General

  • Target

    bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13

  • Size

    64.6MB

  • Sample

    241007-r7s74ayhrp

  • MD5

    7854056968780ef9d932c48f3c404b8d

  • SHA1

    51be32f3ba072e907c1d77b3ad0fdaf9150c9631

  • SHA256

    bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13

  • SHA512

    154c3f5e7dfd9b4faa7e8d160afc9d8e91abd31d9e38c55e445ea978c0df0ce0cd970fcd426dc8e8f0cf5fd11c30c456665b076c2f92d0da2be3e3ed63794a16

  • SSDEEP

    1572864:UkTQtD108qdyfZFBanNsnIfnbJYuWiiXS4/6rUXPsDrTSC:UN910xdyfdManIfbJG5D/6rUXPESC

Malware Config

Extracted

Family

lumma

C2

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

https://reliabledmwqj.shop/api

Extracted

Family

xworm

Version

5.0

C2

lun.servepics.com:25902

Mutex

gUAMuTh5gjsDB7Ov

Attributes

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755

Targets

    • Target

      bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13

    • Size

      64.6MB

    • MD5

      7854056968780ef9d932c48f3c404b8d

    • SHA1

      51be32f3ba072e907c1d77b3ad0fdaf9150c9631

    • SHA256

      bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13

    • SHA512

      154c3f5e7dfd9b4faa7e8d160afc9d8e91abd31d9e38c55e445ea978c0df0ce0cd970fcd426dc8e8f0cf5fd11c30c456665b076c2f92d0da2be3e3ed63794a16

    • SSDEEP

      1572864:UkTQtD108qdyfZFBanNsnIfnbJYuWiiXS4/6rUXPsDrTSC:UN910xdyfdManIfbJG5D/6rUXPESC

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks