General
-
Target
07e1fe19e20043c5edd0ffecee3d322070c725b88513f60eeb329f0a2711b819
-
Size
403KB
-
Sample
240926-2e9dqatgjb
-
MD5
a5d8786e0b524918c35e579be77304b9
-
SHA1
3fdcc3304930caf5e2be53172380dd34365c0d5a
-
SHA256
07e1fe19e20043c5edd0ffecee3d322070c725b88513f60eeb329f0a2711b819
-
SHA512
dd2a8f5efa33cecb8a761c8783f18a90e3a7760e9b297a998e923b9bd09cd883b2b973a29f5339a49cd6aeaf99146a466524105e3a62f1012269f8aeb165521e
-
SSDEEP
12288:EKbMBW6swhEIGz3BfWxr+ht81hHDgMfF/+MEO:DhwiIGz3xWchSfHDgMfF/Vt
Malware Config
Extracted
vidar
11
d80be45a1eb6454ca916f92c36ebf67d
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
https://wallkedsleeoi.shop/api
Extracted
vidar
11
e90840a846d017e7b095f7543cdf2d15
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://wallkedsleeoi.shop/api
https://gutterydhowi.shop/api
https://ghostreedmnu.shop/api
https://offensivedzvju.shop/api
https://vozmeatillu.shop/api
https://drawzhotdog.shop/api
https://fragnantbui.shop/api
https://stogeneratmns.shop/api
https://reinforcenh.shop/api
https://ballotnwu.site/api
Targets
-
-
Target
07e1fe19e20043c5edd0ffecee3d322070c725b88513f60eeb329f0a2711b819
-
Size
403KB
-
MD5
a5d8786e0b524918c35e579be77304b9
-
SHA1
3fdcc3304930caf5e2be53172380dd34365c0d5a
-
SHA256
07e1fe19e20043c5edd0ffecee3d322070c725b88513f60eeb329f0a2711b819
-
SHA512
dd2a8f5efa33cecb8a761c8783f18a90e3a7760e9b297a998e923b9bd09cd883b2b973a29f5339a49cd6aeaf99146a466524105e3a62f1012269f8aeb165521e
-
SSDEEP
12288:EKbMBW6swhEIGz3BfWxr+ht81hHDgMfF/+MEO:DhwiIGz3xWchSfHDgMfF/Vt
Score10/10-
Detect Vidar Stealer
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4