General

  • Target

    f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3

  • Size

    4.2MB

  • Sample

    240706-bajdma1bpm

  • MD5

    b9c98b028ee3a0ece95c0de562950397

  • SHA1

    b01ba75e6e1c3e4f4c9bf4d3df58b1a342448a6a

  • SHA256

    f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3

  • SHA512

    08d1487cad27f64ec0829b3175a0c41f896ff8cfb331de3db671810c371309c05426ea8d3b892235dc1b8a6e82c95dfbed1c079cfe84e63a3a1a5992c10befb2

  • SSDEEP

    98304:2xPJJVzsnf1ozRfFzsa5a7LhDfO7F9wf1/xP8OvO8LH+u:25anivs/LBO7EV5Hiu

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Extracted

Family

lumma

C2

https://civilizzzationo.shop/api

Targets

    • Target

      WezoAutoUP.exe

    • Size

      332KB

    • MD5

      46748aff6fcab034d0affddc99c6d876

    • SHA1

      b9374a9f4b85ebf36218860f3f80da69505194db

    • SHA256

      82a9537d99a9ccc5c534dd87f642a7e77b594f7554c2ed7a32a1a9518634a42c

    • SHA512

      8e91545dd88d436abf6afe3245c18254d38cbf994ef2226798544b48ed047e060b466d8ef06e7514cda50d367999a350b9695890510607d327c7bc9390ddf3d5

    • SSDEEP

      6144:m68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IH:WfnnK9zABs+TbFx9SXOPCf8DkqAR8zHB

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      culclientUp.exe

    • Size

      329KB

    • MD5

      915b7366ba2e87a3f5a6810903cbc38a

    • SHA1

      0d8fe32290ad5294cc6770daf316114e8cbcc60f

    • SHA256

      f6c833657a31e9f8fc136f74aa251d428a6d2ee7bcc6fb74c00ba4f44e902edd

    • SHA512

      a6981d6a94ada77245eaeefdb577055e36f1465d400bbcbae064723dd3a3e7f37495926d45a4227e31631b87b513446901e7e48fa75a97823ff1eef681b7ce08

    • SSDEEP

      6144:u68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IBG:OfnnK9zABs+TbFx9SXOPCf8DkqAR8zHu

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      software.exe

    • Size

      5.5MB

    • MD5

      1ed6f9d578e14edad0bf47edf1f6269f

    • SHA1

      0e6546d7a7f237a4c094e24810fd4ab29ab6a970

    • SHA256

      83b2f6c63dc3ec6cea64755ce2042ff747d52571daaef8a47934e00378f0afd3

    • SHA512

      7481e391bc9fd0b0a30ca7464847e6ab0bbaa4febb8bfb33407742fd2e90f7fb0d88fd2ab0dc49fa499864e16a234d6f910926944c2a3ce337d614351dccfd60

    • SSDEEP

      98304:zeL9fRCBL/JS6w1PMcf5blPwJp003KOIupEAjlgJHc6:zeL9ROL/Eh/PQbaObEACl

    • Detect Vidar Stealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      vncDbnt.exe

    • Size

      329KB

    • MD5

      3597cd93701c4505d035a34271e0b931

    • SHA1

      63b311fd5f0d98166273e22ca8fb16c219d3ba07

    • SHA256

      acd89e772ca1bc9d3c69cff7430fa4bb921d4468d6115c57cade092944572eb3

    • SHA512

      32175d64523038c480a21f609a036c1ed206a1b45eb986da6d20b8e2e1924aefe1eb93d66c1bcd03334e8c126df40d272f0e4e02397ed16db167d3994738a6a3

    • SSDEEP

      6144:J68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1IX:ffnnK9zABs+TbFx9SXOPCf8DkqAR8zHN

    Score
    8/10
    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      wzoptup.exe

    • Size

      330KB

    • MD5

      206c606e09f81262fbc85065ceca4f59

    • SHA1

      96fa2aba33f86d809697d04d083ef3f6108ab197

    • SHA256

      7a3271b0079e9f56f20acdb731e46174fc0a1f1a59e5fbd951a6ce9c07db48f9

    • SHA512

      57b0fe98b3da4193c6ea267c4be05c5f3a6d2a24f2e79a4cf98d6a3e68e03f1bf9a7438f7f90bb2b6eb11a59ff4e81c5422538f20abf69b4feb4107be900f5e0

    • SSDEEP

      6144:e68oipnnK9jqXEX52Ums+Tbxzbx9SmIqQyPodMUf8Dkzel6R8zHe1I3A:efnnK9zABs+TbFx9SXOPCf8DkqAR8zHK

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.
