Resubmissions

03-11-2024 11:03

241103-m5vwpasekd 5

04-10-2024 13:45

241004-q2khbs1fjc 10

Analysis

  • max time kernel
    140s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    04-10-2024 13:45

General

  • Target

    d1bc91bd44a0.exe

  • Size

    2.0MB

  • MD5

    3abcb3be6004e8a635837eae43b97526

  • SHA1

    89361ec18490b2648bb4e45a3cebadfce46e1ee6

  • SHA256

    6d335f02de4d26746ced3035a3568a97c035e5bbc7b37ebe767bb5925f32f07a

  • SHA512

    4e4a36b3f05f3347a8e753a43677a9a1bfae681aad49d468bd50e356600650911fdfd6798f5afbd13fa9c8ede0644ff1495ab4d5f28f45e09a719967731465fd

  • SSDEEP

    49152:kDASSX9iPo2rTRRme2Nu7l1XApC6TD1rbgoSk2ak+1b:ks/tixTTmewupSLf1rUy

Malware Config

Extracted

Family

vidar

C2

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

C2

http://46.8.231.109

Attributes
  • url_path

    /c4754d4f680ead72.php

Extracted

Family

lumma

Extracted

Family

lumma

C2

https://clearancek.site/api

https://mobbipenju.store/api

https://eaglepawnoy.store/api

https://dissapoiznw.store/api

https://studennotediw.store/api

https://bathdoomgaz.store/api

https://spirittunek.store/api

Signatures

  • Detect Vidar Stealer 13 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1bc91bd44a0.exe
    "C:\Users\Admin\AppData\Local\Temp\d1bc91bd44a0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Users\Admin\Documents\iofolko5\Pd3qyNx7NSELdezOZD6ffikN.exe
        C:\Users\Admin\Documents\iofolko5\Pd3qyNx7NSELdezOZD6ffikN.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3796
          • C:\ProgramData\FCFBFBFBKF.exe
            "C:\ProgramData\FCFBFBFBKF.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4108
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2316
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 236
              6⤵
              • Program crash
              PID:2748
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIIECAAKECFH" & exit
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4900
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 244
          4⤵
          • Program crash
          PID:1556
      • C:\Users\Admin\Documents\iofolko5\Kd5B9aaMmPDvVwjd_4TjNYPY.exe
        C:\Users\Admin\Documents\iofolko5\Kd5B9aaMmPDvVwjd_4TjNYPY.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4216
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHCFBKKEBKE.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1508
            • C:\Users\AdminHCFBKKEBKE.exe
              "C:\Users\AdminHCFBKKEBKE.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4688
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1596
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 256
                7⤵
                • Program crash
                PID:3068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 244
          4⤵
          • Program crash
          PID:1612
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 248
      2⤵
      • Program crash
      PID:1404

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\BKFHCGIDBAAFHIDHDAAE

    Filesize

    6KB

    MD5

    206fd7e45f632fe3a57c07cd693b6da9

    SHA1

    ba0ffdca99979cc72aaee0128b033f3591812087

    SHA256

    9fbd0e47f405173a0dfab793183953736b00d9bb4413ee65d3f0fe9f7f7bd130

    SHA512

    f0ab86c85f49f00806f16443a7f58bbf8392e089ebdb9bd4607355217f482fdaa2c442b0bd6639486119b4a743fd23a6cd80eee9b3ccea881fd28e58ed7b80ed

  • C:\ProgramData\CFCGIIEH

    Filesize

    92KB

    MD5

    3daad470df391b2f80f1355a73f49b47

    SHA1

    fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec

    SHA256

    a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08

    SHA512

    a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

  • C:\ProgramData\FCFBFBFBKF.exe

    Filesize

    518KB

    MD5

    6c7d97ae1b013c0b5aba8ca2186fda7e

    SHA1

    505ddef1e6bb7d132615a25c51d7094a7ef1807a

    SHA256

    c68856eee73796bc835c205be54888e3c99caf983dc5d35aedf2981fd41be527

    SHA512

    a8a886494e276dd07f2e497784b84552c03e8b1397dc30c8bfdf720e9c36bd422b9dab339527abff43c46b12e6561154942087a3a3736575c74315d6a5e64df9

