General

  • Target: archi743.7z
  • Size: 7.7MB
  • Sample: 240830-jwh9ratdna
  • MD5: 59f4f9ea8bf1a099b379a618d5d4ba79
  • SHA1: 0a7bbf4afbbffe733faad435b18426f57e759696
  • SHA256: 22c87c01fb31d7ae241eeaa7d560e3c063ba68bfdd519533927929a66f618c9c
  • SHA512: 6a04aaa1c26d1129bd14d9e366ab027f397ea041a09ffcd0ac34e347f6b761aa3c157d992883b918882ef6eafcc58ad653ce254b333077774b8d10a6219621a6
  • SSDEEP: 196608:j0ZE4drEta86a1CThRAQ2tflMWXclhvv8Ye6aYII4tEGfYX:A1dr0uhRAntVXcnXbGtEGfI

Malware Config

Extracted

  • Family: vidar
  • Version: 10.8
  • Botnet: 1f3c236c672ff2ffe017b396f834c66e
  • C2:
      http://147.45.68.138:80
      https://steamcommunity.com/profiles/76561199761128941
      https://t.me/iyigunl
  • Attributes:
      user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Extracted

  • Family: stealc
  • Botnet: default
  • C2: http://46.8.231.109
  • Attributes:
      url_path: /c4754d4f680ead72.php

Extracted

  • Family: stealc
  • Botnet: leva
  • C2: http://185.215.113.100
  • Attributes:
      url_path: /e2b1563c6670f193.php

Extracted

  • Family: redline
  • Botnet: LogsDiller Cloud (TG: @logsdillabot)
  • C2: 147.45.47.251:2149

Extracted

  • Family: lumma
  • C2:
      https://awwardwiqi.shop/api
      https://locatedblsoqp.shop/api
      https://traineiwnqo.shop/api

Targets

    • Target: FileApp.exe
    • Size: 743.0MB
    • MD5: d0ed6e42966d004ac554d91ac06aaf76
    • SHA1: b6ad260289983fb23ddee3057b2e8ca1823789c9
    • SHA256: 292c837b6bd1831a84fce1528cc1666ba42eddae362594de068498dd88ccb164
    • SHA512: 50946a555e0a59b9fc48b53bcd8e16dfa34e45f4704cfa30726b47b954ace8930c891d659003717900a99d618c1d8c4edf9d888058473eadee22aa352c437fc2
    • SSDEEP: 49152:CFeCpd9HxrLr9xHMtMFRgUkYxZKXkgW9pUgLMRXlhWZ+52GeqooQ7wtwrn:CwCpbU2XZgWukZ+VDooyswrn

    • Detect Vidar Stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: mi/CbsCore.dll
    • Size: 2.1MB
    • MD5: 6ce2e6469625d238d523aeea1a03c13d
    • SHA1: f0b9c78eeb6769feb29f703991984802fcab8857
    • SHA256: 75de17d67a5f40fef8648ab9c452ce5b2834237a19d92ed7427c3c33b46562e8
    • SHA512: 7bcc637db986a94c833dc39b485b12853be81278af8e927e91e17a9c471a8f89dd0fa0b7a7b1f269c0eed9f5a87cd9265399526412c763ebe1cd485bdbaeba6f
    • SSDEEP: 49152:EqRcwBxPtk2MB7fNmkBKTHg8WkRdNgLqAFE754o56x:EqRcWPtk287fjBKT7WkRd6qAFE75g

    Score: 3/10

    • Target: mi/libglib-2.0-0.dll
    • Size: 1.2MB
    • MD5: 18e88b04da123bf05b07ff60a4e96654
    • SHA1: f46cd8411e579da9f31749809a5707fecb28b7db
    • SHA256: c0f35b0e5f9b25f36bf9ef885a8135e7dcdb77d425f8ac88124d90cf2bf32fde
    • SHA512: 735158b60194205c6262dae0689599babdc2bd0e10d0d6a71c1e1c56695caf432b207e439b5f84a3995c2d8aef3ab26706cf796848c0af0ddd340d388a76f1d4
    • SSDEEP: 24576:Cizs37Kr7hSWn/4bHGA+fWynbzTexXdQSdRImTBm0VmavJUgucuVEv5z:Ciy70n4jGwynbzTex+SdR9TBpVmhgM2

    Score: 3/10

    • Target: mi/meshsystem.dll
    • Size: 1.2MB
    • MD5: 39eed2616c86e03ef23007e7bf4f0613
    • SHA1: c87d0b9d3aeccd5239aca85d8a4b2256fdf922ed
    • SHA256: b5b13a820ab317abf5142368b30231de9ff21345e32ef1f9aa03e74c6c511c3a
    • SHA512: b14f4f5a8f97e200a78810378d5968f0a40a3621efa8fd9f9dde29095273cca6e860bfe9e913e19ade619f33a50bd7890618cc869b48e41644efd04933ac29cc
    • SSDEEP: 12288:pYpDYxT6Nbe1shgrOyUUgCkxPrxSuUVMSWcA/JC98kcWjXcJdqRJgguA9ansN6Ma:pnxT0bMnsXUWJhhC9aZYrgGJy

