General
-
Target
Setup
-
Size
155KB
-
Sample
240707-rpwkhatflp
-
MD5
ac30dea1a3c5eed9ab2b04c0d45725ce
-
SHA1
d2e06abbb03086f09c2ad0489537ae1560c1e116
-
SHA256
0bdbb1463b042b9f4411cdae307a3f11560190d63eea56ecb0ef6c7aa54f2111
-
SHA512
14fc9dafca5d57c48fd78d8e316d2d831aeec9d4795f698eb71e3e1d8831db3c32fa474f9dad87ec8a821e19653fede386a72adfab59d9309b215ab6ac249652
-
SSDEEP
3072:MIHm8fNE+NLZaoA9V+hg3XcqyvMpzi70A7qqHpBmY:RzNLZaoA9V+hg3XcqWMpzi70AsY
Static task
static1
Malware Config
Extracted
vidar
https://t.me/bu77un
https://steamcommunity.com/profiles/76561199730044335
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1
Extracted
lumma
https://extorteauhhwigw.shop/api
Targets
-
-
Target
Setup
-
Detect Vidar Stealer
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payloads are never scanned.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, most likely to geofence execution to or away from specific regions.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
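As an added illustration (not part of this sandbox report, and not Vidar, Lumma or XMRig code), the following Python helper turns the two behaviours described above, Defender exclusions added via PowerShell and powercfg used to keep the host from sleeping, into a triage check over process command lines. It decodes -EncodedCommand payloads before matching, flags Add-MpPreference/Set-MpPreference calls that carry -Exclusion* parameters, and flags powercfg invocations that zero out standby/hibernate/monitor/disk timeouts or turn hibernation off. The sample command lines are constructed for the example and do not come from the report; the powercfg switch list is an assumption about what miners commonly use and goes beyond the report's one-line description.

```python
import base64
import re

# Matches "-enc", "-e", "-ec", "-encodedcommand" etc. followed by a base64 blob.
ENC_RE = re.compile(r'(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')
# Cmdlets that change Defender preferences; Get-MpPreference is deliberately excluded.
MP_PREF_RE = re.compile(r'(?i)\b(?:Add|Set)-MpPreference\b')
EXCLUSION_RE = re.compile(r'(?i)-Exclusion(Path|Process|Extension|IpAddress)\b')
POWERCFG_RE = re.compile(r'(?i)(?:^|[\\\s"])powercfg(?:\.exe)?\b')
# Assumed abuse pattern: any power timeout set to 0 (never sleep/lock).
TIMEOUT_ZERO_RE = re.compile(r'(?i)[-/](standby|hibernate|monitor|disk)-timeout-(ac|dc)\s+0\b')
HIBERNATE_OFF_RE = re.compile(r'(?i)[-/](?:h|hibernate)\s+off\b')


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of a -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_exclusion_findings(script):
    """Find Add-/Set-MpPreference statements that add Defender exclusions."""
    findings = []
    for m in MP_PREF_RE.finditer(script):
        # Only look at the rest of this statement (up to a pipe, ';' or newline).
        stmt = re.split(r'[|;\r\n]', script[m.end():], maxsplit=1)[0]
        for param in EXCLUSION_RE.findall(stmt):
            findings.append(f"defender_exclusion:{param.lower()}")
    return findings


def powercfg_findings(cmdline):
    """Flag powercfg usage that keeps the host awake (assumed miner pattern)."""
    findings = []
    if not POWERCFG_RE.search(cmdline):
        return findings
    for kind, power in TIMEOUT_ZERO_RE.findall(cmdline):
        findings.append(f"powercfg_timeout_zero:{kind.lower()}-{power.lower()}")
    if HIBERNATE_OFF_RE.search(cmdline):
        findings.append("powercfg_hibernate_off")
    return findings


def triage_command_line(cmdline):
    """Return the list of finding tags for one process command line."""
    findings = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("powershell_encoded_command")
        text = cmdline + "\n" + decoded  # match on both the wrapper and the payload
    findings.extend(defender_exclusion_findings(text))
    findings.extend(powercfg_findings(cmdline))
    return findings


def triage_all(cmdlines):
    """Return [(cmdline, findings)] for every command line that produced findings."""
    result = []
    for c in cmdlines:
        f = triage_command_line(c)
        if f:
            result.append((c, f))
    return result


# Constructed sample: an encoded exclusion command built here, not captured from the sample.
ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionExtension .exe".encode("utf-16-le")).decode("ascii")

# Constructed command lines in the shape a Sysmon Event ID 1 / 4688 log would carry them.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\\ProgramData\\svc '
    '-ExclusionProcess svchost32.exe"',
    f'powershell.exe -nop -enc {ENCODED_PAYLOAD}',
    'powercfg /x -standby-timeout-ac 0',
    'powercfg.exe /change -monitor-timeout-dc 0',
    'powercfg /setactive SCHEME_MIN',
    'powershell.exe Get-MpPreference',
    'C:\\Windows\\System32\\powercfg.exe /list',
]

if __name__ == "__main__":
    for cmd, tags in triage_all(SAMPLE_COMMAND_LINES):
        print(", ".join(tags), "<-", cmd)
```

Run against real telemetry, feed it the CommandLine field of process-creation events; a -EncodedCommand that decodes to an Mp-preference change is the combination worth paging on, since benign administration rarely hides exclusion changes behind base64.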