  • C:\ProgramData\msvcp140.dll

    Filesize

    4KB

    MD5

    5ea4919025090d4f0347abd7b1177163

    SHA1

    d1f0b69d5b6e2c675ade8a87545b47c270023f7b

    SHA256

    ab8d315c3faf73e26f55924541e8439022d76f3629853b028d9bddef9cd709cd

    SHA512

    1d3eeedb1722ba552d1994a2beaa8742a628fac7fc9b496ec07df2667ff135efb58e71291e71b35aab1520fcf2b2fb68e49af3d4799f7bb35339c2de14945477

  • C:\ProgramData\softokn3.dll

    Filesize

    1024B

    MD5

    85414e833687ab4cce762d248d6d5bd2

    SHA1

    67a548684b7f5940d1292f5b715469f2a537d20d

    SHA256

    adc79a4f50ed3557b42c04cb30a38c0b22fa268d5c087e22e23aa112a339bf30

    SHA512

    50a7fa45029c6ee46459a799ef19f381c48e8904bcd75865e5f9fcfef2e8b6006681ef03c37137a97e6afb00ea737d45fe7e573ee5c424b77de405491b99cdfd

  • C:\Users\Admin\Documents\iofolko5\Kd5B9aaMmPDvVwjd_4TjNYPY.exe

    Filesize

    473KB

    MD5

    2b7045094692bc5dd208cd1e195a6128

    SHA1

    4830718ca327e4717d42586579d7311387c04853

    SHA256

    53f74c71c625da6b7ff77c3a61aad3be0ff4a7199ee447c57c0d12dbbfaccf32

    SHA512

    57374d733a732b5a70ca79115f8107967ef9d5e36f58799f963494cd541486bf911c457fd667553c56dc5217b9d103d7ab55c71b4585a0056b6b70eeb7069003

  • C:\Users\Admin\Documents\iofolko5\Pd3qyNx7NSELdezOZD6ffikN.exe

    Filesize

    550KB

    MD5

    33f127e35338687a1a64f67fa6ed3b9a

    SHA1

    672dc4d194a5ffe2fd5c23b411bca7b99647ebd2

    SHA256

    60bd16249ed2f24c98380920cb581f447a806541827d4eb2a5c1e889b9379c30

    SHA512

    c50878d3cb82e12384f1a1c214d9bec19dc7e0e54285336261837a4c92aa42fd9068ec27c6d0361e60935b097a59d3262c4295c6660eaabb57503e4a2f82b4c8

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/1580-0-0x00000000013A3000-0x00000000013A4000-memory.dmp

    Filesize

    4KB

  • memory/2316-138-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

  • memory/2316-139-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

  • memory/3712-28-0x0000000000EF8000-0x0000000000EFA000-memory.dmp

    Filesize

    8KB

  • memory/3712-101-0x0000000000EF8000-0x0000000000EFA000-memory.dmp

    Filesize

    8KB

  • memory/3796-102-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-100-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-172-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-103-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-42-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-43-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-45-0x000000001FE00000-0x000000002005F000-memory.dmp

    Filesize

    2.4MB

  • memory/3796-59-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-60-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-36-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-29-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-89-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-90-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3796-31-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/3888-2-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-41-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-26-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-6-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-7-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-5-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-4-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-35-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-3-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/3888-1-0x0000000000400000-0x00000000005E0000-memory.dmp

    Filesize

    1.9MB

  • memory/4216-39-0x0000000000400000-0x0000000000661000-memory.dmp

    Filesize

    2.4MB

  • memory/4216-104-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/4216-40-0x0000000000400000-0x0000000000661000-memory.dmp

    Filesize

    2.4MB