General

  • Target

    51c75077bca69383b83b1c94c2406e05.exe

  • Size

    431KB

  • Sample

    240712-gw14fs1fnj

  • MD5

    51c75077bca69383b83b1c94c2406e05

  • SHA1

    efc8d7ef37661dadc02171817ff344c84790683f

  • SHA256

    f3f2ee666e572cea6eb5bcfd31fbfbc3b0edc9f99db528bb0a640751fb223033

  • SHA512

    607455d7fc1bb272c03f24205fdbb401ef3b7b09d192b2cb62e9ec271fd44bc5bc83ae8b620446ded5f9998aee3a47d9966ee5b84bb9f5ac7b11648f119b664f

  • SSDEEP

    6144:LwcfOnB0WvTtMMR0Q+uGQ8n97bfrd1NFqGOGOwqGz5n3eU7FhdSs4ztWTH8S8EO:CnTvT729zd3RObwqGz5n3VFLqS8EO

Malware Config

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199735694209

https://t.me/puffclou

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1

Extracted

Family

lumma

C2

https://contemplateodszsv.shop/api

https://applyzxcksdia.shop/api

https://replacedoxcjzp.shop/api

https://declaredczxi.shop/api

https://catchddkxozvp.shop/api

https://arriveoxpzxo.shop/api

https://bindceasdiwozx.shop/api

https://conformfucdioz.shop/api

https://reinforcedirectorywd.shop/api

Targets

    • Target

      51c75077bca69383b83b1c94c2406e05.exe

    • Size

      431KB

    • MD5

      51c75077bca69383b83b1c94c2406e05

    • SHA1

      efc8d7ef37661dadc02171817ff344c84790683f

    • SHA256

      f3f2ee666e572cea6eb5bcfd31fbfbc3b0edc9f99db528bb0a640751fb223033

    • SHA512

      607455d7fc1bb272c03f24205fdbb401ef3b7b09d192b2cb62e9ec271fd44bc5bc83ae8b620446ded5f9998aee3a47d9966ee5b84bb9f5ac7b11648f119b664f

    • SSDEEP

      6144:LwcfOnB0WvTtMMR0Q+uGQ8n97bfrd1NFqGOGOwqGz5n3eU7FhdSs4ztWTH8S8EO:CnTvT729zd3RObwqGz5n3VFLqS8EO

    • Detect Vidar Stealer

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks