Analysis
-
max time kernel
94s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
14/09/2024, 01:58
General
-
Target
ddaa982f06dc35e0759d9077505beb31537f86de88232b91de45130496a61ffe.exe
-
Size
283KB
-
MD5
53ec7e5668474c14f4288fe3f21de5d6
-
SHA1
c9f88214e36dd2feddddb64ef7a3fc82025d6cfd
-
SHA256
ddaa982f06dc35e0759d9077505beb31537f86de88232b91de45130496a61ffe
-
SHA512
6f97c6e66a96ae099158fad91bd3bf6422a90690d919fb1a90eb5774895c4baba07f676bb7ead90cacbd12ff1703f31e0c112e7147d724faf2ac60a0657823d7
-
SSDEEP
6144:y9E/XevjQ9Uodb2ZSJ6HEKudlAFQ1bu8kBRFHg4145HEO:y9E/XevjQ6odbMU6HOo2kBRNfEEO
Malware Config
Extracted
vidar
https://t.me/afsgsdgqr4r
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
lumma
https://complainnykso.shop/api
https://basedsymsotp.shop/api
https://charistmatwio.shop/api
https://grassemenwji.shop/api
https://stitchmiscpaew.shop/api
https://commisionipwn.shop/api
Signatures
-
Detect Vidar Stealer 22 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddaa982f06dc35e0759d9077505beb31537f86de88232b91de45130496a61ffe.exe"C:\Users\Admin\AppData\Local\Temp\ddaa982f06dc35e0759d9077505beb31537f86de88232b91de45130496a61ffe.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\JEBKKEGDBF.exe"C:\ProgramData\JEBKKEGDBF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\DHDAKFCGIJ.exe"C:\ProgramData\DHDAKFCGIJ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKJJJDHDGDA.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminKJJJDHDGDA.exe"C:\Users\AdminKJJJDHDGDA.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEBAKFIIJJK.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminEBAKFIIJJK.exe"C:\Users\AdminEBAKFIIJJK.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\ProgramData\CGDGHCBGDH.exe"C:\ProgramData\CGDGHCBGDH.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFBAKKFCBFHI" & exit3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD5f0b6304b7b1d85d077205e5df561164a
SHA1186d8f4596689a9a614cf47fc85f90f0b8704ffe
SHA256c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7
SHA512d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a
-
Filesize
282KB
MD5f31d21c664ded57509d1e2e1e2c73098
SHA158abbe186f2324eca451d3866b63ceeb924d3391
SHA25644d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b
SHA5125aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53
-
Filesize
206KB
MD568076ff4fb08f203da72e47f536db2d3
SHA1c7d2df2f68fefa1b3b9ddc61809966eaa6daef49
SHA25691f03b0ae9dcae932e3043b7cb19cf52541504e9a4510501d9cb2f1ddd6d10f4
SHA512f400d2424839ae1ce5a362cddc759a46be3e0528d45ade309a182c202a03534acb24e90b9a02d17865c6f9a828d91d9d90927d0734ec8ffd8452a10b414ab5d6
-
Filesize
11KB
MD5aa8c535b93c4623b8349e7e16b21337d
SHA150aa50b6622d4f22b5a73bda23da6c070a866699
SHA2567a952523054034f4a0dc1e1a05efe0249aeb27f99a3c88222d152ad330cd13ac
SHA512de5333a43f86b88e327245d66f3ba3607550d8209cfebea8804d2d7be6d4feea84e849bac53d71a1ed4f029dbec7730ba4b9fc9eec6aa9ac0be4713c8199e734
-
Filesize
321KB
MD55831ebced7b72207603126ed67601c28
SHA12ba46b54074675cc132b2c4eb6f310b21c7d7041
SHA25602097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58
