General

  • Target

    4da047e7133eebf2b2220d7329fac13094a46b0b430c4e7870da39c813efdae2.exe

  • Size

    404KB

  • Sample

    241004-btvk1a1bmc

  • MD5

    5af7d57744592ed62c6ecde2348d721a

  • SHA1

    1a3aaecedbf90f300a33c0b68314cf9b4e5084fe

  • SHA256

    4da047e7133eebf2b2220d7329fac13094a46b0b430c4e7870da39c813efdae2

  • SHA512

    1033e908b43ef9821ee63bb29ea4a7820e26ce0779627b1bab1f0c0dca5c8040bdfabdb3a9ae60725ae6a4de6ab6c0b757444349afa5fae72df872deb0bdf28b

  • SSDEEP

    12288:+1nfasvb+wZd4+/2ghnEOBe74Ege5je2xk:+1nfVjnd4UvhnGpjje2xk

Malware Config

Extracted

Family

vidar

Version

11

Botnet

b74ef0d8ce56e494b0d83e1d5be9dbeb

C2

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

lumma

C2

https://beearvagueo.site/api

Targets

    • Target

      4da047e7133eebf2b2220d7329fac13094a46b0b430c4e7870da39c813efdae2.exe

    • Size

      404KB

    • MD5

      5af7d57744592ed62c6ecde2348d721a

    • SHA1

      1a3aaecedbf90f300a33c0b68314cf9b4e5084fe

    • SHA256

      4da047e7133eebf2b2220d7329fac13094a46b0b430c4e7870da39c813efdae2

    • SHA512

      1033e908b43ef9821ee63bb29ea4a7820e26ce0779627b1bab1f0c0dca5c8040bdfabdb3a9ae60725ae6a4de6ab6c0b757444349afa5fae72df872deb0bdf28b

    • SSDEEP

      12288:+1nfasvb+wZd4+/2ghnEOBe74Ege5je2xk:+1nfVjnd4UvhnGpjje2xk

    • Detect Vidar Stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.