General

  • Target: 24b2f4d166acaa53e399d79b0942811e.jpg
  • Size: 11KB
  • Sample: 240226-1ltfeagg68
  • MD5: 5196c2a576b01221d14d6841b085212d
  • SHA1: ddcfe273c74c38c95bf24d13b6eb95808e175336
  • SHA256: 1e4ff97d7c0f8c32e9b5a7b4fbb05e69f91c10c88d5ee58c8a1d2ce9805759bc
  • SHA512: 08a42fc2074f137354fd00efe7c2bbc6b3b48040ee068529dccdc7f7cee890388347f06441b34a3af6f8dcb9aeceddd5b5240fbbe5ce5d7c689489e78e0bc266
  • SSDEEP: 192:0f1E4Yittld8GRbkqCUqDtGy+GL3DRyXNtpaaes6jBchxJJsgG5NGOmvveca:0f64Y+ld8IbkHc0L3DRotsk6jBclJw5f

Malware Config

Extracted

  • Family: vidar
  • Version: 8
  • Botnet: ab8ba484d8a6c9be7d043c05bea0aa9f
  • C2:
      https://t.me/neoschats
      https://steamcommunity.com/profiles/76561199644883218
  • Attributes
      • profile_id_v2: ab8ba484d8a6c9be7d043c05bea0aa9f
      • user_agent: Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78

Extracted

  • Family: gcleaner
  • C2:
      185.172.128.90
      5.42.64.3
      5.42.65.115

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKed
  • C2: 18.ip.gl.ply.gg:43389
  • Mutex: 4ac5522ba6619835b9ac056e603570c4
  • Attributes
      • reg_key: 4ac5522ba6619835b9ac056e603570c4
      • splitter: |'|'|

Extracted

  • Family: lumma
  • C2:
      https://technologyenterdo.shop/api
      https://detectordiscusser.shop/api
      https://turkeyunlikelyofw.shop/api
      https://associationokeo.shop/api

Targets

    • Detect Vidar Stealer

    • Detect ZGRat V1

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      A widely used RAT written in .NET.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks