Analysis
-
max time kernel
93s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-09-2024 01:05
General
-
Target
13c42c85bbeaac50ca5cebc9433e1b12c7f2072a833f60c54d59375993af2ecc.exe
-
Size
404KB
-
MD5
10e555691e5bd8608d3afde0c81a61e4
-
SHA1
37480fa81dca9c7fa109820b0b86ed3ec7258b04
-
SHA256
13c42c85bbeaac50ca5cebc9433e1b12c7f2072a833f60c54d59375993af2ecc
-
SHA512
e4280c7b1c114b5b3dba3caa976604c77e69a782ecbff6cdb4c21653016878f90c8bcebd336dd288721ec38f464cd2a78e1bfe0b886e0bcb8a5fd610836df291
-
SSDEEP
6144:kyt602OmYh5I7KU9QPrVI5IgQ0jolIMaszHQTh1u1KjjY9tbCDdBNkioEO:kdt7YMOU2hkflq3jHihamE912kioEO
Malware Config
Extracted
vidar
11
3c2b9e69b31bab816bc6aaf265216d69
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
Extracted
vidar
11
0a6eb69ecac8780e90fe30762716c187
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
https://ghostreedmnu.shop/api
Signatures
-
Detect Vidar Stealer 20 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\13c42c85bbeaac50ca5cebc9433e1b12c7f2072a833f60c54d59375993af2ecc.exe"C:\Users\Admin\AppData\Local\Temp\13c42c85bbeaac50ca5cebc9433e1b12c7f2072a833f60c54d59375993af2ecc.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\GIIIIJDHJE.exe"C:\ProgramData\GIIIIJDHJE.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 13405⤵
- Program crash
-
-
-
-
C:\ProgramData\EBGDAAKJJD.exe"C:\ProgramData\EBGDAAKJJD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\FBAAAKFCAF.exe"C:\ProgramData\FBAAAKFCAF.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RDPWInst.exeC:\Users\Admin\AppData\Local\Temp\RDPWInst.exe -i5⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net user RDPUser_46d33d97 qN7SegZDUuUK /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet user RDPUser_46d33d97 qN7SegZDUuUK /add5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user RDPUser_46d33d97 qN7SegZDUuUK /add6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net localgroup4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=33894⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=33895⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c net localgroup "Administrators" RDPUser_46d33d97 /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" RDPUser_46d33d97 /add5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" RDPUser_46d33d97 /add6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GDHDHJEBGHJK" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2424 -ip 24241⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Account Manipulation
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
404KB
MD5931db1103751e5384c11f5aa6c1e0418
SHA101fc054c4132630bca2329b893a14cd2b812bc9f
SHA256de0508dc59523293fd16b194ed4f60124d1664ea8e6c329a6c1ba2d66aa6ad89
SHA512288e1e93c4448e49fb34d9d4af13d08edddb680d4f93ea0e75c4084e09f9736b6213c7b2b1b5ecf255abfcd83def910ba8538560c500d5dd26b7d3c03777540b
-
Filesize
75KB
MD5cee4e023e6afaaa51f600caec3469215
SHA1bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04
SHA256da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173
SHA512186f7a7592e2c21a83afe68bf0d57a3ad598ff5f3a74b626b45d4d555d9af52b66d0cba74445a55f89771f3078b47e18ae30feb6038934a433d99d85250a7ace
-
Filesize
371KB
MD5ac06141a8a10f4f82e8a3959bc903b0e
SHA10b0517ee4e2c70fac223c128279efe9674c2ea5c
SHA256018a06629d08e98974d3e8685e93e5d3992b5690dfec9c4bb12db31d17bda187
SHA51235a743b59b7c8892538249222e5fcabc00691d00c0ecd329ca2201337e405f8fb750daee58b5d8b17e68ce507ea587eabd38c64d9cd0ee0ec1f12dabc1b0f298
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD59487e661b14c16cea3343ab9c71fa290
SHA18e36ed94b4999dc88d5e469a9681f5aff358539a
SHA256593a2d73fc6b37292d8e98ed53b37b797028a2b29d2bbd3b6ed01476ae795508
SHA512bc8217833f472331cf382b80eb2138a44a91e5d34e7107d8606e3c5c60658141422dcc0711b2023daf6f6746ee9333a2789924ca9c21c87ca78a808a8c674998
-
Filesize
170B
MD5331f8bf8ebba7f8173bece60f860ed15
SHA1530a9582cd9109cb5b757e78d4deca3a6ce846a0
SHA256720efc30c63a142b345c8fb7891b6a38775b1bf2df968489d3202436ed515369
SHA5122596ba135ad1e4b2ba409bb360adf4d197114f5c379c176cf123e2a01a5238e0c4d0aee1a17220096f996b58a53fd0f4153e862c409aafc4a1c9cb549d5348af
-
Filesize
2.3MB
MD590e744829865d57082a7f452edc90de5
SHA1833b178775f39675fa4e55eab1032353514e1052
SHA256036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
SHA5120a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323
-
Filesize
1.7MB
MD5c213162c86bb943bcdf91b3df381d2f6
SHA18ec200e2d836354a62f16cdb3eed4bb760165425
SHA256ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc
SHA512b3ead28bb1f4b87b0c36c129864a8af34fc11e5e9feaa047d4ca0525bec379d07c8efee259ede8832b65b3c03ef4396c9202989249199f7037d56439187f147b
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
433KB
MD592bc5fedb559357aa69d516a628f45dc
SHA16468a9fa0271724e70243eab49d200f457d3d554
SHA25685cd5cd634fa8bbbf8d71b0a7d49a58870ef760da6d6e7789452cae4cab28127
SHA51287e210e22631c1a394918859213140a7c54b75aec9bbc4f44509959d15cfa14abcbfeb1adf9cffa11b2e88f84a8708f67e842d859e63394b7f6036ce934c3cc9
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
1.7MB
-
Filesize
424KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
96KB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
424KB