Overview

overview

10

Static

static

1

fc810b97cd...f1.exe

windows7-x64

10

fc810b97cd...f1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7676e9e26e9d68ed4333b48962e246df.bin

  • Size

    276KB

  • Sample

    240914-bqnnaazblq

  • MD5

    ea1d14c07a00676025d0f8b7d85bb940

  • SHA1

    e6a2d54e30671785b72e1568ef8d36f1b60f7265

  • SHA256

    d79249047c64182675f0f3a6ad19b30b73ad935acb81ab00a98453e896453a47

  • SHA512

    be43bdd12960298836ac50b61b59dd73a5cb5945511d3eae55552c0051844ccf60faa1c7afbe3899b131ba5f312e4cf26c7251d3829610cd118544e051442971

  • SSDEEP

    6144:HYsMVgWAS54jNjRBPUw8/eg1S/2o6X/hfu91ZJkiDU:4s1WR4jNjRBMw8/eBG/hfUxk/

Score
10/10
lummastealcvidardefaultcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

lumma

C2

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Targets

    • Target

      fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe

    • Size

      282KB

    • MD5

      7676e9e26e9d68ed4333b48962e246df

    • SHA1

      8acf019a18dcf8e817a5665fcbb9a2e17e5d448a

    • SHA256

      fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1

    • SHA512

      4d8b18a648d5248291714868d0bfa56e8f3e051b8db18551c4c422278767111766e1dfdc373ccddd0d6139f932dc273258113a69aff79c057716e80a1b2f5c22

    • SSDEEP

      6144:sobHX7AuhXt+uvGlAs5Y9hpgeGnXU0ms3HxpRxIEt4V68EO:lbHc2TeteqE0tXxpMECVZEO

    Score
    10/10
    stealcvidardefaultcredential_accessdiscoveryspywarestealerlumma

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks