General
-
Target
https://costweb3.com/download
-
Sample
240817-wsrsyayhja
Malware Config
Extracted
stealc
mainteam
http://147.45.47.68
-
url_path
/a8f961c72f0d877c.php
Extracted
lumma
https://samledwwekspzxp.shop/api
https://writerospzm.shop/api
https://deallerospfosu.shop/api
https://bassizcellskz.shop/api
https://languagedscie.shop/api
https://complaintsipzzx.shop/api
https://quialitsuzoxm.shop/api
https://tenntysjuxmz.shop/api
Targets
-
-
Target
https://costweb3.com/download
Score10/10-
Buer
Buer is a new modular loader first seen in August 2019.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1File Deletion
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2