General
Target: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a
Size: 63.4MB
Sample: 241010-a3fyjasenc
MD5: 8a3b1b5afd0271e204325ce9eb9158fe
SHA1: 1ef496e949d1604df04e01bb671481b605bf19b8
SHA256: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a
SHA512: a7fd6a354c9b3a0696d6d6daea0bddd4b53d2d438a4af2cd37e068c479e9156708ad39ce6cf59b3318aa166c95e62f3fefb3b93219ff4364bce8c66ae6082028
SSDEEP: 1572864:SLq4DIntRFxi0ef09rzefa/ythYOZdWFS/lz5dowWM:SLq4DInDFKf0lzea/yF8FSvdowj
Static task: static1
Behavioral task: behavioral1
  Sample: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a.appx
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a.appx
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: TinyPatch/TinyPatch.exe
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: TinyPatch/TinyPatch.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: lumma
  https://drawwyobstacw.sbs
  https://condifendteu.sbs
  https://ehticsprocw.sbs
  https://vennurviot.sbs
  https://resinedyw.sbs
  https://enlargkiw.sbs
  https://allocatinow.sbs
  https://mathcucom.sbs
Extracted: stealc
  mainteam
  http://95.182.96.50
  url_path: /2aced82320799c96.php
Targets

Target: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a
Size: 63.4MB
MD5: 8a3b1b5afd0271e204325ce9eb9158fe
SHA1: 1ef496e949d1604df04e01bb671481b605bf19b8
SHA256: 790b8ec5a42591a245011d49484da552d65544354fb6c5a993443eedbc65ee7a
SHA512: a7fd6a354c9b3a0696d6d6daea0bddd4b53d2d438a4af2cd37e068c479e9156708ad39ce6cf59b3318aa166c95e62f3fefb3b93219ff4364bce8c66ae6082028
SSDEEP: 1572864:SLq4DIntRFxi0ef09rzefa/ythYOZdWFS/lz5dowWM:SLq4DInDFKf0lzea/yF8FSvdowj
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: TinyPatch/TinyPatch.exe
Size: 149.3MB
MD5: 421b9213f8ac3c4e3f33a8c1d53583e7
SHA1: c24383ddbc6fce79dc7a482bfdb0b8a374327131
SHA256: 911410b12ddb12ace59782c6e23d23c8fc2ad32405fec6d6c0ea4cac08da1872
SHA512: d68133b0120f77a9d0fc1048b00841af643072cb2b7cd36d21d3894239061faa694b6c4e517e9c28eda95db751ec4a861cb2993a3f29723bd979fe9822947a5c
SSDEEP: 786432:cATKLb5CC7Ncquk/8ld61cU+nWbHrtoDHSv+g6kQarnqqN69fTIKR8I:tTKLbcalkRWXtS9UqF9f0KGI
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Defense Evasion
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)