    Score: 1/10

    • Target: mi/tmp/PresentationCore.dll
    • Size: 4.0MB
    • MD5: 196ef466d99343e89ce3e384eb7ff615
    • SHA1: e8328dbdd6608bfc2ac37b2d4ca98169daa3d428
    • SHA256: 14c0eca6c6c09423dc6681c549c56c3da9001ab6ac9f1a0518c7ef8ed3292900
    • SHA512: 6c11ccdc25336df99d97bde9882947f56a04fc7ff0ff00c837067d2bdd7eafe57c37f9b0ce836391d0e632089136a4c72087fc5b86dda8bcfae3822a79f01d5a
    • SSDEEP: 49152:QWYdDqsaUbdG8XDMML1Tht9k5tFLW171o/VP45O0o:QWYdDqsaUbdG8XDTL1TFk5tFLW1G

    Score: 3/10

    • Target: mi/tmp/cmiaisupport.dll
    • Size: 1.6MB
    • MD5: 68449b2b4f0501e49dda0cef00e950f2
    • SHA1: fc7e200d12a4518b625c8af20a12d60d6ea2f220
    • SHA256: 175bde039507f02b84b3e367c35e5eb463b36a942feed24e5293d6171c851e9d
    • SHA512: 7a96a88e282589b1a829373b78619b8bd0bbaa521760ad0945134192c246c7c9d689817d80a8ce3c518efa2caeb04e28d042ecfadf634ba42ba9b9ae4882a5f2
    • SSDEEP: 24576:YVxy0MFZqBSdCQDmnpUgaeitdVXenH+s76rjc0CTOIk9E/Ec3ndp18RTsn4ODmcv:YVIqBSdvDypUoEc3d78Ns9DmnuwQOmp

    Score: 3/10

    • Target: mi/tmp/mscordacwks.dll
    • Size: 1.3MB
    • MD5: d0ee513805aa4cc9ef6e9c6b27939035
    • SHA1: 848709ac5c8984c48bdf5b67f7534cb37068a1ea
    • SHA256: 133ede25f199de80ad751258c44639c95d08e899be25c458ec98e02428536889
    • SHA512: 89db8457170885eb422c9898c65340a4207ddac84e3b291c61ad95683d2b18eb5331cb453ed27585469e1663434a4507d7fcd4a9e36b5d41b36e21e8bc863923
    • SSDEEP: 24576:/BbmstF7FYcu1YOP9zWxKVFOZEjrm9eAyYd9aGdNdOvTh5D/vzN4EnC/mCkaZs:pltfYcEn9zWOvTCjI7DHx4KYmCkaZs

    Score: 3/10

    • Target: mi/tmp/updateagent.dll
    • Size: 2.0MB
    • MD5: 3629dc4d1eb8ecbbe42f4deee407865f
    • SHA1: 99737fc8bd13eb56e3e933b92fc9b4ee65ad4989
    • SHA256: 88a6adc03576cb8e2d5616e47205493195c257f4d12fb832dfd91f8920fc0697
    • SHA512: 9a6ba384d4a880cfb85c63d5a7535d65163a16e51bde45a544b7ca02925a671a3fc4774a2efdc6d962a6b44a7175176bf5313c61fef8d217249c12dbd7b92c4a
    • SSDEEP: 49152:yqRRcz9BPGAfBelw99MFJ6d8NfEz1L9tsDU7akEtlYTr8XdSx+jyfZ0A:tRRcjGAfBelw9OFwd8Ncz3+DU7C/grBr

    Score: 3/10

    • Target: mi/wcp.dll
    • Size: 3.1MB
    • MD5: de6c5dc9968e59957eade9e2244aebd8
    • SHA1: ad2fa90f6d215666127c0a27c47d15e5f7ad7123
    • SHA256: b1bb713f8dabcc297284149af7ca6f74a6c4c28503e9f9f0721303566ce2273d
    • SHA512: 2501f4cc93a8c041c74283e3b41b764912f62b4559df2dd8ba9f2c729cbc79c1f4721e084c54b0eb5ea3930f7fc878cda1762f9d5d6cde781655f7bc7cc590ae
    • SSDEEP: 49152:OvChBvd9eTQkTag1BYBYq3Agvjgl4iUD5Q9qh94hRogwKQEJbULui826gPuu7UvS:OBNq3AgvjglPUVQEh94rogxQDad5fC

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks