Overview

overview

10

Static

static

1

656c581533...f5.exe

windows7-x64

10

656c581533...f5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2930fb1c03a7f08218c2761395bfaf42958177abea9972a10ad2c3afcc849b3e

  • Size

    282KB

  • Sample

    240908-bjk9kswarq

  • MD5

    627adaa170a2f4ae5e3182a6da593110

  • SHA1

    0070be9137b53b4712ed379ffb44f61d064ea0f2

  • SHA256

    2930fb1c03a7f08218c2761395bfaf42958177abea9972a10ad2c3afcc849b3e

  • SHA512

    48856b0b33c5860ce67ef795c0d4e44d54abab61dc8ae00da46783194893f7664dd75c0a2947879cd5af3c6df4927f410b6962aa5fe088539c40d6b4344b775b

  • SSDEEP

    6144:8L3tq4EB4PX84y5QZXiArX0iqHDKLDgNmWLkiOir6B6h8LM6:8L3QDB4PXi0iArXTqwALhr6jLB

Score
10/10
lummavidarcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/fneogr

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

lumma

C2

https://commisionipwn.shop/api

https://preachstrwnwjw.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://ignoracndwko.shop/api

https://stitchmiscpaew.shop/api

https://tenntysjuxmz.shop/api

Targets

    • Target

      656c58153302a82bdc4994a170163628f1aedd101b0efe6471b5af0d4173c1f5.exe

    • Size

      294KB

    • MD5

      20c0e4911043acdf83cd6f5818060b6d

    • SHA1

      b38d5071947e729ea05caa84958b515b53da5db6

    • SHA256

      656c58153302a82bdc4994a170163628f1aedd101b0efe6471b5af0d4173c1f5

    • SHA512

      aece9c46c5274e3660016d2795ccc0eae9578fa40ec39679e8385398675fcfbc2d08d7ed105cbafb75ced2224ee8e76720e2bf41d2c25f4a7992fa245b71543b

    • SSDEEP

      6144:RTdOxN3KvIKuzpHwR9WUoNAsWKGHgVmA5EO:jOwIKJR0NLSAf5EO

    Score
    10/10
    lummavidarcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks