General

  • Target

    9fade38b54e168fe528b631ca35dedce100d837a92f58837d50000e57fdaf94c

  • Size

    1.5MB

  • Sample

    231214-gq24kabggr

  • MD5

    b2e8f8df9c7d8a1847509ea28ea7e71f

  • SHA1

    b5d77f3d2b6c592cd6780e2ba3323ba7bb5ed56e

  • SHA256

    9fade38b54e168fe528b631ca35dedce100d837a92f58837d50000e57fdaf94c

  • SHA512

    9ab67889f32abf515655a5cdf6442a9ab52da5ccb97d8282464499c6c8e423a500e69ce8d1136e7630723e7c858ae676ded1792982f848370a23c900707ba48b

  • SSDEEP

    24576:DyDqeqdHkuvfVnV3lrc9KnjhGYBAjlNw8ljvwwRJjMiTbGBrGf5zyuFYf2Y4:WaHRvtnVigjqbw8ljv5AiTarK5zyumff

Malware Config

  • Extracted

    Family

    risepro

    C2

    193.233.132.51

  • Extracted

    Family

    lumma

    C2

    http://soupinterestoe.fun/api
    http://dayfarrichjwclik.fun/api
    http://neighborhoodfeelsa.fun/api
    http://ratefacilityframw.fun/api

Targets

    • Detect Lumma Stealer payload V4

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks