General

  • Target

    86c963538210d4647428af35f50d5c17f597be0094b8bf539e2f6d059d442271

  • Size

    1.5MB

  • Sample

    231213-r7zpwaebhk

  • MD5

    818e21ef80effedc38f0543587bc4b2e

  • SHA1

    3c5c922a22a7d2261eacd0e4a8c6db6a820cf419

  • SHA256

    86c963538210d4647428af35f50d5c17f597be0094b8bf539e2f6d059d442271

  • SHA512

    6dc8adb2129fba806586d6c05a821cab5d551cd4f518175f1db57ef249e7c079706fbe4968bf49cedf70741c8e2b7399ff2d7b66fadc7b2d75a815d7d68a3abc

  • SSDEEP

    24576:dyH+u8Ae3AZFfnnV3Hrc9TcQbcqXcYSs1nBBQ1Nf5qAJmkKW8ysuyDOTfJfk:4d8AZZFPnVIhcQIRs1if5qWm3/yVyDeZ

Malware Config

  • Extracted

    Family: risepro

    C2: 193.233.132.51

  • Extracted

    Family: lumma

    C2:

      http://soupinterestoe.fun/api

      http://dayfarrichjwclik.fun/api

      http://neighborhoodfeelsa.fun/api

      http://ratefacilityframw.fun/api

Targets

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Drops file in System32 directory
