Analysis
-
max time kernel
95s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-09-2024 17:19
General
-
Target
file.exe
-
Size
404KB
-
MD5
239144713534aecb31e32cae4afb4645
-
SHA1
fc5943e5c7d751bb7225a3856032091090f74748
-
SHA256
926091fb9ecdefb9b61384f2b65084f7b1dbb52d8b1c8de7ee0ea415d828aed2
-
SHA512
57956184064c621f7b8246a4fce73b6678ead6b23135de87b4b645a1afeeb00d801e8225b1717ff214cadf9ea5314779d6ca5724bb2ff081a1b731579735483b
-
SSDEEP
12288:/DZ3CU48cDxa9ZX6SE/Q+UCGoul2q/SW/HhEO:LtN4pD6JG/NUCZ8SW/Bt
Malware Config
Extracted
vidar
11
12d962a0b4176a0c19c4e61c53bd20b5
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
Extracted
vidar
11
a669a86f8433a1e88901711c0f772c97
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
lumma
https://underlinemdsj.site/api
https://offeviablwke.site/api
Signatures
-
Detect Vidar Stealer 22 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\ECGDAAFIIJ.exe"C:\ProgramData\ECGDAAFIIJ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\BAAFBFBAAK.exe"C:\ProgramData\BAAFBFBAAK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\IIJKJDAFHJ.exe"C:\ProgramData\IIJKJDAFHJ.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIIJKJDAFHJ.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminIIJKJDAFHJ.exe"C:\Users\AdminIIJKJDAFHJ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJEHIDHDAKJ.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminJEHIDHDAKJ.exe"C:\Users\AdminJEHIDHDAKJ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFBFCGIDAKEC" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
404KB
MD538dabc7063c0a175a12c30bd44cf3dbc
SHA16d7aabebd8a417168e220c7497f4bc38c314da3b
SHA256de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89
SHA512674760ad37cf7886ca4cd786e4d1966d3827fdad008a85a125e18bd474d073dae8d4296427253bb86e78d3173a300611ee5eb2e01c1f968700679350fc17a24d
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
371KB
MD532c2e31313c3df4a7a36c72503a5beba
SHA11c88051112dab0e306cadd9ee5d65f8dc229f079
SHA256f1fa2872fcd33c6dbce8d974c0c0381c0762d46a53ceaca14a29727ad02baef3
SHA512ee04d786e53f7fa203dbc4f8c018c72a907dabbd2d1c57e219b2ccc2dbd9d79a4ee8580b98f9b5c5024e628c0207cdd2bf93b9468e457f4ee00326c7c689f1ae
-
Filesize
11KB
MD5756a2b90e98ea5db1194635e348f08e5
SHA1dc73caf2af8df1882f0acbff22bbd9f0a76f583f
SHA256b475fc5d65f4640ac0393664576e2034bad0fefb3d0c328b41aed3d4b04d824e
SHA5120a53b8ec3fde21d1a0dab8be8c03f5cf87a5b76679b36c072c8594750891db93a3b2ba6e1abf87b358f30cd52df9f8f2ed9be07e82607d0dfb7e092e33113773
-
Filesize
114KB
MD5f0b6304b7b1d85d077205e5df561164a
SHA1186d8f4596689a9a614cf47fc85f90f0b8704ffe
SHA256c3aa800492bc1e5ff4717db8c82d1f3772b24579cde51058bdd73a9cc9822dc7
SHA512d672ea182ddf56a331d3209dcf7b9af8c3ffad0b787b224fe9e3e4c80205e474a66914358fa253c170c85a8366da2f2c3aa9d42e1f6f3291a9e6bdd9ba51fb0a
-
Filesize
326KB
MD52832fbde1cf7ea83bd6fd6a4a5e8fe15
SHA11ced7a749d257091e0c3b75605fd3bc005e531de
SHA2562b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375
SHA512c69f1197a0c74d057ab569d35c9af675fc465ce6abcc6c8fc32b316d3586871a426d7ab904c43827be7413748f0f45f7f3689076ca031fd858a4a8abf78b9299
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
104KB
MD5c1002d485f7c555ba87761bc399132ea
SHA12ea1dc717911611e2c51c8e5ec024cf89854e332
SHA25641d5e5483dd1013d1a2c268e13fded9a1445446969b8df654eb2b1268284897b
SHA5127b0fff6e8322870f1d099b5536b3d2fdd316e1aa751fd4fd4503e757a82062bfd5718778e95eee7de9590c3f4249e06465c24130b1294eb1ad5226ecce1a0248
-
Filesize
125KB
MD5af430d3c12436b668d34b47a2071d92d
SHA1c53f4426e2922eac515c4aed9eadec75dd341c01
SHA256c8f2e07018e9931a1a0c87c034cc88986f426c7d9e01b1f648d8a04f9fecd008
SHA512ee04d5b053d4ad5b634f8996e74206ed8a05eb30ad6f069be25c8034b786db62a9bad5276790590488a22dd8b4976dc5e0fd31f812e86b799753380f60d994ac
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
238KB
MD58b3898ac702b98c058c1e343f03c52bc
SHA1dbecb21037732b6bd09df50ea93a6dbf0f0ba30c
SHA256ae6082cc08296284023cffa7afea39ec2a613958d1e43d308a914b45c6105817
SHA5128546f4b06ccb9c8b368fa451e9b4e84b03cc367aae514c5935760bc7ca7ba05974c17f443b383d122bf4841002ac686a4e9fd66f65a4e4bfeab35059711708a4
-
Filesize
2KB
MD50ebee1a9b9e35e191042d46d08b040f0
SHA1feb35a5f729a753bf41b24c13452fcfcb28b7b7a
SHA256184f2732015e7e04f702a66175be34f02765256f60480aa8264de4942d15cadb
SHA51251f23f614cb7e45d94b4ad9ff26ed5e9d3bc9f6aef6f9e7c06ce3ee16247179ea8875a473aa0d6b7c7ac2746788df395b94b4b83573691da10ee0c6f5911e018
-
Filesize
2KB
MD5bdfe363f0de5d2e807e20a5a6c8499c8
SHA1a880b4f2861a2a6ff0c8c2712273cfbd63f8aad4
SHA2560426a9e73ea5ba71f09352820f459c3d58a8b100baa0492ce9b87079b6840ba1
SHA512730ab23e9683712aaa5629853ecc8a8e75ef792c157bef960167d063005f2e01f2fafa6c49b7229bbeb80be3820b2287a0e5ea4c4a795cdc94de7b5fc8cddfee
-
Filesize
1KB
MD5b4c0bc836b86f9884b2df37368191974
SHA19f060ec860ac774c051ae9748ec5476ebfb4afb5
SHA2566208a38050c05af8455a57597c24de022f937c111a488873ec5cf0ffcd545b8a
SHA51216e55dcc621b3a79434f41db4468ddd441d580e5055917ced73c408c5b6493618f077e16d74c71b6e48b460a50e7088255f026d6cb300721b82fa5c829a237bc
-
Filesize
458B
MD5b42bd761023194ba6ad86141c5b5dc99
SHA1a1c55ce3fd9d07d004533260167466c38c2125e3
SHA256105ea15b0016740723bd85b9fa356b9525354124c908cb212ef6904e33d37e73
SHA5123b932944c2f1e42eb482131a608c3d6ee227ba04e15eb27fda2d58525b8dbbc0e21556ad5f23edeec529d3e41f13f722742c0ce1b02844d52c37d829455d5082
-
Filesize
450B
MD5dafa8732e1f42a3761bbf5bc7097a56c
SHA1821d5620beb1553af2f073fae5ba4b78282df32b
SHA256c8f24c40dc715254bfa97b05574f8f7e96ee29613a7a2e541ed724c6b33ce312
SHA512608a8411e77d006c9c93828c4ce5dabfae844c5a5e5dc410eb98b76a601191b616b14d9fcfd9755c89c1e6e5655e808cdac5dfe040a4991f6f96f4fc254957ad
-
Filesize
458B
MD539c1635f7a283f8ddb88033b3b7dd657
SHA157d3434a87d765db7ce21d8f9ebf1c8a301035c3
SHA2564c8d94fa0d2d33865c9af646b88cd88fb3478151cd5051b44e7dac1c7e2b51cf
SHA5122940c22ee6019d41f8a8fc4cd3a127beceae80aab3885d1b47cd5b188ca1d0083cb5da76237d00dcf4fac279dd72a4d1546f439a51df395ab1858c11747fd5d3
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
2.3MB
MD590e744829865d57082a7f452edc90de5
SHA1833b178775f39675fa4e55eab1032353514e1052
SHA256036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
SHA5120a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323
-
Filesize
396KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
424KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
424KB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB