09:24.987257Z",
	"updated_at": "2026-04-10T03:20:32.15302Z",
	"deleted_at": null,
	"sha1_hash": "78bb22ecc16771578e2022c4cc3ab7958329b9de",
	"title": "Luminosity RAT - Re-purposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803280,
	"plain_text": "Luminosity RAT - Re-purposed\r\nBy malwarenailed\r\nPublished: 2016-07-30 · Archived: 2026-04-05 15:29:04 UTC\r\nSo I came across a sample that was sent inside a .7z file and, strangely, was detected by a file filter rather than by any spam or antivirus filter. The file was interestingly named EmiratedNBD.exe, which suggests that the attack is targeted at the region, as Emirates NBD is one of the biggest financial entities in the GCC. The sample was not identified by any antivirus and was still unknown to VirusTotal at the time of writing.\r\nMD5: 9b2da7bfb9dedaba7e4d14d623081d7f\r\nSHA1: cfa3ce2a7743181775870d00f4f418efdd737a31\r\nMoreover, the file appears to be encrypted: few strings could be found and only a handful of libraries were visible in the import directory. The sample is written in C# (.NET).\r\nI performed basic static and dynamic analysis of the sample, and the initial findings strongly indicate that it is an encrypted Luminosity RAT payload that infects the endpoint and communicates with its C2 server (C2 IP address: 204.45.103.37). To date there is not much OSINT available on this IP address.\r\n
When the sample starts as a process, it appears to spawn a child process in suspended mode and write the decrypted payload into that child's memory space; this is the process hollowing (RunPE) pattern typical of .NET crypters, and it is consistent with the useful strings being recoverable only from the child's memory rather than from the file on disk. The decrypted payload is responsible for all botnet communication with the C2 server. The original parent process terminates after spawning the child process. I was able to extract many useful strings from the memory of the running child process. I also noticed another artifact left by the sample: an \"explorer.exe\" in the temp folder, placed in Startup as an IE shortcut.\r\n
The bot's beaconing is periodic and appears to use a custom network protocol whose destination port is 19881. The information sent to the C2 server comprises the analysis tools and GUI processes currently running, the domain and user information, the OS version, a literal \"True\", the antivirus running, a hash of some sort, the current date, an \"N\" and lastly 8_=_8 at the end. Noticeably, every request is preceded by a ping to the IP address, so the ping-then-connect pairing and the fixed port are themselves useful network indicators. The client's communication starts with \"CONNECT\" and each message is preceded by \"=P4CK3T\". The server's response is \"ACT=P4CK3T=8_=_8\".\r\nFireEye detects the communication protocol as Trojan Luminosity Link.\r\nAttempting to decompile the sample with .NET Reflector and JetBrains dotPeek yields no results, obviously, as the sample is encrypted. Debugging with DILE also yields no results, as execution never stops at the entry point given in the PE optional header.\r\nhttp://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html\r\n
I had to resort to ILSpy to decompile the sample to CIL opcodes and see what is going on. Currently I am also looking for other ways to debug the sample successfully. The decompiled opcode shows that the entry point of the code is the module lohnfraz (\"lohnfraz.NN v5.5.5\"). 
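The beacon framing described above, as an added example that is not part of the original post: a small Python parser for the client hello and the server acknowledgement, plus a scorer that only fires when several weak signals line up. Only the tokens named in the write-up (CONNECT, =P4CK3T, 8_=_8 and ACT=P4CK3T=8_=_8), the destination port 19881 and the listed field order come from the post; the names given to the fields, the exact field encoding and the sample payloads are assumptions constructed for illustration.

```python
# Added example, not code from the original post. It parses the Luminosity-style
# beacon framing described in the write-up and scores a flow on several weak
# signals at once. Field names, the field encoding and the sample payloads are
# constructed assumptions; only the tokens, the port and the field order come
# from the post.

C2_PORT = 19881                     # destination port seen in the capture
FIELD_SEP = '=P4CK3T'               # precedes every field in a client message
TRAILER = '8_=_8'                   # last element of the client hello
SERVER_ACK = 'ACT=P4CK3T=8_=_8'     # the server reply seen in the capture

# Field order as listed in the post: analysis tools, GUI processes, domain and
# user, OS version, a literal True, antivirus, a hash, date, then an N.
# The names below are our own labels, not anything the malware uses.
FIELD_NAMES = ['analysis_tools', 'gui_processes', 'domain_user', 'os_version',
               'flag', 'antivirus', 'hash', 'date', 'marker']


def parse_client_beacon(payload):
    '''Return the named fields of a client hello, or None if the framing does not match.'''
    if not payload.startswith('CONNECT'):
        return None
    body = payload[len('CONNECT'):]
    if not body.startswith(FIELD_SEP):
        return None
    parts = body.split(FIELD_SEP)[1:]   # drop the empty string before the leading separator
    if not parts or parts[-1] != TRAILER:
        return None
    fields = parts[:-1]
    if len(fields) != len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, fields))


def is_server_ack(payload):
    '''True when the server side of the flow is exactly the acknowledgement seen in the post.'''
    return payload.strip() == SERVER_ACK


def score_flow(dst_port, client_payload, server_payload):
    '''Combine weak indicators so that a lone token (a stray 8_=_8 in unrelated
    traffic, or some other service that happens to use port 19881) does not
    fire on its own. Returns (verdict, reasons, parsed_beacon_or_None).'''
    reasons = []
    if dst_port == C2_PORT:
        reasons.append('destination port 19881')
    beacon = parse_client_beacon(client_payload)
    if beacon is not None:
        reasons.append('client framing CONNECT / =P4CK3T / 8_=_8')
        if beacon['flag'] == 'True' and beacon['marker'] == 'N':
            reasons.append('literal True and N fields present')
    if is_server_ack(server_payload):
        reasons.append('server ack ACT=P4CK3T=8_=_8')
    verdict = 'luminosity_link' if len(reasons) >= 2 else 'no_match'
    return verdict, reasons, beacon


# Constructed sample exchange (not a real capture); every field value is invented.
SAMPLE_CLIENT = FIELD_SEP.join([
    'CONNECT', 'procmon.exe;wireshark.exe', 'explorer.exe;notepad.exe',
    'WORKGROUP/analyst', 'Windows 7 SP1', 'True', 'None',
    '0123456789abcdef0123456789abcdef', '30/07/2016', 'N', TRAILER])
SAMPLE_SERVER = 'ACT=P4CK3T=8_=_8'

if __name__ == '__main__':
    verdict, reasons, beacon = score_flow(C2_PORT, SAMPLE_CLIENT, SAMPLE_SERVER)
    print(verdict)
    for r in reasons:
        print('  -', r)
    print(beacon)
```

Feed it reassembled TCP payloads (one client message and the matching server reply per flow); the verdict requires at least two independent signals, so a port match alone, or a single token in unrelated traffic, is reported as no_match.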
\r\nThe sample also looks for certain config and .ini files in the same directory as itself, indicating that it was accompanied by some configuration. My guess is that the threat actors have re-purposed the Luminosity RAT, encrypted the client payload and delivered it inside a weaponized .7z archive aimed at the GCC region.\r\nScreenshots from the analysis (captions only):\r\nThe sample detection by file filter\r\nThe email header\r\nThe delivery\r\nContained communication\r\nProcess spawning the child process\r\nProcess Monitor (Procmon) activity output\r\nLooking for config file\r\nLooking for INI configuration\r\nMalware can check for unusual entries under the Image File Execution Options (IFEO) registry key(s), where debuggers and analysis tooling register themselves, as a way of determining whether it has landed on an analyst's machine, and change its behaviour accordingly.\r\nThis file is created in the temp folder with the MD5 hash value of the original binary; I am guessing this is the sample performing an integrity check on itself.\r\nSome of the interesting strings extracted from the decrypted child process memory space:\r\nThe explorer.exe artifact left by the sample\r\nSome more strings showing various commands to be received from the server and executed on the client. We can also see references to Luminosity in some of the detected strings.\r\nnet user and net localgroup commands to add local users and to add them to, most probably, the local Administrators group.\r\nIP address of the C2 server hard coded\r\nOne of the client messages (hello to the C2 server)\r\nping before every request\r\nClient communications\r\nServer replies\r\nDecompile failure (.NET Reflector and dotPeek)\r\nReversing the CIL opcode\r\nSource: http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html"
	],
	"report_names": [
		"luminosity-rat-re-purposed.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78bb22ecc16771578e2022c4cc3ab7958329b9de.pdf",
		"text": "https://archive.orkl.eu/78bb22ecc16771578e2022c4cc3ab7958329b9de.txt",
		"img": "https://archive.orkl.eu/78bb22ecc16771578e2022c4cc3ab7958329b9de.jpg"
	}
}