General

  • Target

    7f2867cbcfd0a7b19a17fc1b54869aa5e33ad1e033c4b22f0efe56ff41f41558

  • Size

    3.6MB

  • Sample

    240707-kmmfgsxhlk

  • MD5

    b113f5e8e3b98d5b34e41bbf976d1dcf

  • SHA1

    b7695636b898716efe7b73ff42d15743cfb110fd

  • SHA256

    7f2867cbcfd0a7b19a17fc1b54869aa5e33ad1e033c4b22f0efe56ff41f41558

  • SHA512

    d9fa28949ba4f5d88dde3d03e81ec35d2257d035e06ccae692277c9e85eb05ac71a0519c3c7fe5eeead09ee052fd318c8496345659fa8394f83576d1a953d805

  • SSDEEP

    98304:ojsXosU2T2V19xSdFfPVhxxUjTJ8yCrlwLHcXUo2:T3U2CV19IdFf1xST6yC6LHqUo2

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Extracted

Family

lumma

C2

https://benchillppwo.shop/api

Targets

    • Detect Vidar Stealer

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks