General
-
Target
9c11c097d708312b0a43173749d4eb68cec4f8d4a4102e1345c0e80789da3e8c
-
Size
13.4MB
-
Sample
241006-sanf1stgrg
-
MD5
79fda394178a2b7462cc45bd68553600
-
SHA1
7dea1937b7ce65866cd2c2de712ebd082f9079df
-
SHA256
9c11c097d708312b0a43173749d4eb68cec4f8d4a4102e1345c0e80789da3e8c
-
SHA512
0be3a29c8009906e46dccd1e1e8194ca1d57553ffdb06f351d5237c71b88dc7f6ba71fda32d9c0f7425fa30dbb8ed4214c6b7f098ad9d3e700e7dabe41e58765
-
SSDEEP
393216:3umObCYB5av9K4+Gpz18aTOaiCfQ0i8my:ejunTzbu2
Malware Config
Extracted
njrat
0.7d
Test
45.84.199.218:1604
6a92a61ab784903efa726baa74e277ab
-
reg_key
6a92a61ab784903efa726baa74e277ab
-
splitter
Y262SUCZ4UJJ
Extracted
stealc
save
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
cobaltstrike
http://47.239.242.141:9999/s9bO
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASB)
Extracted
cobaltstrike
0
-
watermark
0
Extracted
cobaltstrike
391144938
http://47.239.242.141:9999/updates.rss
-
access_type
512
-
host
47.239.242.141,/updates.rss
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
9999
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdhRuZ8bcfavINxDWUlidW6zGVlr+eq6vQhYv5gDf+o/aTecyHiILN27xt4IddBAEK40TDdez2C8i/YM6v9UETgxNCsb8clT6dUFgAjlAOTJaJ9kmfGTdJD1yxwkmvwznW1yh6+ntNJ4mH0jcwp3WP4DjuPxFpEYvEQ35D9v1IjwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MAARJS)
-
watermark
391144938
Extracted
vidar
11
c8450254a9a0920212cb81ae7f386da3
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Targets
-
-
Target
1cb080c3d69281ff2af28a3b9f448ba493bba28b1c2fde989d5fe91eef4689ea.exe
-
Size
1.8MB
-
MD5
a5ac4af7cce548bcdefe3ea60b226f3c
-
SHA1
b1571f043347987ffb4e90806fae84165a664399
-
SHA256
1cb080c3d69281ff2af28a3b9f448ba493bba28b1c2fde989d5fe91eef4689ea
-
SHA512
58b0e239196b961a36649ab9684d917ca7a88c08a0817aece90c2ec6417ddc637ad6092b4dcb5121acfc05757f84eabf18e528fd225148db3f0d4dcaabc39ae5
-
SSDEEP
24576:7HQxE8arKdOhxJ3PHjPEb6UKc8sfjX3BqljMJX/ySEx8EFM5fqCeX:LQxzdcVZLsfjX3slAzM8QM5CC
Score10/10-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70.exe
-
Size
404KB
-
MD5
07beff810640c60bf60464f5e1efb5b0
-
SHA1
2af2ee421ae26a98f9775bfe46821ffb47b406d3
-
SHA256
2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70
-
SHA512
1ed5082b2652d1253c13803c3607afe4befa564c03f1203a6ad157f0187482382d7a1438e34a95667495c89a6ebe020d838fe61ec7f697de865fc55a3b031fa5
-
SSDEEP
12288:eQn647UR3tHxUAbjUgMhcdMnAXTwHqsEO:z647UTjXUgVXTrst
Score10/10-
Detect Vidar Stealer
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
27055280296d10b811b4d76456dbc5d29aac8b4fc33708fa47b36334e1d85700.exe
-
Size
326KB
-
MD5
adcbb5fa5706fb287f01370eb99e0d10
-
SHA1
2bff6fd096b95b1591259d223f7a0ced2bb1c79f
-
SHA256
27055280296d10b811b4d76456dbc5d29aac8b4fc33708fa47b36334e1d85700
-
SHA512
c2c9addbbbad6c678069874428ab54060550e583e018af9052a8445ee32bfb72586592711b6ae25d392378e50fdfb2ff9a6741d4aa4a5b15cd0b16176db0b8f1
-
SSDEEP
6144:Ns/IeaQRgAaVIEs1gsHKyDbrXtkD+yEl9WsAwT92ORxEO:qweRd11d5frdhyEl9WiT93EO
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
49299f91e7332c216e492d160c690a529b1b644bfd5879eefaf2ae37e2ea3a9f.elf
-
Size
8.9MB
-
MD5
b1e65b4b43992ccfa9d4ec32f37f9c78
-
SHA1
740c77d328d1fd9d8fcdcfd6e8d4f77051e70a6a
-
SHA256
49299f91e7332c216e492d160c690a529b1b644bfd5879eefaf2ae37e2ea3a9f
-
SHA512
8f22de2ebf97abdc016d505c3b7b2f0b4e8b358a883e37e8bda0eb85593e43e61028dc51ea2e192e16c698eb6bc9a41a2933e0949935ca5cec35eba8740f1e56
-
SSDEEP
196608:3UWaf1Ko6sGqRd2ivzaBt1aXEaLpodb9WMPJwXfqNeVWtlPrQBs:3aQEGhiOBfaX/L6db9WMeXdI
Score4/10 -
-
-
Target
6f881e1052c12c0f98f059f796602945b01a359c8d6154eb0e731dd6309a5f93.exe
-
Size
31KB
-
MD5
68727ada30812394a13441b47a85f70c
-
SHA1
88df82dfc945d8972e43fa338b40c2a001884e61
-
SHA256
6f881e1052c12c0f98f059f796602945b01a359c8d6154eb0e731dd6309a5f93
-
SHA512
6175b203d266e6ab6954cc3237525ba7cafa49235ba88432c031717bbaa5f335174cac916f1525c60ab974182e8c389cbc0c6dfdfba37a8be809b095983b00fd
-
SSDEEP
768:UrhO5b13hdwzxLy3os0O/dMRvCnQmIDUu0tiFFKj:mcZ6eh6gQVkXj
Score10/10-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
-
-
Target
a8a1a9e80fd7d0ce85227bafd2ec004d2cb52d7e37744cd37bd3641c946822ef.exe
-
Size
19KB
-
MD5
dc66a0481a259a5c8820880822ff0b3a
-
SHA1
cbf0988817adcdf51562a519b1d7d4e5c68e5bf5
-
SHA256
a8a1a9e80fd7d0ce85227bafd2ec004d2cb52d7e37744cd37bd3641c946822ef
-
SHA512
508662d93c5b14f18aea08759f32f12a281161d5e3627dfd63447f2e1e3719c8acea15b9f35c52bc5ba99af67f486488c0c51a2203867b88731e9e65f03abe78
-
SSDEEP
192:bV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2OcJWF8qa1Dojjgi:1qaCF31cix+Dc4zjbjFF46gi
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
-
-
Target
e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6.exe
-
Size
3.5MB
-
MD5
65feff45a4140b9c22043e9227f7c978
-
SHA1
49f2594e949e49cb97bc14ccddae177d1a890661
-
SHA256
e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6
-
SHA512
74f202cd05e0ee599c9405188d6817f59536e714550f667a8aee4a1614e6b420d60ec2322cba8b16f1c387f0c69821eca788e4a61a2a54ddf44d991639b127c4
-
SSDEEP
98304:Rq7zb/x3ohSLwqyZimcnxTGwvsqXLhUe9eDL:wx3ohxqgcxTPpUeyL
Score10/10-
UAC bypass
-
Windows security bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4