Overview

overview

10

Static

static

1

dd2e52949e...01.exe

windows7-x64

10

dd2e52949e...01.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe

  • Size

    404KB

  • Sample

    241002-hy3whatbmr

  • MD5

    9a95bf64bb82802b60c903d8c870f61d

  • SHA1

    d889bcfdd4228927887e2eadfeb4030ea5424e13

  • SHA256

    dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01

  • SHA512

    57f5baaea6a32468ab1c13771a9974b6986a308f3f98c7d26b78ae085d6ba5596ed2a46b43fb42b5834e0d8e086a110989ed929591941ae213019d19ca352111

  • SSDEEP

    6144:lLhXbAjomx3DQIW4k283tPTw5hO8uNzPIE9TYFwjJUJZqAEuAQXEO:lL9bpmxDQIbkdwKrIGiwj0ZoQXEO

Score
10/10
lummastealcvidar8b4d47586874b08947203f03e4db3962c7664db1b2143bb72073c634fc34cfefdefaultcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

Version

11

Botnet

c7664db1b2143bb72073c634fc34cfef

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

11

Botnet

8b4d47586874b08947203f03e4db3962

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

lumma

C2

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

https://absorptioniw.site/api

https://gravvitywio.store/api

Targets

    • Target

      dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe

    • Size

      404KB

    • MD5

      9a95bf64bb82802b60c903d8c870f61d

    • SHA1

      d889bcfdd4228927887e2eadfeb4030ea5424e13

    • SHA256

      dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01

    • SHA512

      57f5baaea6a32468ab1c13771a9974b6986a308f3f98c7d26b78ae085d6ba5596ed2a46b43fb42b5834e0d8e086a110989ed929591941ae213019d19ca352111

    • SSDEEP

      6144:lLhXbAjomx3DQIW4k283tPTw5hO8uNzPIE9TYFwjJUJZqAEuAQXEO:lL9bpmxDQIbkdwKrIGiwj0ZoQXEO

    Score
    10/10
    lummastealcvidar8b4d47586874b08947203f03e4db3962c7664db1b2143bb72073c634fc34cfefdefaultcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks