Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
-
submitted
15-09-2024 01:23
General
-
Target
9ca478d53da793e89bf97d72d84ea97dcad229ecc0f776f91d10368ac7fa53ff.exe
-
Size
283KB
-
MD5
8dcf4fc19083ae426969bf2ceb8b77fc
-
SHA1
0dc30df55018d77a2ac41c6a3df426b5309968be
-
SHA256
9ca478d53da793e89bf97d72d84ea97dcad229ecc0f776f91d10368ac7fa53ff
-
SHA512
ed40862be510522262f5d4f774fd13bb66b25776f87a9004620bf312e5b3506a86761cb3ab871726cec77387fef1494ba2f4e89819d996275cfbfb795930bb1c
-
SSDEEP
6144:u++kCouGcPAEY2PrLEsjSK4C2F3NGAiAjNtGsWWhEO:WHQEY2PrLx2pF3sAes/EO
Malware Config
Extracted
vidar
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
lumma
https://complainnykso.shop/api
https://basedsymsotp.shop/api
https://charistmatwio.shop/api
https://grassemenwji.shop/api
https://stitchmiscpaew.shop/api
https://commisionipwn.shop/api
Signatures
-
Detect Vidar Stealer 19 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ca478d53da793e89bf97d72d84ea97dcad229ecc0f776f91d10368ac7fa53ff.exe"C:\Users\Admin\AppData\Local\Temp\9ca478d53da793e89bf97d72d84ea97dcad229ecc0f776f91d10368ac7fa53ff.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\DGDBAKKJKK.exe"C:\ProgramData\DGDBAKKJKK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\DHCFIDAKJD.exe"C:\ProgramData\DHCFIDAKJD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGHDBKFHIJK.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminGHDBKFHIJK.exe"C:\Users\AdminGHDBKFHIJK.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHJDBKJKFIE.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminHJDBKJKFIE.exe"C:\Users\AdminHJDBKJKFIE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\ProgramData\GHDBKFHIJK.exe"C:\ProgramData\GHDBKFHIJK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHDBKFHIJKJK" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
321KB
MD55831ebced7b72207603126ed67601c28
SHA12ba46b54074675cc132b2c4eb6f310b21c7d7041
SHA25602097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58
SHA512a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e
-
Filesize
207KB
MD5818da6b91266ff0f0553ca430a1a013f
SHA12534cd6690636983590a57bb416f4ffb290c20c4
SHA25639849b935f7316cf070f1f2e00806049c0aa6ca4d3bda48578b55854808b2324
SHA5123d3a7badc146ec9eedc19b749a2dfbc9b9450c487a72e04f51aad13ebe8c8434630b17ccef58256221bc8b3bb57cedf65770be8c6143ce29758dd088b64e9b43
-
Filesize
114KB
MD5f0dcd0735cfcef0c15ceda75deb5cb3e
SHA1af257a650681983a6c9e087615165269a6d0ceab
SHA256d3ca053889263104532ef68de1a1200f5e1b1177cfeea702e882c5c4075c35ee
SHA512cc2a123eea72756ce0914ec7c2e077b9f14c6def40a3131fdc02d5f981c5c79bba7859d02296cb1a15e4ff2491818e91c3790706cf46fffdf9a7b7fcb5a33ec4
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
283KB
MD51cde2674d9a208de4e632a3639289335
SHA109398eb768685dc62eeff0e6346784fc07633154
SHA2567e88fb99b3d96daf529f9f09f8221e1e6dee655003a05fb7bb4d5eed96b71f34
SHA5120f5d9ff219fc9be57a43d594edbf955f175def88769ebe91841534a69c63fea97bafe5c768f44edde6574540f086861bf598b2a8587b39ee3660d4fd00d9e565
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
10KB
MD507563c2710cff54b5fcac180912861a7
SHA14eb3b98c5642f4620faa67ae81a43f19e1753336
SHA2568102ef3fa2a52908939e0c4045a91cc20d0bc197f653f9e4797c371464c4165a
SHA512fb32cf03ed5bc61b2c3bbd0ef9a2f2c96db73a2e74631e31ce69ba12e615fd630113b766a63e31774cdf6cca90a5cf87d82576df2caa1aa341182f3ba3ea61cb
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2KB
MD53511277ef0b694d1828927bd3b4e73aa
SHA1e208b123479fe57b7df93dcff842635490a1215b
SHA2569cfaf3d7999257fb153bee75fc1ea41084e4cc11d07d1730411c5721429e4730
SHA512c0a2e1c30c60dee16dedf464b48a82cd79ed9796bb71eabc7299364b85d3fc35a09a632b66183774537b614d1926149bf1b491c54ef23dba93a5a4cadc696211
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2KB
MD56ba6baf8c30e293ce5700eda09151f5c
SHA1094a3e9f8f520a8056d9116845f57ae2c39f684d
SHA256776200a5ac3287bf49f49d1573039f48d5411910fe5f6845c450af83cff81ed5
SHA5124ba302ff6293de426ec55534aaa183f77b83bdd91bd814758b48187f64d36a24ff454e18f670d26ff4d96276063381082ee8e4c5b50fbda15793530c84acba10
-
Filesize
2KB
MD575881d635c114ab58a865a8a4d0440b6
SHA192d9c31570e78d27d1fa1f26b1c7d3b2669554df
SHA2565d5657084887ec619b5f3a5f17afcf7744a3c9f48932b923187b52a25c3cf10c
SHA512fd34e08a303ff6fe374f1c93e079baa2cadf2f8b8cdd51e0ce4cbeac8df2ad67fa296d3d97facfbe346efbd9d264373ffdb3ebf673d2211c359c2c4ea41431c1
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
1KB
MD537caf12e7f08c24b241201d67acf61d7
SHA1d4d556f78462f343024a22d201e77203e7021909
SHA25633a908c32c51489f7234b7dcfffc7329b623b9bf659b65021cdbd9806342a573
SHA512c00e9d2df7a5424aa2bbdfe60cf57f2910464c5698899ff3ce8617c8b43a58fd6e98d33b0e0ca698fea4b5583c75a1c53801ae73b123adeeb2ada5619bdfe229
-
Filesize
458B
MD55c2bd0296ab1bec4e0f6d44a905495df
SHA13c8661bf2cc66f1ff5988d5186237a8291eb0383
SHA256d2b6f7184870f15acd1a93f89abfa9fe47b9efb300c3ad03c50ffaf7eec78947
SHA51240cc6cbb3d5e9160c1c1dd3d164a141072abf341a57de8eff7ae6c1f61e8d774c95b1e167644249f341023b6074c8355b7d677bc9cb358dbfbb31ffdc119fc00
-
Filesize
450B
MD5bde91cc1aa8afcf679f24ef1efa68410
SHA1f9d0a2f762e06b177911c369aa0358ee6b70b41f
SHA2560532b9326a3e2de0387736f96e70d0b9ee59f1e9460a32c8be647b1c5add8115
SHA512753c8c57abb66950f352c6b2efdb658d92ba6c2c0f01a08adde7346d043bce02a7619fd70ac5b77529d93f0b718bc43ae16676d012ad5c09be11c04d930ef194
-
Filesize
174B
MD5646b047439d611ec0392a694c68bb483
SHA1042ee16c4f18675d1e37372a00bebab1e7717a9f
SHA256442bc0102ef519244611586b5c1e67049624308064c4157ed503787a546cb9b4
SHA512f6caa9053de953741cf894bec160639f00cc4b669167e6812cae876dc9c287b191c0a29f113c56969eabeb518afa13ca2d55a0e1d8055555316612cbde52e845
-
Filesize
170B
MD5f60e89a9f82f662ac1eafb8d8399c328
SHA1d51a9269505843b72471292969f917206821e8ee
SHA256d907069796752dc87b2fee150da2e36a5f3b0edc3ec3a66884b808999ac4b568
SHA51239f1d40230efa5ae05f0f297d696db8c67e69622f4eb0b032db8eb330534f5f3b17f799322fd7362393aca8868eead7e20a8f27f7b4c570694050178c010d243
-
Filesize
458B
MD5ac3b6ee0ca1171efeba898d490a37d8b
SHA1b4412b69a3003764452b6179171aad94b5ac3d2a
SHA256a75ca4c226048bb9800690d5b1fc41e395486f06e8be30adc932f99dbbe6c514
SHA5122e7f1f61f7d916b1f285bf70ac71c9dc5a2b38ec0085503a8a62de431e84f137050923b0dc81615f3a5818a00f5b807bee13dab4bb4a4a59569717db01e5d39e
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
296KB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
336KB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
5.6MB
-
Filesize
224KB
-
Filesize
296KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB