General
-
Target
922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541.exe
-
Size
403KB
-
Sample
240926-m2vfrawhlh
-
MD5
03c94d73127dfe7f3d12aa591612cad6
-
SHA1
1ced86cbe41cdd4710776c2bfda5ced85e11c5c8
-
SHA256
922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541
-
SHA512
dc36256646c2c5af54622be4f46e53bee22b47f4e54981138d0a8e675e679178a31d05bc8bd14e72254304f4a1ba6117c58b61d3be0d8a5a3ec93d0b592541cc
-
SSDEEP
6144:AKSk+V/WTaEEVQTDHSICGdB2mgFwayoEkNS+GSYOuGVYk/xS8s4LegipEO:AnREEVOzSF1vn9EkNmljaYQxoKYEO
Malware Config
Extracted
vidar
11
d80be45a1eb6454ca916f92c36ebf67d
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
Extracted
lumma
https://drawzhotdog.shop/api
https://gutterydhowi.shop/api
https://ghostreedmnu.shop/api
https://offensivedzvju.shop/api
https://vozmeatillu.shop/api
https://fragnantbui.shop/api
https://stogeneratmns.shop/api
https://reinforcenh.shop/api
https://ballotnwu.site/api
Targets
-
-
Target
922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541.exe
-
Size
403KB
-
MD5
03c94d73127dfe7f3d12aa591612cad6
-
SHA1
1ced86cbe41cdd4710776c2bfda5ced85e11c5c8
-
SHA256
922cc62136078b304e61183fc11d3a6258eecf23da272278897543b25ba1a541
-
SHA512
dc36256646c2c5af54622be4f46e53bee22b47f4e54981138d0a8e675e679178a31d05bc8bd14e72254304f4a1ba6117c58b61d3be0d8a5a3ec93d0b592541cc
-
SSDEEP
6144:AKSk+V/WTaEEVQTDHSICGdB2mgFwayoEkNS+GSYOuGVYk/xS8s4LegipEO:AnREEVOzSF1vn9EkNmljaYQxoKYEO
Score10/10-
Detect Vidar Stealer
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4