General
-
Target
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
-
Size
395KB
-
Sample
240328-2lt8daaf2y
-
MD5
faeea4484adbb16f4f37872b15d9972a
-
SHA1
34f5f1a5545344916dad04807ca07743258099be
-
SHA256
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
-
SHA512
51d068a4df42f6f3f1166a4d11a311aafd7684656e241d013548a32b6b80ab3c07bfb50311cd2b9b3f4bd8a31834039010a0e461f6b05cc2a43551a7883e92f6
-
SSDEEP
12288:VvpMG3BLI6HW0XuX7XVGB7AKtyqLETeZEDb4C2:VvpM81z+LXV8tvLAeZMb4t
Static task
static1
Behavioral task
behavioral1
Sample
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8.exe
Resource
win7-20240221-en
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Extracted
lumma
https://herdbescuitinjurywu.shop/api
Targets
-
-
Target
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
-
Size
395KB
-
MD5
faeea4484adbb16f4f37872b15d9972a
-
SHA1
34f5f1a5545344916dad04807ca07743258099be
-
SHA256
adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8
-
SHA512
51d068a4df42f6f3f1166a4d11a311aafd7684656e241d013548a32b6b80ab3c07bfb50311cd2b9b3f4bd8a31834039010a0e461f6b05cc2a43551a7883e92f6
-
SSDEEP
12288:VvpMG3BLI6HW0XuX7XVGB7AKtyqLETeZEDb4C2:VvpM81z+LXV8tvLAeZMb4t
-
Detects DLL dropped by Raspberry Robin.
Raspberry Robin.
-
Glupteba payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies boot configuration data using bcdedit
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1