Analysis
-
max time kernel
94s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02-10-2024 07:09
General
-
Target
dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe
-
Size
404KB
-
MD5
9a95bf64bb82802b60c903d8c870f61d
-
SHA1
d889bcfdd4228927887e2eadfeb4030ea5424e13
-
SHA256
dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01
-
SHA512
57f5baaea6a32468ab1c13771a9974b6986a308f3f98c7d26b78ae085d6ba5596ed2a46b43fb42b5834e0d8e086a110989ed929591941ae213019d19ca352111
-
SSDEEP
6144:lLhXbAjomx3DQIW4k283tPTw5hO8uNzPIE9TYFwjJUJZqAEuAQXEO:lL9bpmxDQIbkdwKrIGiwj0ZoQXEO
Malware Config
Extracted
vidar
11
c7664db1b2143bb72073c634fc34cfef
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
Extracted
vidar
11
8b4d47586874b08947203f03e4db3962
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
lumma
https://questionsmw.store/api
https://soldiefieop.site/api
https://abnomalrkmu.site/api
https://treatynreit.site/api
https://snarlypagowo.site/api
https://mysterisop.site/api
https://absorptioniw.site/api
https://gravvitywio.store/api
Signatures
-
Detect Vidar Stealer 22 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe"C:\Users\Admin\AppData\Local\Temp\dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\GCGHIIDHCG.exe"C:\ProgramData\GCGHIIDHCG.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\JJDBAAEGDB.exe"C:\ProgramData\JJDBAAEGDB.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\AFHDAEGHDG.exe"C:\ProgramData\AFHDAEGHDG.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGCAEHDBAAE.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminGCAEHDBAAE.exe"C:\Users\AdminGCAEHDBAAE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGIJEGCGDG.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminBGIJEGCGDG.exe"C:\Users\AdminBGIJEGCGDG.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGHCGIIDGDAK" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336KB
MD5022cc85ed0f56a3f3e8aec4ae3b80a71
SHA1a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d
SHA256bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
SHA512ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
381KB
MD5c7e7cfc3ed17aef6c67c265389593ee3
SHA144aaea45a59f194f33ff435a430fcbd9e7434ad5
SHA2560ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff
SHA5126c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2
-
Filesize
11KB
MD50b5cdba0c4184359e0ee2d5651cc9d47
SHA17d215274aba125ec3caeff0f11270319d946b9f2
SHA25625e389e4af258a391c419c2a656df15fa379dc55c534202b8845e9b1fc680e34
SHA5129f67ecdfa1a62aa1d56f0e0e64d9aac42cc0d5a760bfbe366f047fac12fde66c5096383007f0c305a7cc260fe5b1e10ccf70f60d49d93ecac527bebfc5877f27
-
Filesize
413KB
MD5237af39f8b579aad0205f6174bb96239
SHA17aad40783be4f593a2883b6a66f66f5f624d4550
SHA256836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
SHA512df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d
-
Filesize
114KB
MD5c3311360e96fcf6ea559c40a78ede854
SHA1562ada1868020814b25b5dbbdbcb5a9feb9eb6ba
SHA2569372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b
SHA512fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65
-
Filesize
5KB
MD505316256fc231667b11f963089a1c29f
SHA1ab7c9a3b82a1eb0870f0ede33506d24e7cb0b8b0
SHA256d3638a9f55bc228cbd203265cca97b3d0af50332ae09ca986e95f4922a13a427
SHA512c7cc2fdfc1883e32060d1e6c24abc9692c824f8fbc70ca4bd913812437c5d89718c4fd9a2f96e436995ad3f84389e055d7041c09b117c0bacbc55084abd02fee
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
471B
MD5c7f2d90f5c90ba421c96700249027a64
SHA1826e331f623ac31cb6d8c470b2b4b64417a69fec
SHA25683957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c
SHA5128fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9
-
Filesize
400B
MD5d294790d60487aa16245a27f2d0108c1
SHA17df42c10495df5dc9b887e13fd73c229ac6aacaa
SHA2561ba23b28bff07a0cc7ffcd9cfe1cf4526efea8db02d80b122d2639fff8bad61f
SHA5124a02fab3b499155187140388458cf23eb5e5db87bc5c2ec4fc303750778da7d5183b8bf16e747665ec0ff6c56cc84dd8422e4951da5242a202917c94d986c95b
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
34KB
MD573a0536c00e8d4e1e847070277972689
SHA15c73d6074d7637b9b0ec53a9d9015319d8eadaa3
SHA256309b4133051c4a973b72b8a28ccdd4a2849dd910ff8361c88e5435c1bf4e820f
SHA51281ae850982635d9c226e112225ce8094c79b631f79ed5f229ed0bf5c936b4a480c1cd08a9840642dd14a802c631b0aaadb2ac1e4b735e01419117385127a2238
-
Filesize
34KB
MD510e2efe8c863a88a6231c508f2bdc8d0
SHA127c8236682bb758d958a4e7f9b7e6de099fe526c
SHA256dcd2fdceadde11c8607d52b6bc5e24629aac23e1a68cd96b0992b226f3c88cba
SHA512fde5c9e1270ebb5a37b9cb1fc03de144531cd7dcb9be548cf94922d6d38a40a1b66f064ab365b5b4048c344e3c27b225d341158af42db5de1a3cebf27cb1fcb2
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
416KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
384KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
396KB
-
Filesize
2.4MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
416KB
-
Filesize
344KB