General

  • Target

    tmp

  • Size

    1.5MB

  • Sample

    231213-v39aashbf9

  • MD5

    6d9f060cd728271d3d5c2210c8c9a3c8

  • SHA1

    2a65466e8c122521c344cb911eda7d10dc082126

  • SHA256

    55a6870b236e59e5a1b8dcfc8ad69ef3ec57f1c6db86b2629047c63ea0714b0b

  • SHA512

    9353516a1a57922093e81edf6f2721101362347855f9c5a260a558d906bd59919a3c2e486b22a4e044d44db8c86e13a7dc363d2f712ad29c5021c3c67f5e12a2

  • SSDEEP

    24576:LyJELbdrfTnV3drc9vkkaW9QvQlySePHLmEgKynHByqqEyuFYfKaI7n:+eXtbnVatxHuvrSePHLLVytyumfZI

Malware Config

  • Extracted

    Family: risepro
    C2: 193.233.132.51

  • Extracted

    Family: lumma
    C2: http://soupinterestoe.fun/api
    C2: http://dayfarrichjwclik.fun/api
    C2: http://neighborhoodfeelsa.fun/api
    C2: http://ratefacilityframw.fun/api

Targets

    • Detect Lumma Stealer payload V4

    • Detected google phishing page

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks