General

  • Target

    Setup

  • Size

    155KB

  • Sample

    240707-rpwkhatflp

  • MD5

    ac30dea1a3c5eed9ab2b04c0d45725ce

  • SHA1

    d2e06abbb03086f09c2ad0489537ae1560c1e116

  • SHA256

    0bdbb1463b042b9f4411cdae307a3f11560190d63eea56ecb0ef6c7aa54f2111

  • SHA512

    14fc9dafca5d57c48fd78d8e316d2d831aeec9d4795f698eb71e3e1d8831db3c32fa474f9dad87ec8a821e19653fede386a72adfab59d9309b215ab6ac249652

  • SSDEEP

    3072:MIHm8fNE+NLZaoA9V+hg3XcqyvMpzi70A7qqHpBmY:RzNLZaoA9V+hg3XcqWMpzi70AsY

Malware Config

Extracted

Family

vidar

C2

https://t.me/bu77un

https://steamcommunity.com/profiles/76561199730044335

Attributes

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Extracted

Family

lumma

C2

https://extorteauhhwigw.shop/api

Targets

    • Target

      Setup

    • Detect Vidar Stealer

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • VMProtect packed file

      Detects executables packed with the commercial VMProtect packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks