General

  • Target: 27.zip
  • Size: 2.9MB
  • Sample: 240513-qd3n1afh5s
  • MD5: d537da6ef1067c37eae70a5547b36b85
  • SHA1: 6d671fdba3f904c40c4188254d19cbfc0c788b18
  • SHA256: 79ed95c08bb082698e7cce0c30d74fa53f7043bf4d0fe151d34fe8b9f09229e4
  • SHA512: 1f7d7cee7aba8d6fbe76631d9c3c6949eec8b90be2e9e8c2ecdf958d15f0e007da59ed25221891e5bd7cc61718d026154f1bedb45653077a066b7f98b1151c2b
  • SSDEEP: 49152:Q0lvAw08rXNkFPCSap11L0QSjdqq6vojXmNepFbHe3Sf5n905RNp0hjODSCYCr:Q01AT8rXNkFCSaz3Shuil6S45Dpy/Cjr

Malware Config

Extracted

  • Family: lumma
  • C2:
      https://sofaprivateawarderysj.shop/api
      https://lineagelasserytailsd.shop/api
      https://tendencyportionjsuk.shop/api
      https://headraisepresidensu.shop/api
      https://appetitesallooonsj.shop/api
      https://minorittyeffeoos.shop/api
      https://prideconstituiiosjk.shop/api
      https://smallelementyjdui.shop/api
      https://glossydecentjuskwos.shop/api

Extracted

  • Family: stealc
  • C2: http://80.66.84.6
  • Attributes
      url_path: /d63110d028a428e9.php

Extracted

  • Family: redline
  • Botnet: 7001210066
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: 5345987420
  • C2: https://pastebin.com/raw/NgsUAPya

Extracted

  • Family: redline
  • Botnet: 5195552529
  • C2: https://pastebin.com/raw/NgsUAPya
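
The digests and C2 values above can be turned directly into a matcher for files and proxy/DNS logs. The following is an added example, not code from the sandbox report or from any of the malware families it describes: the hash values and C2 URLs are copied from the General and Malware Config sections above; the function names, and the treatment of the pastebin URL as a dead-drop resolver (assumed to hold the real RedLine C2 address, since the report lists it under C2 rather than as a payload host), are assumptions made for the example.

```python
"""Match file digests and URLs against the indicators in this report.

Added example, not code from the sandbox report. The digests and C2
values below are copied from the General and Malware Config sections;
function names and the treatment of the pastebin URL as a dead-drop
resolver are assumptions made for the example.
"""
import hashlib
import sys
from urllib.parse import urlsplit

# Digests of the container 27.zip, as listed under General.
CONTAINER_DIGESTS = {
    "md5": "d537da6ef1067c37eae70a5547b36b85",
    "sha1": "6d671fdba3f904c40c4188254d19cbfc0c788b18",
    "sha256": "79ed95c08bb082698e7cce0c30d74fa53f7043bf4d0fe151d34fe8b9f09229e4",
}

# Lumma C2 endpoints from the extracted config; only the host is used
# for matching, the path is always /api in this config.
LUMMA_C2 = [
    "https://sofaprivateawarderysj.shop/api",
    "https://lineagelasserytailsd.shop/api",
    "https://tendencyportionjsuk.shop/api",
    "https://headraisepresidensu.shop/api",
    "https://appetitesallooonsj.shop/api",
    "https://minorittyeffeoos.shop/api",
    "https://prideconstituiiosjk.shop/api",
    "https://smallelementyjdui.shop/api",
    "https://glossydecentjuskwos.shop/api",
]
LUMMA_C2_HOSTS = {urlsplit(u).hostname for u in LUMMA_C2}

# Stealc C2 host and the url_path attribute from its extracted config.
STEALC_C2_HOST = "80.66.84.6"
STEALC_URL_PATH = "/d63110d028a428e9.php"

# The three RedLine configs share this pastebin URL as their C2 entry.
# Assumption: the paste is a dead-drop resolver holding the real C2
# address, so only this exact path is an indicator, not pastebin.com.
REDLINE_DEAD_DROP = "https://pastebin.com/raw/NgsUAPya"


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Hash a file in one pass with all three algorithms (streams large files)."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests, known=CONTAINER_DIGESTS):
    """Return the algorithms whose digest equals a known indicator (case-insensitive)."""
    return sorted(
        algo for algo, value in digests.items()
        if known.get(algo, "").lower() == value.lower()
    )


def classify_url(url):
    """Map a URL to (family, detail) if it touches a C2 in this report, else None."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in LUMMA_C2_HOSTS:
        return ("lumma", f"{host} is a Lumma C2 host (config endpoint {host}/api)")
    if host == STEALC_C2_HOST:
        detail = "Stealc C2 host"
        if path == STEALC_URL_PATH:
            detail += " with the configured gate path " + STEALC_URL_PATH
        return ("stealc", detail)
    dead_drop = urlsplit(REDLINE_DEAD_DROP)
    if host == dead_drop.hostname and path == dead_drop.path:
        return ("redline", "dead-drop paste used by the RedLine configs to resolve their C2")
    return None


if __name__ == "__main__":
    # Usage: python ioc_match.py <file>... ; URLs are read from stdin, one per line.
    for name in sys.argv[1:]:
        digests = hash_file(name)
        hits = match_digests(digests)
        print(f"{name}: sha256={digests['sha256']} matches={hits or 'none'}")
    for line in sys.stdin:
        verdict = classify_url(line)
        if verdict:
            print(f"{line.strip()}: {verdict[0]} ({verdict[1]})")
```

Two points worth keeping in mind when using this: the per-target SHA256 values listed under Targets can be added to the known-digest table the same way, and pastebin.com itself is a legitimate service, so blocking is only defensible on the exact raw-paste path, not on the host.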

Targets

    • Target: 27
    • Size: 1.2MB
    • MD5: 62f676dd5d1087f47dc7ef443e86cdd4
    • SHA1: 7faaa3191d243073d562049f7d3f3e2ae35597e9
    • SHA256: ec36c266fea28f1ecbbfb582b70de34a06c4bd0d0b04731c0967d83615abb8e5
    • SHA512: 03c3a42f024ce3da2896aed73e8e377ffb5075a99d0174036c2fcd30c0c2844b81644c4e038f7480c1ce29922e8c2e8c368f47c93a9001098e789076433f42bb
    • SSDEEP: 24576:ohnKijRQyElyKHt3W5VzWMsY6BID5tHWK7aIqpms6:ohKhlyKHt3WH286ms6
    • Score: 10/10
    • Lumma Stealer
      An infostealer written in C++ first seen in August 2022.
    • Suspicious use of SetThreadContext

    • Target: A5
    • Size: 1.2MB
    • MD5: 8ebad29fc50d6c433b34b4dad659a6e6
    • SHA1: d630055923b79c2cc3497f6b1e1b84afe636af2b
    • SHA256: 3594c1cfa7f021c35af6db737d06b1520c21e8a88d086311741394feefd1cfcd
    • SHA512: 59bfb7e319219cf58e41c606d04cb30745eaaf4476db670162077bd63b1b89117905434f38ea31cc929e227a7e81753ed32f1f743a7549b618b777577efee648
    • SSDEEP: 24576:YMrDKiyJIK8luK3932J4NmMsYqBADl4kloanxXB4vIH6nygsj:YM6CluK3932amZkWan/Xtgsj
    • Score: 10/10
    • Lumma Stealer
      An infostealer written in C++ first seen in August 2022.
    • Suspicious use of SetThreadContext

    • Target: B5
    • Size: 208KB
    • MD5: 298bb7d0270db2eb7f9e1649d826f76e
    • SHA1: 7c7471d83140f5eff813ceb946f9e545e33c670b
    • SHA256: fb5fde5e2f1f868dabe89f2e13a81a000fa118e7580325db38ed9eeeca11423e
    • SHA512: 28cf7f21b447d3552d3c69747bdddfacf22049662ccb725fb27bf350e5a44aa2777f71d3744f9335ba2cd254a94058708fc404e547e972e70ff773ec785491a0
    • SSDEEP: 6144:A6xIXRr79NvEREa2pZ++Fov+0Rk36Gi+spg:A8Ih9PR3Gv+YLGnspg
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: BF
    • Size: 208KB
    • MD5: 1100d4f32e7149b9ef1e58d2116709d2
    • SHA1: 584b24aaeacf35deb6d1020d72dc86caeeb04f65
    • SHA256: bdfb9fd62f777457f67dfc066d61b439e6038c53b9ebc9f010e4c71cb329408c
    • SHA512: 948c902e2deda504ece97afa60602dc6075d52e39ba4e169c672cea8cca4dee9f8ea89d38d9dcec999fc8d418e8633073c955a11ebba6f559e12c11b7f9d772d
    • SSDEEP: 6144:tdj7PZTv991CZ2xqmY+mcJoRJhCQtC8Gespp:t57d9eFcroRJrtZspp
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

    • Target: C6
    • Size: 1.2MB
    • MD5: fb193a597680a5496b15e85565f34589
    • SHA1: f90757fd9777fde967047ed8821f8aa232fa4e56
    • SHA256: 276d3838fa306ed70342fc036c206de735163d04f0a07767023bc3248154f903
    • SHA512: 2024b54e11531f445ed6ed0499c22896d2f1bf18455d652d0f836bc3b1efaeebe5009ab01909b8752f7b516fc79c2a85be2261f725deaa454950bc4d06fff476
    • SSDEEP: 24576:upTQiLH+0Wl7Cl3zM61NJMscdNNDQ2mKDfIwRgfzu5sa:upMZl7Cl3zM4gLR7RgLu5sa
    • Score: 10/10
    • Lumma Stealer
      An infostealer written in C++ first seen in August 2022.
    • Suspicious use of SetThreadContext

    • Target: F5
    • Size: 1.0MB
    • MD5: 976d47d3db9c87e839cb747e8f9fd8d7
    • SHA1: 9395ba25830fd190ab37ac1d6677056f0eaf1c28
    • SHA256: 9df9b13531eb4d785fbdaa45ddb9d133355bd45c673aa05bde0937e400c46e07
    • SHA512: f56793ca2d587563d860e7b52b1174ef834c2193d7a09906e24623389a89da43cbd8c4bb25ee225c0515a14736088a25a92602fb95a71065b162628c97760bf5
    • SSDEEP: 24576:s4VBiCKlz3RPqHZnW33S1MsOb/PdD28f1+sy:s4r4RPqHZnWSy/xgsy
    • Stealc
      Stealc is an infostealer written in C++.
    • Downloads MZ/PE file
    • Loads dropped DLL
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

    • Target: FB
    • Size: 1011KB
    • MD5: 15b4617e3eccdcdc5daec9e33a7a3a25
    • SHA1: a1e8925d66bb58ce88f4c0b0aca41933ceaccc0d
    • SHA256: c35b07680f550f133b772d80be73f8841441f1bc88f8324f6b3117e4ad32aa3d
    • SHA512: 6b03beacfb8c397e3377112cb3e7711209024aadb805e693b14fc3c643406227fe4204ade9b19f28e76806900b51ca2154f135ef2f52c0d5d30c053c7bbba0ae
    • SSDEEP: 24576:Ta3WiLveEutLSeHfXy3/kIMsM9bWDQ5GsQ:TamZtLSeHfX3nAsQ
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • RedLine payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext
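
The behaviours reported for the extracted payloads (Uninstall-key lookups, reads of browser and FTP-client credential files, wallet file access, a paste site used as C2, SetThreadContext against another process) are what a detection engineer would want to re-derive from a sandbox or EDR event trace. The following is an added example, not the sandbox's own signature engine or any of these families' code: the rule labels are the report's behaviour names and the ATT&CK IDs are the ones in its matrix; the event schema, the concrete file names used as patterns (Chromium "Login Data", Firefox "logins.json" and "key4.db", FileZilla "sitemanager.xml" and "recentservers.xml", Bitcoin Core "wallet.dat", Electrum and Exodus directories) and the sample events are assumptions constructed for the example.

```python
"""Map sandbox events to the behaviours and ATT&CK techniques in this report.

Added example, not the sandbox's own signature engine. Rule labels are
the report's behaviour names and the ATT&CK IDs come from its matrix;
the event schema, the file name patterns and SAMPLE_EVENTS are
assumptions constructed for the example.
"""
import re
from collections import defaultdict

# (attack_id, behaviour label from the report, event type, pattern on path/url)
RULES = [
    ("T1012", "Checks installed software on the system", "registry",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("T1552.001", "Reads user/profile data of web browsers", "file",
     re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)),  # Chromium / Firefox stores
    ("T1552.001", "Reads data files stored by FTP clients", "file",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("T1005", "Accesses cryptocurrency files/wallets", "file",
     re.compile(r"\\(wallet\.dat|Electrum|Exodus)(\\|$)", re.I)),  # assumed wallet locations
    ("T1102", "Legitimate hosting services abused for malware hosting/C2", "network",
     re.compile(r"^https?://pastebin\.com/raw/", re.I)),
]

# Constructed event trace in the shape this example expects: one dict per
# event with a type, the acting pid and a path/url (or API call details).
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 4321,
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "file", "pid": 4321,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 4321,
     "path": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file", "pid": 4321,
     "path": r"C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"},
    {"type": "file", "pid": 4321, "path": r"C:\Windows\System32\kernel32.dll"},  # benign noise
    {"type": "network", "pid": 4321, "url": "https://pastebin.com/raw/NgsUAPya"},
    {"type": "api", "pid": 4321, "name": "SetThreadContext", "target_pid": 5000},
    {"type": "api", "pid": 4321, "name": "SetThreadContext", "target_pid": 4321},  # own process
]


def triage(events):
    """Return {rule id: [evidence strings]} for every event that matches a rule."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "api":
            # SetThreadContext inside the caller's own process is ordinary (debuggers,
            # exception handling); aimed at another process it is the injection step.
            if ev.get("name") == "SetThreadContext" and ev.get("target_pid") != ev["pid"]:
                findings["SetThreadContext"].append(
                    f"Suspicious use of SetThreadContext: pid {ev['pid']} -> pid {ev['target_pid']}")
            continue
        subject = ev.get("path") or ev.get("url") or ""
        for attack_id, label, ev_type, pattern in RULES:
            if ev["type"] == ev_type and pattern.search(subject):
                findings[attack_id].append(f"{label}: {subject}")
    return dict(findings)


def summarize(findings):
    """Collapse findings into sorted (rule id, hit count) rows, like the matrix counts."""
    return sorted((rule_id, len(hits)) for rule_id, hits in findings.items())


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for rule_id, count in summarize(result):
        print(f"{rule_id:>16}  {count}")
        for line in result[rule_id]:
            print(f"{'':>18}{line}")
```

The rules are deliberately per-event rather than per-process, so a single benign read of a wallet or browser file would still show up as one hit; what makes the verdict here is the combination across several technique IDs from one pid, which is also how the matrix counts above should be read.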

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic               Technique                      Count  ID
Credential Access    Unsecured Credentials              9  T1552
                     Credentials In Files               9  T1552.001
Discovery            Query Registry                     5  T1012
                     System Information Discovery       1  T1082
Collection           Data from Local System             9  T1005
Command and Control  Web Service                        3  T1102
Tasks