General

  • Target

    7f3c2473d1e6.exe

  • Size

    580KB

  • Sample

    241006-raqqpssarb

  • MD5

    6831d86595ae93dcede5d664ca433f76

  • SHA1

    807c269907d7678e434570a6efcd4d93c6074649

  • SHA256

    fbfaa4457eebac3cc3df1a4e3ce9d4c7fb889f1e4a4edba71b245dd2445da3f7

  • SHA512

    994c9caa806b0386a3bab6633ba132298868db59d1439d6b076cab08734480abcd17580617dd1d58efa46c4676bcbfc972c0253e013d46ab7329472fdb92d083

  • SSDEEP

    12288:1K/vg3InPBxdMQImQooPAP/MI6WqTGozr3fUr8rKw:1Kg3IPBIm0AP/M1TpUWp

Malware Config

Extracted

Family

vidar

C2

http://proxy.johnmccrea.com/

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Targets

    • Target

      7f3c2473d1e6.exe

    • Size

      580KB

    • MD5

      6831d86595ae93dcede5d664ca433f76

    • SHA1

      807c269907d7678e434570a6efcd4d93c6074649

    • SHA256

      fbfaa4457eebac3cc3df1a4e3ce9d4c7fb889f1e4a4edba71b245dd2445da3f7

    • SHA512

      994c9caa806b0386a3bab6633ba132298868db59d1439d6b076cab08734480abcd17580617dd1d58efa46c4676bcbfc972c0253e013d46ab7329472fdb92d083

    • SSDEEP

      12288:1K/vg3InPBxdMQImQooPAP/MI6WqTGozr3fUr8rKw:1Kg3IPBIm0AP/M1TpUWp

    • Detect Vidar Stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks