Overview

overview

10

Static

static

3

d1bc91bd44a0.exe

windows10-1703-x64

10

d1bc91bd44a0.exe

windows7-x64

6

d1bc91bd44a0.exe

windows10-2004-x64

6

d1bc91bd44a0.exe

windows11-21h2-x64

6

Resubmissions

03-11-2024 11:03

241103-m5vwpasekd 5

04-10-2024 13:45

241004-q2khbs1fjc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d1bc91bd44a0.exe

  • Size

    2.0MB

  • Sample

    241004-q2khbs1fjc

  • MD5

    3abcb3be6004e8a635837eae43b97526

  • SHA1

    89361ec18490b2648bb4e45a3cebadfce46e1ee6

  • SHA256

    6d335f02de4d26746ced3035a3568a97c035e5bbc7b37ebe767bb5925f32f07a

  • SHA512

    4e4a36b3f05f3347a8e753a43677a9a1bfae681aad49d468bd50e356600650911fdfd6798f5afbd13fa9c8ede0644ff1495ab4d5f28f45e09a719967731465fd

  • SSDEEP

    49152:kDASSX9iPo2rTRRme2Nu7l1XApC6TD1rbgoSk2ak+1b:ks/tixTTmewupSLf1rUy

Score
10/10
lummastealcvidardefaultcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

lumma

Extracted

Family

lumma

C2

https://clearancek.site/api

https://mobbipenju.store/api

https://eaglepawnoy.store/api

https://dissapoiznw.store/api

https://studennotediw.store/api

https://bathdoomgaz.store/api

https://spirittunek.store/api

Targets

    • Target

      d1bc91bd44a0.exe

    • Size

      2.0MB

    • MD5

      3abcb3be6004e8a635837eae43b97526

    • SHA1

      89361ec18490b2648bb4e45a3cebadfce46e1ee6

    • SHA256

      6d335f02de4d26746ced3035a3568a97c035e5bbc7b37ebe767bb5925f32f07a

    • SHA512

      4e4a36b3f05f3347a8e753a43677a9a1bfae681aad49d468bd50e356600650911fdfd6798f5afbd13fa9c8ede0644ff1495ab4d5f28f45e09a719967731465fd

    • SSDEEP

      49152:kDASSX9iPo2rTRRme2Nu7l1XApC6TD1rbgoSk2ak+1b:ks/tixTTmewupSLf1rUy

    Score
    10/10
    lummastealcvidardefaultcredential_accessdiscoveryspywarestealer

    • Detect Vidar Stealer

      stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks