Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
02-10-2024 14:12
General
-
Target
66fbfccd837ac_vadggdsa.exe
-
Size
413KB
-
MD5
237af39f8b579aad0205f6174bb96239
-
SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550
-
SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
-
SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d
-
SSDEEP
12288:hQq9JI/vWhNOAE2wMUZ0iR4HHW02AEPzYhDU9qcEO:5JXfOATt3202AHhD5ct
Malware Config
Extracted
vidar
11
8b4d47586874b08947203f03e4db3962
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Signatures
-
Detect Vidar Stealer 19 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66fbfccd837ac_vadggdsa.exe"C:\Users\Admin\AppData\Local\Temp\66fbfccd837ac_vadggdsa.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\BAFCFHDHII.exe"C:\ProgramData\BAFCFHDHII.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\GIJJKFCGDG.exe"C:\ProgramData\GIJJKFCGDG.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\HJDBFBKKJD.exe"C:\ProgramData\HJDBFBKKJD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHCAAEBKEGH.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminHCAAEBKEGH.exe"C:\Users\AdminHCAAEBKEGH.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGIDAAAKJJ.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminCGIDAAAKJJ.exe"C:\Users\AdminCGIDAAAKJJ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKJKKJJKJEGI" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5c7e7cfc3ed17aef6c67c265389593ee3
SHA144aaea45a59f194f33ff435a430fcbd9e7434ad5
SHA2560ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff
SHA5126c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2
-
Filesize
114KB
MD57db6cef80eafac6e18a510ab209edfe2
SHA13ee98c48386788861bf1d99043e6836df4763308
SHA2564db72158cdd9735367a53c79b929d7e93d2778c970e883faa1b37f741ae01bed
SHA51278e958b8a7b712349471879d6449f6e9c165511942f71093259cd139f6709f08498bb664562552ba2aa3e218bc3f396f43f26360ca646f1999573772a5b63c2d
-
Filesize
413KB
MD5237af39f8b579aad0205f6174bb96239
SHA17aad40783be4f593a2883b6a66f66f5f624d4550
SHA256836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
SHA512df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d
-
Filesize
10KB
MD5d4f13fc077aab76e50bdfb443288fe9c
SHA1eae51ce4ad264af3a874a1e478ac6cc51680de72
SHA25643f0da0c1a3d4214a7ed9a13e4819ce442ed899063300dbe5b3ed3ce237fa5e9
SHA5128d6263cc9f759c23b039a4cb875d1306b445c8efedbceafe0a78b3af7eb06a6665d3778daf667eba5a21cb1cb56599a62ac920e42821e16fef4eb0fd31d75bcf
-
Filesize
336KB
MD5022cc85ed0f56a3f3e8aec4ae3b80a71
SHA1a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d
SHA256bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
SHA512ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2
-
Filesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
75KB
MD577d04e2964867110389ee59aecb0a2b8
SHA1c5ebff3722bbad458593ed093b3630f0691b8c4d
SHA256b5d2a4f72b1e7b73dcb5e2ca2e31bd58de8444512cc2699b2fa51b3581d835aa
SHA5126438c0d47b9e99527269569a829f200147cc770d51616f557eef1b9603705d9912139ad77f46f03aebcee8721458c6fdc855cb8c8333a8cd23489fcd1e6655ce
-
Filesize
1024B
MD5ef8872dbb1e0de26c4daadb4e2ba1231
SHA13d2931acbf70418c2e5d997efb92191a0aa1c370
SHA2563c3473cd478011ef47a57b88ec6fda2427c944085bbb929bbde6ed88ba4cd624
SHA51268aafdca48c3830d035fecec97fecfbe11f7691561e53cd9b8c126bc0a9675056f807869f6248ad9e3d8f6dcf0a5d7ce8355490aec7e2a09376ac0673a6392c4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
43KB
MD5c898cfad53ae5002bfb591bfa1c118dc
SHA1534be028d48ac0fdab15a695918e296ad1f042bf
SHA2565eef8bf1f84ee4676da62b36a8b68e2c4577b69d34013c3a51f05cf79552ab49
SHA5129d5d37e96b4e6e4f28f5ff2382ffb2713938696f342498ebc798373f0981ae89607b81f0d1c7dae8ca7b6002e7d505bfd0448ace51f40daf39dae27b118c0969
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
69KB
MD52f9d6ae2adf251d205e758a7d0df80e6
SHA18be6009c294318a8f61cf15771adfc5d038c469c
SHA256400ea2841e3d18c59ff787e7e16c3ca6f58a3b256b6e99f3b0effdd506c8aa29
SHA512d4b36af3efb020c3f0216a897c9eb9042c4e7125f819861375d13f2fd1c56ea2f600c55179c1e3ff4b752c735d0c1317b8f72fc9230d71e028c5260a23ad2659
-
Filesize
471B
MD5c7f2d90f5c90ba421c96700249027a64
SHA1826e331f623ac31cb6d8c470b2b4b64417a69fec
SHA25683957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c
SHA5128fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9
-
Filesize
400B
MD59ce596073621eb2ef8b1618c6cbd8a25
SHA11f01455fd89ed756db77e640168ccdbafb1f6407
SHA256a1898ca1668c4c53e3a4675a27584be17dff9d43e1fd01aae6c5ba821621e3cf
SHA512a8dbfc8db530f3736037994a7c6642ae29cafd0094ef49d3fdf1da3076585cb903b516bab9071e8ae8e0f8b5ae8bd6ea4355641bbbe18d252369fb6c7eae1ff2
-
Filesize
425B
MD5bb27934be8860266d478c13f2d65f45e
SHA1a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA25685ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA51287dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb
-
Filesize
34KB
MD54055cfb023d2c507b0cd1d9cc59d29a1
SHA18948ffa334b4713fe6725bca986099b84856fe9e
SHA256c72f8b8e3c46f90f18da99833e6c60d9963644194518debc0836a441ab65ae9d
SHA512d265ee547b75c5f15d7f98b73125652508424b9d2b706b2b38e09d06eb5f3eac557c49a0db325b05338a688b1c50435ce59706cf50ad28b2bb80b25ccb2e2e6f
-
Filesize
34KB
MD59137961d1fd57f1904849f2fc242b449
SHA1ac3aaae9e91053da45dbdb1901fcf7816d28ed56
SHA256fd928a3564ddb74df844be696a62a0efeee47847a4f0e6145b5e03f8bbe04f71
SHA512addf099d4db2da2e95db5d3d01b1f5219886f3db07d2166617cd1b01632d2d0e795beabca33c3d473b3d76cb376779e2a0892b7b5dae7a2e86801fc2b68591a3
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
344KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
416KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
972KB