General

  • Target

    Kling_CompletedPhoto.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

  • Size

    65.8MB

  • Sample

    241001-z7bbaa1cqp

  • MD5

    4e57a4ffcd80f3323997b7f4d287c43b

  • SHA1

    a5219f47566c3859d4163de2b2248779e4b348c3

  • SHA256

    409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e

  • SHA512

    db7ecfc778bcd02b7ab2ad0845120c1303c97831151c83316e1d3b731f8ae41e73a18791d5774d60b7f2062ee0a11c178124cf127fb7d54c804dce97e0233279

  • SSDEEP

    1572864:1pwUgUIgIeCSI9JF+8e2eSLYQA//1YCZG0ISKATMQjlh7k:1hC33VR0Qk/yOGjCMwDk

Malware Config

Extracted

Family

lumma

Extracted

Family

xworm

Version

5.0

C2

lun.servepics.com:25902

Mutex

gUAMuTh5gjsDB7Ov

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0

aes.plain

Extracted

Family

lumma

C2

https://markyclaktwi.store/api

https://gravvitywio.store/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755

Targets

    • Target

      Kling_CompletedPhoto.png⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

    • Size

      65.8MB

    • MD5

      4e57a4ffcd80f3323997b7f4d287c43b

    • SHA1

      a5219f47566c3859d4163de2b2248779e4b348c3

    • SHA256

      409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e

    • SHA512

      db7ecfc778bcd02b7ab2ad0845120c1303c97831151c83316e1d3b731f8ae41e73a18791d5774d60b7f2062ee0a11c178124cf127fb7d54c804dce97e0233279

    • SSDEEP

      1572864:1pwUgUIgIeCSI9JF+8e2eSLYQA//1YCZG0ISKATMQjlh7k:1hC33VR0Qk/yOGjCMwDk

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks