General
-
Target
Kobalc.exe
-
Size
185KB
-
Sample
240506-wx6gwsdd41
-
MD5
15717cd327a723820d71900611545917
-
SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156
-
SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
-
SSDEEP
3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd
Static task
static1
Behavioral task
behavioral1
Sample
Kobalc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Kobalc.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Targets
-
-
Target
Kobalc.exe
-
Size
185KB
-
MD5
15717cd327a723820d71900611545917
-
SHA1
99184ec149d329e98cd3e600cfaba22a2f9a0156
-
SHA256
db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
-
SHA512
a0de435db809e3e79f89411017e244c76145e010c67f894d41e265804c832f5514ac2f31cc9a0c667afa77aaaf3eccecac148279ca5a0feba492b222d5481a49
-
SSDEEP
3072:LoixrduqW9Goin4lZoD9d16zVfMZ2KKNRdTaB:0W5jOA96xrRd
-
Detect Lumma Stealer payload V4
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Looks for VMWare Tools registry key
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Deletes itself
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
3Windows Service
3Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Virtualization/Sandbox Evasion
1