Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    4363463463464363463463463.bin

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

  Score

  10^/10

  phorphiexredlinesectopratexodusmarketkircredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerloaderpersistenceransomwareratspywarestealertrojanwormlummananocore30072024keyloggerpyinstaller

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma

  • Modifies security service

    evasion

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore

  • Phorphiex payload

  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    evasiontrojan

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Renames multiple (837) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Contacts a large (1553) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Downloads MZ/PE file

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Windows security modification

    evasiontrojan

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops desktop.ini file(s)

  • Indicator Removal: File Deletion

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2