General

  • Target

    3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe

  • Size

    238KB

  • Sample

    241009-xdxlbawbpa

  • MD5

    f37e0267c53ae8e94fe38e87524b8c45

  • SHA1

    facaa93a619ab87da8ac448dd1fc71fb72e5380e

  • SHA256

    3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80

  • SHA512

    9684c9d8b8c6995f889be8e8a72e8340d12b32e85327c5b70892191f4510b32f374fc408aed1e37022326af43f620d187abfbc93f8f218488c65c3dd732ddb74

  • SSDEEP

    3072:CeuFCkfRp1vGUfQuDHI4AwFW2NcRscYhQ7zkt1gZyAJhETpee5n0dJhhGhzLsygP:CeuNp5GNuDHI4DyWlAif5neJC+S3S7

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    default

  • C2

    http://46.8.231.109

  • Attributes

    • url_path

      /c4754d4f680ead72.php

Extracted

  • Family

    vidar

  • Botnet

    8ecc9c7eaebfdf2a8cc0586d7419d6ea

  • C2

    https://t.me/maslengdsa

    https://steamcommunity.com/profiles/76561199786602107

    https://t.me/lpnjoke

  • Attributes

    • user_agent

      Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

  • Family

    lumma

  • C2

    https://drawwyobstacw.sbs

    https://condifendteu.sbs

    https://ehticsprocw.sbs

    https://vennurviot.sbs

    https://resinedyw.sbs

    https://enlargkiw.sbs

    https://allocatinow.sbs

    https://mathcucom.sbs

Targets

    • Target

      3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe

    • Detect Vidar Stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks