General

  • Target

    adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

  • Size

    395KB

  • Sample

    240328-2lt8daaf2y

  • MD5

    faeea4484adbb16f4f37872b15d9972a

  • SHA1

    34f5f1a5545344916dad04807ca07743258099be

  • SHA256

    adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

  • SHA512

    51d068a4df42f6f3f1166a4d11a311aafd7684656e241d013548a32b6b80ab3c07bfb50311cd2b9b3f4bd8a31834039010a0e461f6b05cc2a43551a7883e92f6

  • SSDEEP

    12288:VvpMG3BLI6HW0XuX7XVGB7AKtyqLETeZEDb4C2:VvpM81z+LXV8tvLAeZMb4t

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Extracted

Family

lumma

C2

https://herdbescuitinjurywu.shop/api

Targets

    • Target

      adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

    • Size

      395KB

    • MD5

      faeea4484adbb16f4f37872b15d9972a

    • SHA1

      34f5f1a5545344916dad04807ca07743258099be

    • SHA256

      adffd52446d0d94c4f726205482a0c062248d6eb35948df937336957cf747db8

    • SHA512

      51d068a4df42f6f3f1166a4d11a311aafd7684656e241d013548a32b6b80ab3c07bfb50311cd2b9b3f4bd8a31834039010a0e461f6b05cc2a43551a7883e92f6

    • SSDEEP

      12288:VvpMG3BLI6HW0XuX7XVGB7AKtyqLETeZEDb4C2:VvpM81z+LXV8tvLAeZMb4t

    • Detects DLL dropped by Raspberry Robin.

      Raspberry Robin.

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • Windows security bypass

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Manipulates WinMonFS driver.

      Roottkits write to WinMonFS to hide directories/files from being detected.

    • Modifies boot configuration data using bcdedit

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks