Analysis
-
max time kernel
27s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-09-2024 02:24
General
-
Target
c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008.exe
-
Size
326KB
-
MD5
93d82638ef554a5117ce5b0d23449d01
-
SHA1
72f96fae5b89aec666887d34655552e8f9cca90b
-
SHA256
c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008
-
SHA512
271b1a758070354bb1ae8530c21fa7a25937f739b1d2844dc0c23a8984e3a8e5b0478e7bc6053e36dbcaa460eca814e751d770553b224c0081e46981d8ad2a79
-
SSDEEP
6144:G64ysmRhhpPdrxp7jylbwq6sua07m680VqjS65EkSDcVtw4ufST7/JcG6EO:GdmnVxp0XNua07m30Vqjz5EHAVO4u672
Malware Config
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
vidar
11
3a15237aa92dcd8ccca447211fb5fc2a
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://drawzhotdog.shop/api
https://gutterydhowi.shop/api
https://ghostreedmnu.shop/api
https://offensivedzvju.shop/api
https://vozmeatillu.shop/api
https://fragnantbui.shop/api
https://stogeneratmns.shop/api
https://reinforcenh.shop/api
https://performenj.shop/api
Signatures
-
Detect Vidar Stealer 13 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 64 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008.exe"C:\Users\Admin\AppData\Local\Temp\c45269675dbf15f6ef65637952f5e57c50f124f2182bb6d526cff137bdd07008.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAEGHIJEHJD.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminAEGHIJEHJD.exe"C:\Users\AdminAEGHIJEHJD.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\JEGHCBAFBF.exe"C:\ProgramData\JEGHCBAFBF.exe"6⤵
-
-
C:\ProgramData\IDHDGIEHJJ.exe"C:\ProgramData\IDHDGIEHJJ.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJJKKJJDAAAA" & exit6⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJKFCBAEHCA.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminJKFCBAEHCA.exe"C:\Users\AdminJKFCBAEHCA.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIIIJDAAAA.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminHIIIJDAAAA.exe"C:\Users\AdminHIIIJDAAAA.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"C:\Users\Admin\AppData\Local\Temp\Malewmf\MFDBG.exe"5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe"C:\Users\Admin\AppData\Local\Temp\Malewmf\FDWDZ.exe" --checker6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD50a5dd118470222ba7779b9c3c88c9fa9
SHA1140d9e8913f833e25137ac8e5e0b0be2954b4017
SHA256c521816d1e04b24819f556f77d1a3aa932ffe537d50ab1ffc1ea1dc243839620
SHA512138cc4d0e958b7fae1d1423656aaa63126e71f455a4e6ee85d4a1b80a48fe7b4f854b47bc12f607f43da7b95d8ba227ce5060c524de39d5d9d15164d3bee592c
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
114KB
MD5e110cbe124e96c721e3839076f73aa99
SHA102c668c17c7fae5613073e9641bc9bcff96c65a0
SHA256a793f3d212f395bfc8973231a22a6013c0e334443aa4172a8b5d611bb0f378a7
SHA5128d91ff245f703e5dbee68085e9ca0de4b2fc044befcf79977f46bb8bfd908fa0e22ec0dd6a2b400e9ff447f888b550635ed82ebda18575d17b1f3d478a45f5dc
-
Filesize
669KB
MD5550686c0ee48c386dfcb40199bd076ac
SHA1ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA5120b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
251KB
MD54e52d739c324db8225bd9ab2695f262f
SHA171c3da43dc5a0d2a1941e874a6d015a071783889
SHA25674ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA5122d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
403KB
MD5c7f95fc671d7bf1bec293e9500577bcf
SHA15366030099354e76ab5f8b8df4b2e226a29679ef
SHA256d1bd0c0a32f154e4a9c6eca1eafee762ccea17a390706025b63e657f0305f432
SHA51282b932b03c091cf27c4671ae2bf14a35b4c9a80d0eca01204cc67b85ff215468d2de2db6f2950df9a86c165fbbe2156bb5314e8fcf841b7439badfa122eec99f
-
Filesize
25KB
MD5168087c84c5ff3664e5e2f4eec18d7dd
SHA1639e9e87103f576617ed08c50910ca92fe5c8c5b
SHA2562a7cdb79045658b9c02ebbb159e5b3680d7d6d832dbd757572f7d202c3fa935d
SHA51289491261e1234f917964566def4b1a50505ba4c2eb90d14c19e2130d78fe65cd61c4bba685909109c7088b35e7fd48f6311ace7a0dd8c703a6d1b1d23d1a54bb
-
Filesize
368KB
MD50cee1d66332dec523210f62e479284b9
SHA133f950916e13a6ec654c52160ee47e88c64a5724
SHA2560a6a258bfdb9b1947f2945b44e274ff3f06a7c5c733ff83c2a71c5f911fa9cc0
SHA512603aa4834c6d3a9f3b6b1629eeb2108cecfd7192110f0cf948f2971957a9231ad9d405d8424e3a41b32a8ff415d8f84e55afdec38bf996703093084162d11972
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
1KB
MD59348a6a7246837fc8c93eadd701c1108
SHA10db3e5d1ac62c5b9866fca75f20029c4950dc2f6
SHA25682c44953db7ea378a2f65ecc3a49700611b8e60ac9a76e16610f1206966bdd9f
SHA51279820e6ffca17fd220d0f0d914714c445459742454307453f09a0aae921c3b61d97978cf2f841f5db8f6e1d73122d823876b1647bfb511cfc328b32265c9a489
-
Filesize
1KB
MD5833973c0ea9d550cb267c89aea7742af
SHA1197a8c82b5a1fdf3d1d366ce6bab6730a4c96a3d
SHA256ae79e8abd3e7455b0b7803dab527e2eb5bb24faf27a0cb554076000958fed881
SHA512be3eaa8eb9c5203a4f9d7a5e6eb6798e22213486f961568fa2ef6e35cb736782d6d3fb6ea945f158b8eb921e568fbbd0c79a691ff97795438f2075f5a663d737
-
Filesize
416KB
-
Filesize
4KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
384KB
-
Filesize
2.4MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
344KB