SHA512a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
117KB
MD5b0ee8a4da9592c72ea70a18db5d68555
SHA162def2c2fd5575980fe7523adfab0cb32d1498c6
SHA256bcbee8361a2808b1fa8a5f1b7c7df0cf8db0cd17bdc06c8ec7cf199e584c17ef
SHA5124c06c636773133a1c599bfe430a5be2a723e669c60dc0286fa31a275f891ada410be0bb3fe7954b368878b9a37ceb58c0718d6811850030cb4f164212c6143f7
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
5KB
MD5b7a56ed8b6ef61f601305f5c42ffa64f
SHA11e194ceee90ec61d9055d9e3cae7715f84d8c85b
SHA2563e81607dcf0b61f73dc2bee6b71b2351575fe1dfc8df5b0ce0a66c324b5844b6
SHA512c17a62c5a24bf10889fafd6a14c6ce1c0f76fd683f64f001a455e67cb37f033baa9835265dfa02b1d88ca03c979d7b134cd9046ee48cd4baa4fa116893d7c8c9
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
13KB
MD516c75e764a9b70ca06fe062d5367abba
SHA1b69856703cc2633f6703368ada943f2ce1e1d722
SHA2563ef27598650d34ccca435d9eb54db0a0ba7c25d6325e17665d7905dfa2423f9f
SHA512edd7391aea11ca27b88c84046e1e88623998f638a0ab7d978aec98e36d7d773f19acbf3c55fefa9ccdaa19adb28124c80431309d21dab2deec152ca2e356aec5
-
Filesize
2KB
MD5ef96d5be97bde25484b4ead9e398f048
SHA143585d5aec977637219d0aa3b6afaff495ea107e
SHA2566ae523a64f736d2653f2f62a183b4e28e3bf9f123883c21de5343899d05a8490
SHA512f8d526c18e339b478162700113a35362a2e4ed4c17f011583d60ce3815565145ca16543ef88487aee37b06bded76a313b7ec54f0ae8f9f5ace1039affe04a109
-
Filesize
2KB
MD520c76cb66f8445aae2e06a51d36214c3
SHA125fa813cac96b5075e0963de5dbc8ec5fb2d9126
SHA2565ce954bfecef5d9967d1d3b5f05879615a75ec21af03940118ae7bcda569c823
SHA512576f59686d06b06b9f2f46d6f3d703d9941208466b9d25f8ea54ef6b7faf20740eb4bb203ea0bae75dbea24b1553352d56c463d23540131053c179d96b83ae3d
-
Filesize
1KB
MD5605ba5b9f6e318cf5ff7e04ca692d865
SHA1bffb9580f2445fce2ecbbe7136df2c7a0bd4cab8
SHA256229b386c2065cfa8333f26ec11eef5b310191e3ea3c4e2faf8e352af03bbcf85
SHA512f9ff561285b6b2b13562e3c557edfd427380106126c3d9da23b0e9a883a517d47f2431cbd80717329921967e13a23425967252e2186d528e1452cb3bdaa75adb
-
Filesize
458B
MD586fc512c2921f27d9c3d741127fd5f83
SHA13a5302b4e58741424206901fb8bbd56e1887e727
SHA2569510eeeace58af5ef46498997f64d41a43de3151e0050cc5180c39c67433f857
SHA512ed223eb0bc5d07313e41bf2b89d7bbed568acb270898e2649d31375aee6b94ba8f3089fba880f26202d26b96b9cc10d2d56dc7e9f41d074e65178d9882496e73
-
Filesize
450B
MD5156fd2c9e2ca78e39641a6fc3d1d7de2
SHA15e1b916ceb950adba2af46ed87723cf62761a482
SHA256caa6244a1eb87739aaf967f8c7adb0f3584c95a9220876698c2c6e439528ba82
SHA512be51f602df659ec2ccb894f2e8f20dc4a887229c37712554b1e652edcf3b13bf7079e71be393f241a43a18f406018a281597c1f88b97e4d3ef3e5b81ab5ba332
-
Filesize
458B
MD5af58e45ad9657d5669701fa56e37a521
SHA14399fb4f1cd0033d725848c1fc9f8f610b4c4af6
SHA256a923f46bef8f704b04a28226c3e0d790141dbd0431bbada6ccb7b9be4d95b052
SHA512db00459fd582e1635643eafef7f2693c3665c411ae1862bf8c0563109656689eb35b9ed275c9fbcd5ab0671a2c9c0475ab21755f90a19227d5953110d41c5b5a
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
352KB
-
Filesize
296KB
-
Filesize
224KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
296KB
-
Filesize
4KB