General

  • Target

    1e77d4bacf57b3dd13454fb60957eb737e7faf03db338e7a1d3f826f3b43d90a

  • Size

    1.5MB

  • Sample

    231213-wzdjwsgafl

  • MD5

    2e74f5245ca7a51dc842716cdfa0e930

  • SHA1

    ddfa93de3110aa0589aef5608018c6282be562c7

  • SHA256

    1e77d4bacf57b3dd13454fb60957eb737e7faf03db338e7a1d3f826f3b43d90a

  • SHA512

    dc949a5443810a61785c491e0246db4c6e7b994dc9b5e54f0fa049db1e9a2994b24301333eeecd2de2ac443a5aa03748a6b560414ea2a6035e5aae70e7c2e991

  • SSDEEP

    24576:ayfOwiR2fLnV3/rc9zTiwzGU2MB5rDqVlj+tDEEJeqgajY4225VAbW5JsWyuJYfu:hKR2znVg9TwC6latoIvjV+wsWyuyf

Malware Config

Extracted

Family

risepro

C2

193.233.132.51

Extracted

Family

lumma

C2

http://soupinterestoe.fun/api

http://dayfarrichjwclik.fun/api

http://neighborhoodfeelsa.fun/api

http://ratefacilityframw.fun/api
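
The atomic indicators above (the sample hashes and the RisePro and Lumma C2 addresses) are the first thing to sweep for on other hosts. The script below is an added example, not part of this report or of the sandbox vendor's tooling: it hashes a file with all four algorithms in one pass and compares the result with the report, and it matches proxy or DNS log lines against the C2 IP and the four Lumma `/api` domains (including sub-domains of those domains). The log lines embedded in it are constructed, not captured from the run.

```python
"""Check a file and a batch of proxy/DNS log lines against the indicators
in this report. Added example; the log lines are constructed, not sandbox output."""
import hashlib
from urllib.parse import urlsplit

# Sample hashes exactly as listed in the report.
SAMPLE_HASHES = {
    "md5": "2e74f5245ca7a51dc842716cdfa0e930",
    "sha1": "ddfa93de3110aa0589aef5608018c6282be562c7",
    "sha256": "1e77d4bacf57b3dd13454fb60957eb737e7faf03db338e7a1d3f826f3b43d90a",
    "sha512": "dc949a5443810a61785c491e0246db4c6e7b994dc9b5e54f0fa049db1e9a2994"
              "b24301333eeecd2de2ac443a5aa03748a6b560414ea2a6035e5aae70e7c2e991",
}
# Network indicators from the extracted RisePro and Lumma configs.
RISEPRO_C2_IPS = {"193.233.132.51"}
LUMMA_C2_URLS = [
    "http://soupinterestoe.fun/api",
    "http://dayfarrichjwclik.fun/api",
    "http://neighborhoodfeelsa.fun/api",
    "http://ratefacilityframw.fun/api",
]
LUMMA_C2_HOSTS = {urlsplit(u).hostname for u in LUMMA_C2_URLS}


def _digest_stream(chunks) -> dict:
    """Feed every chunk to all four hash algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digest_stream([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    with open(path, "rb") as fh:
        return _digest_stream(iter(lambda: fh.read(chunk_size), b""))


def matching_algorithms(digests: dict) -> set:
    """Names of the algorithms whose digest equals the value in the report."""
    return {name for name, value in digests.items()
            if SAMPLE_HASHES.get(name) == value.lower()}


def _host_of(token: str) -> str:
    """Reduce a URL, host:port or bare host/IP token to a lowercase host name."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    if token.count(":") == 1:          # host:port (IPv4 address or name only)
        token = token.rsplit(":", 1)[0]
    return token.lower()


def scan_log_line(line: str) -> list:
    """Return (family, indicator) pairs for each C2 the line touches.
    Sub-domains of a Lumma C2 domain count as hits; the RisePro IP must match exactly."""
    hits = []
    for token in line.split():
        host = _host_of(token)
        if host in RISEPRO_C2_IPS:
            hits.append(("risepro", host))
        for c2 in LUMMA_C2_HOSTS:
            if host == c2 or host.endswith("." + c2):
                hits.append(("lumma", c2))
    return hits


def scan_log(lines) -> list:
    """(line number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed proxy/DNS log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2023-12-13T10:15:01Z 10.0.0.23 dns A dayfarrichjwclik.fun",
    "2023-12-13T10:15:02Z 10.0.0.23 POST http://soupinterestoe.fun/api 200",
    "2023-12-13T10:15:03Z 10.0.0.23 GET https://www.example.com/ 200",
    "2023-12-13T10:15:05Z 10.0.0.23 tcp 193.233.132.51:50500 established",
]

if __name__ == "__main__":
    import sys
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
    for path in sys.argv[1:]:
        print(path, sorted(matching_algorithms(hash_file(path))) or "no match")
```

Hash matching only catches this exact build; Lumma and RisePro are repacked frequently, so treat the C2 hosts as the longer-lived indicators and pair them with the behavioural checks further down. The SSDEEP value is deliberately left out here because the standard library has no fuzzy-hash comparison.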

Targets

    • Target

      1e77d4bacf57b3dd13454fb60957eb737e7faf03db338e7a1d3f826f3b43d90a

    • Size

      1.5MB

    • MD5

      2e74f5245ca7a51dc842716cdfa0e930

    • SHA1

      ddfa93de3110aa0589aef5608018c6282be562c7

    • SHA256

      1e77d4bacf57b3dd13454fb60957eb737e7faf03db338e7a1d3f826f3b43d90a

    • SHA512

      dc949a5443810a61785c491e0246db4c6e7b994dc9b5e54f0fa049db1e9a2994b24301333eeecd2de2ac443a5aa03748a6b560414ea2a6035e5aae70e7c2e991

    • SSDEEP

      24576:ayfOwiR2fLnV3/rc9zTiwzGU2MB5rDqVlj+tDEEJeqgajY4225VAbW5JsWyuJYfu:hKR2znVg9TwC6latoIvjV+wsWyuyf

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from the PayPal brand.
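
The signatures above describe behaviours rather than strings, which is what survives a repack. The script below is an added example, not part of this report or of the sandbox's own signature engine: it maps a stream of endpoint events (registry writes and queries, file reads and writes, process starts, DNS queries) onto the signature names used in this report and requires several distinct behaviours from the same process tree before calling it a stealer. The event schema, the sample records and the list of public-IP lookup services are assumptions made for the example.

```python
"""Map endpoint telemetry onto the behaviours this report flags. Added example;
the event schema and the records below are constructed, not sandbox output."""
import re
from collections import Counter

# Registry and file locations behind the signatures (Windows paths are case-insensitive).
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
UNINSTALL_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall\\", re.I)
OUTLOOK_PROFILES = re.compile(r"\\software\\microsoft\\office\\\d+\.\d+\\outlook\\profiles\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Credential and cookie stores of Chromium-based browsers and Firefox.
BROWSER_STORES = re.compile(r"\\(login data|web data|cookies|logins\.json|key4\.db)$", re.I)
# Public-IP lookup services; assumption: a short, illustrative list.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ip-api.com", "ifconfig.me"}


def classify(event: dict, dropped: set) -> list:
    """Signature names triggered by one event. `dropped` holds the lowercase
    paths of executables the monitored process tree has already written."""
    kind = event.get("type")
    path = event.get("path", "")
    labels = []
    if kind == "file_write" and STARTUP_DIR.search(path):
        labels.append("Drops startup file")
    if kind == "process_create" and event.get("image", "").lower() in dropped:
        labels.append("Executes dropped EXE")
    if kind == "registry_set" and RUN_KEY.search(path):
        labels.append("Adds Run key to start application")
    if kind in ("registry_open", "registry_query"):
        if UNINSTALL_KEY.search(path):
            labels.append("Checks installed software on the system")
        if OUTLOOK_PROFILES.search(path):
            labels.append("Accesses Microsoft Outlook profiles")
    if kind == "file_read" and BROWSER_STORES.search(path):
        labels.append("Reads user/profile data of web browsers")
    if kind == "dns" and event.get("name", "").lower() in IP_LOOKUP_HOSTS:
        labels.append("Looks up external IP address via web service")
    return labels


def summarize(events) -> Counter:
    """Count signature hits over an ordered event stream from one process tree."""
    dropped = set()
    counts = Counter()
    for event in events:
        counts.update(classify(event, dropped))
        if event.get("type") == "file_write" and event.get("path", "").lower().endswith(".exe"):
            dropped.add(event["path"].lower())
    return counts


def stealer_verdict(counts: Counter, min_distinct: int = 3) -> bool:
    """Persistence plus data access from one tree is the pattern this report shows;
    require several distinct signatures so a lone Run key does not alert."""
    return len(counts) >= min_distinct


# Constructed event records (not from the sandbox run), in the order they occurred.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
    {"type": "registry_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "file_write",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"type": "registry_query",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}"},
    {"type": "registry_query", "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "file_read",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "name": "api.ipify.org"},
    {"type": "dns", "name": "www.example.com"},
    {"type": "file_read", "path": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_EVENTS)
    for name, n in counts.most_common():
        print(f"{n}x {name}")
    print("stealer:", stealer_verdict(counts))
```

The threshold is the important design choice: legitimate installers also write Run keys and enumerate the Uninstall key, and update agents query public-IP services, so any one of these on its own is noise. The combination this report shows (persistence, browser and mail-client data access, and an external IP lookup from the same freshly dropped executable) is what justifies an alert.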

MITRE ATT&CK Enterprise v15

Tasks