General

  • Target

    Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

  • Size

    68.4MB

  • Sample

    240927-j9avjaweld

  • MD5

    fafa18991a490387dc823be9adf6e29f

  • SHA1

    eab943f4576e79904a94055926484747189c77de

  • SHA256

    eff974059b7909f8283fdb630a6951d83b772470bf96d748f7510ec73dfeca13

  • SHA512

    ecc5cd90108371ea2d5f999e6b95af106dfbb392e500943fa983702f334ef8c00d573ec9eebf70e9238c3e4d20faab6533676bdd01f6d23e8f5b32e7e2fc4c59

  • SSDEEP

    1572864:I+zJ89Xx5ouCMhpsJLGix8PJXz8twcwcnLBw2+TGeRBeWqJ58v9AvgPsDrTSC:F8J/oEhWJLPuJjrcwcN/YnRQjJ9gPESC
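The Target name above disguises an executable as a video: the real `.exe` extension is pushed out of view by a run of U+2800 BRAILLE PATTERN BLANK characters, so any file dialog, mail client or download list that shows only the first few dozen characters displays `Kling_CompletedVideo.mp4`. The following check is added here as an example and is not part of the sandbox's tooling. It reconstructs the sample name with 29 padding characters (a constructed approximation of the report's filename), and the entries in `PADDING_CHARS` beyond U+2800 are an assumption about other commonly abused blank-rendering code points.

```python
"""Flag filenames that hide an executable extension behind Unicode padding.

Added example for this report (not part of the sandbox's own tooling). The
sample's name is reconstructed below with 29 U+2800 characters; treat that
count as a constructed approximation of the report's filename.
"""
import unicodedata

# Code points that render as empty space but are NOT plain ASCII space. U+2800
# (BRAILLE PATTERN BLANK) has general category "So", so a whitespace-only check
# would miss it; the other entries are an assumption about commonly abused
# look-alike blanks, not taken from the report.
PADDING_CHARS = {
    "\u2800",  # BRAILLE PATTERN BLANK (used by this sample)
    "\u3000",  # IDEOGRAPHIC SPACE
    "\u00a0",  # NO-BREAK SPACE
    "\u200b",  # ZERO WIDTH SPACE
    "\u202f",  # NARROW NO-BREAK SPACE
    "\u205f",  # MEDIUM MATHEMATICAL SPACE
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}

EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "hta", "msi", "lnk"}
DECOY_EXTENSIONS = {"mp4", "mkv", "avi", "mp3", "pdf", "doc", "docx", "xls",
                    "xlsx", "ppt", "pptx", "jpg", "jpeg", "png", "gif", "txt",
                    "zip", "rar"}

# Constructed: the report's filename with the padding run approximated as 29.
SAMPLE_NAME = "Kling_CompletedVideo.mp4" + "\u2800" * 29 + ".exe"


def is_padding(ch):
    """True for invisible or space-like code points other than ASCII space."""
    if ch == " ":
        return False
    return ch in PADDING_CHARS or unicodedata.category(ch) in ("Zs", "Cf")


def analyze_filename(name):
    """Classify a name as ok / double-extension / padded-double-extension."""
    stem, dot, ext = name.rpartition(".")
    true_ext = ext.lower() if dot else ""
    padding = sum(1 for ch in stem if is_padding(ch))
    cleaned = "".join(ch for ch in stem if not is_padding(ch))
    decoy_ext = cleaned.rpartition(".")[2].lower() if "." in cleaned else ""
    if true_ext in EXEC_EXTENSIONS and decoy_ext in DECOY_EXTENSIONS:
        verdict = "padded-double-extension" if padding else "double-extension"
    else:
        verdict = "ok"
    return {"true_ext": true_ext, "decoy_ext": decoy_ext,
            "padding": padding, "verdict": verdict}


def visible_prefix(name, width):
    """What a column `width` characters wide shows once padding renders blank."""
    return "".join(ch for ch in name[:width] if not is_padding(ch)).rstrip()


if __name__ == "__main__":
    print(analyze_filename(SAMPLE_NAME))
    print(repr(visible_prefix(SAMPLE_NAME, 40)))   # the name a victim sees
    print(repr(visible_prefix(SAMPLE_NAME, 80)))   # the whole name
```

Running it on the sample prints a `padded-double-extension` verdict with `mp4` as the decoy and `exe` as the real extension; a 40-character-wide view shows only `Kling_CompletedVideo.mp4`. Plain ASCII space is deliberately not counted as padding so that ordinary names with spaces are not flagged, and a second extension only counts when it is a document or media type, so `setup.v2.exe` stays clean.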

Malware Config

Extracted

Family

lumma

C2

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

Extracted

Family

xworm

Version

5.0

C2

lun.servepics.com:25902

Mutex

gUAMuTh5gjsDB7Ov

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0

  • aes.plain

Extracted

Family

lumma

C2

https://gutterydhowi.shop/api

https://ghostreedmnu.shop/api

https://offensivedzvju.shop/api

https://vozmeatillu.shop/api

https://drawzhotdog.shop/api

https://fragnantbui.shop/api

https://stogeneratmns.shop/api

https://reinforcenh.shop/api

https://ballotnwu.site/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755
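One way to turn the extracted configs above into a detection, added here as an example rather than as sandbox output: the Lumma domains from both configs, the XWorm host and port, and the Telegram bot id and chat id are matched against proxy log lines. The log format and every log line are constructed for the example; only the IOC values come from the report. `api.telegram.org` on its own is not an indicator, so the match keys on the bot id in the URL path, and the secret half of the token is redacted from any output.

```python
"""Match the IOCs from the extracted configs against proxy/DNS log lines.

Added example for this report, not sandbox tooling. The log format and the
log lines are constructed; the IOC values are the ones the report lists.
"""
import re

# C2 endpoints from the two Lumma configs (union of both lists).
LUMMA_C2 = {
    "reinforcenh.shop", "stogeneratmns.shop", "fragnantbui.shop",
    "drawzhotdog.shop", "vozmeatillu.shop", "offensivedzvju.shop",
    "ghostreedmnu.shop", "gutterydhowi.shop", "ballotnwu.site",
}
# XWorm 5.0 C2. Match the full hostname, not the parent zone: servepics.com
# is a shared dynamic-DNS domain with many unrelated hosts.
XWORM_C2 = ("lun.servepics.com", 25902)
# Telegram bot shared by the XWorm "telegram" attribute and the Gurcu C2.
# api.telegram.org itself is legitimate; the bot id and chat id are the IOCs.
TELEGRAM_BOT_ID = "7135459618"
TELEGRAM_CHAT_ID = "-1002375745755"

BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)")
CHAT_RE = re.compile(r"[?&]chat_id=(-?\d+)")


def redact_token(url):
    """Keep the bot id (a stable IOC) but hide the secret half of the token."""
    return BOT_RE.sub(lambda m: f"api.telegram.org/bot{m.group(1)}:[REDACTED]", url)


def match_line(line):
    """Return (family, detail) for a hit, or None.

    Constructed line format: <ts> <src_ip> <dst_host> <dst_port> <url or ->
    """
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    _ts, src, host, port, url = parts
    host = host.lower()
    if host in LUMMA_C2:
        return ("lumma", f"{src} -> {host}:{port} {url}")
    if host == XWORM_C2[0]:
        note = "" if port.isdigit() and int(port) == XWORM_C2[1] \
            else f" (unexpected port, config says {XWORM_C2[1]})"
        return ("xworm", f"{src} -> {host}:{port}{note}")
    m = BOT_RE.search(url)
    if m and m.group(1) == TELEGRAM_BOT_ID:
        # Heuristic: the Gurcu C2 posts to the chat id above; any other use of
        # the same bot is attributed to the XWorm telegram attribute.
        chat = CHAT_RE.search(url)
        fam = "gurcu" if chat and chat.group(1) == TELEGRAM_CHAT_ID else "xworm/telegram"
        return (fam, f"{src} -> {redact_token(url)}")
    return None


def scan(lines):
    """Run every line through match_line and return the hits, in order."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        hit = match_line(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log; only the IOC values come from the report. Line 4 is
# a different bot on the same API host and must not match.
SAMPLE_LOG = """\
2024-09-27T09:41:02Z 10.0.0.5 reinforcenh.shop 443 https://reinforcenh.shop/api
2024-09-27T09:41:05Z 10.0.0.5 lun.servepics.com 25902 -
2024-09-27T09:41:09Z 10.0.0.5 api.telegram.org 443 https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755
2024-09-27T09:42:00Z 10.0.0.7 api.telegram.org 443 https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getMe
2024-09-27T09:42:30Z 10.0.0.9 ballotnwu.site 443 https://ballotnwu.site/api
2024-09-27T09:43:00Z 10.0.0.9 example.com 443 https://example.com/
""".splitlines()


if __name__ == "__main__":
    for family, detail in scan(SAMPLE_LOG):
        print(f"{family:15} {detail}")
```

On the constructed log this reports four hits (two Lumma, one XWorm, one Gurcu) and ignores the other Telegram bot and the unrelated host. The XWorm check also records when `lun.servepics.com` is contacted on a port other than the configured 25902, which is worth a look on its own rather than a silent miss.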

Targets

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is an information stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma, also known as LummaC, is an infostealer written in C++ and first seen in August 2022.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks