asyncrat | 0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51

Sharing

Copy URL

Twitter E-mail

General

Target

Potential Lumma C2C (infected).zip
Size

24.5MB
Sample

241101-jw22vszpdn
MD5

9e5157cbb3ad6e7d5136213da77ce13b
SHA1

abe195d97807b8dbb15c182b60b6a5209112e1b9
SHA256

0e6fc77a72dd0b4c8f8fe7607c92eac7cf5b0d607c9904e09d9fb1b2128a2e51
SHA512

dc409bd9965d18995ace55b5aee00b0a1fb82ace63a670dac93c23ba3c03c8f1050d92a35a440fd5eece625fce4eabb03e32568cbb29c274705d8604bc4f514c
SSDEEP

786432:d4A2cr6DZVRtmN8eVLQ1ib1/HjniGRGevZe5L:dCo61rtWRFh/HLiGRjC

Malware Config

Extracted

Family

stealc

Botnet

7140196255

http://83.217.209.11

Attributes

url_path
/fd2453cf4b7dd4a4.php

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

edH11NGQWIdCwvLx00

Attributes

encryption_key
aGPuRaDerdUDJPrAfXtB
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Framework
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

lumma

https://goalyfeastz.site/api

https://contemteny.site/api

https://dilemmadu.site/api

https://authorisev.site/api

https://navygenerayk.store/api

https://necklacedmny.store/api

https://founpiuer.store/api

Targets

- Target
  
  -pril-main/dwthjadth.exe
- Size
  
  1.2MB
- MD5
  
  0d7c313b85166c863035ad3ec18c6e4f
- SHA1
  
  37707f9bf2e4125aeb25723417645d27b6196f70
- SHA256
  
  88a65937fdd2aabdee1cbf35c91c68f42ff2781dcc1683f47a76bf22369d8b99
- SHA512
  
  06bf4da4b84da41494eb3a5d2d233fad46d17998150fd2141e2fea97d35ca5b1e5def47e6736d5b3ffcafa4c31b1288ad6343f4166c04d7b17f86485590540bc
- SSDEEP
  
  24576:+MHoh+68XmR4ftxOYM7kyMVqfScf/hFkz28OAo4DV75KJeYE:+go860htxOYMx+qa6SzW/uV75bB
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  -pril-main/feuiyjjdaw.exe
- Size
  
  1.2MB
- MD5
  
  bbdf2348280d48f42e73698286a12ca9
- SHA1
  
  c81c885ec8b2699e0d0f575f412ceaab19d449f0
- SHA256
  
  378fa3b7ca6692130a3f6612c1fcb8e383c3ae032274d26f89aa49662b88a9dd
- SHA512
  
  82213d3748a278cab7e1db73ba9572bf09743af5c42f45be94b78f6a7ed7d4f40248eec89e659976e2b2e2490c21dd2c69bb08caf230cffa02cde7930847b365
- SSDEEP
  
  24576:ZrmKiW3vM+VVSvan2oq0XtdFp/0+YxA7iR6VjtEtp0Ky9EV:dVvSin2o9XHE+YKVhp
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  -pril-main/kldrgawdtjawd.exe
- Size
  
  415KB
- MD5
  
  c7b0cb9208e2b95e4feb6b741ff1d84c
- SHA1
  
  5d7446910dbbdca73e8b54657effbe4bca26c848
- SHA256
  
  686b2be963226d6ce410599e55e87854d8ccbcaf323fed1cfc8120a16880b712
- SHA512
  
  7d9ebee121b5191a3b7e5cd51661a47db6d396c1dd5f38b9fa12cb222e3508db9ef31bdbfc7fbbcbdd0011e0d8cb6da8c2c4091ad94497cd62f6ad7675fe7681
- SSDEEP
  
  12288:x1kr8FfCb2FwUv8ONiweKY+eCszyL4f3a:LkrKfC6wUv8ONiwGN/
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3
- Target
  
  -pril-main/pothjadwtrgh.exe
- Size
  
  868KB
- MD5
  
  ca5762b75aecc07225105e53f65b8802
- SHA1
  
  9abd37e3eda743422a7240ed8caacc0ab12ec7d7
- SHA256
  
  f7182909f0bf61829d5fab95d5211e8b21e186247a5265d6cae1cacc77eca0fb
- SHA512
  
  a36b9512b772b51e926e42e32d78510cf585ecac7ff19fce0de8f692e00b5394de3ff209b0c06bdc99e36c723cac8a73e0ad02363119484a944d3c246a430e90
- SSDEEP
  
  24576:maIXlg5MGNL/geFyNcTN+jv75TQn652VBuNyb:zIXlgiGJtF4ch+jvNm0Nyb
Score

10^/10

stealc 7140196255 discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
behavioral4
- Target
  
  -pril-main/ptjjsekfthse.exe
- Size
  
  631KB
- MD5
  
  4d95ea8721d0a84b69c2d60951a8a65e
- SHA1
  
  b3b9230b284c32e8d35c65b6b31d0a1b729c6d7c
- SHA256
  
  1aeaabc57a89dd8508a5e997236b91b3cd7e584dad94700fcad9d8637d2b926d
- SHA512
  
  7500b73aa452a6452fd6fe41df0fbffa96821918df34fcff2a29bf2072f5fdb02886fa0945f5d567fefcf30de6d042b4e17e6760bb5e5a3ceba11767316c3fee
- SSDEEP
  
  12288:Cr2N7ewZcHjHkoP19jpVgUbdxGU2NjCa8UQGqIJ7uHXNI8W2Zx:Cr2EEypVg4x8NmtjS+
Score

10^/10

dcrat infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  -pril-main/thadkythjawed.exe
- Size
  
  1.2MB
- MD5
  
  69d72f6f5c7d8e466e4508debf3c25ce
- SHA1
  
  323adedde44004b5b2756484523f6d42fcf19169
- SHA256
  
  b01136e7edb6f8a6216fcbc97064ecff3c2e3139dd89f2c309fbe4cc7c42592f
- SHA512
  
  fc98f9f9ea603ecc3aee9fe7a81dea8a770ac11090b8eba3d147974fb6ab0dd341fa91b9bf1d634ed39006e08c9911df53ce8a80cfc16ce6153eb359eeb83215
- SSDEEP
  
  24576:KCr82vV+b9bKcfS1xritdLiFZS0M2z9y4LHRgaEy2T2lHIishkMhSf:KCrBqTfSLrifCS0Zy4zKavblBs5I
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral6
- Target
  
  Installer/CapCut.exe
- Size
  
  332KB
- MD5
  
  9095698e073c305cb31934f911e2f224
- SHA1
  
  3c3a7cf49ecc1faf01d8f85d345425a3c417361e
- SHA256
  
  a274bbefeca015c06188faf15493b32f3ed4b175a92fa4fdf59a0da55059f6db
- SHA512
  
  8470d517a74c721911b7a5b93a8513630a9cfef747ef143296bfdcb3174620ddec7d2e170afbed2621f441aaa663b46eec676c9e8065b9fde87bf15633190fb6
- SSDEEP
  
  6144:KurqFF99YI+Ka804ozhmKuRb5B/OalLbQg1/R:YFFXY9vrzoKud59Oahbv
Score

10^/10

lumma discovery execution stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7
- Target
  
  start-main/Session.exe
- Size
  
  1.5MB
- MD5
  
  a8578b1ff74aa8506b592af6e80dd7bc
- SHA1
  
  6d28f1e3f26a9417eca24735ef4cc5319c71a6ee
- SHA256
  
  d4bdf4588069d6c2ff81830097755f1202c643c9da2298525e845bb7d615a15e
- SHA512
  
  972443fede85c401f84509644930cb26aea926a00911bb283227cf2ab758d3e3584800471c86a39a2fd738ac9b45afd195b2e3a98d9240383c5aad3a88fb74df
- SSDEEP
  
  768:hnlqO2/uz1/egx2LeGaja2fr9644XtH2:hEZGz1/Caja2fr9644s
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral8
- Target
  
  start-main/Sushi.exe
- Size
  
  12KB
- MD5
  
  3c21bbb4c39b971d4a9b1cbf2278bfe1
- SHA1
  
  4d16934c233d41a83e9ee1539deb49b844b0bb9e
- SHA256
  
  d38bb1435e7b381645983377916233aa5eaa453a2ce800471a1bac5b178644a0
- SHA512
  
  01a5ce1e7b675d220a96b57ae7b809f31335a038f4be2140286fbc0ec541cc00d62f8f57c8f00000759dd77a008c058fb1d4e4f0ff0ff69677ad2d94a0389f4e
- SSDEEP
  
  192:14G1UU5tiCLdrZtefSU0x1EagBsOp+kVnMe:14UUuLdrZg6UieawVM
Score

10^/10

lumma discovery execution stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral9
- Target
  
  start-main/fgthawd.exe
- Size
  
  472KB
- MD5
  
  95a8abfcc4bdd662984351539c7fc9c4
- SHA1
  
  8ac52de0cdb2288b41c9f647af2cc879a5390c2f
- SHA256
  
  6022fdab4f5ac5267337aab5a6eefd5076f4e615838b3ff31c6335d985306cb8
- SHA512
  
  32a0b205b725e90d6e8ca728ffd0712d743c9380ed58ffde489fb5517f60ddca893e5bcd0e9313ed9c3690633ad58613b3d52fb595c43dae7297dbd0b156b582
- SSDEEP
  
  12288:8+2Ksc+c1YpqA9CO2Iev1xAdsw81niKfx:EKs5MYIA9Xev1x2s71ikx
Score

1^/10
behavioral10
- Target
  
  start-main/gawdrgasd.exe
- Size
  
  329KB
- MD5
  
  81ab7fea76bf6da3974c36621aa4cb31
- SHA1
  
  6372c305ef2ce39889fdfe7af2c793230de7fc85
- SHA256
  
  b08683d5fcb12088546ac00c82a97920d4c7ab6b81dbb041acdf2c33c4950e34
- SHA512
  
  c62b402c52b5d565467b06799ebba12005a3897ccd4bb36e598b2fab4975f73ecacd58c62e3b7e6be53d61bc3a22c8a1f01981fd0baa82b70c615961ba57232d
- SSDEEP
  
  6144:s+NevZ1DxnKawbFXF1qmHyuLUC2UoMZH:VeB1FnAFV1qQRYC2Ot
Score

10^/10

lumma discovery execution stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11
- Target
  
  start-main/hbfgjhhesfd.exe
- Size
  
  288KB
- MD5
  
  2b3a191ee1f6d3b21d03ee54aa40b604
- SHA1
  
  8ecae557c2735105cc573d86820e81fcff0139c4
- SHA256
  
  f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8
- SHA512
  
  31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393
- SSDEEP
  
  6144:k7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbken:alJtTF9zVGkllbkm
Score

10^/10

quasar office discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral12
- Target
  
  start-main/hdawuithjawe.exe
- Size
  
  1.2MB
- MD5
  
  cee5bab49d1d0a50638850890cd4a700
- SHA1
  
  cbfd2ec7599c72df635a59c2bfb0ed33e25435a6
- SHA256
  
  b287d2057d489ff4a90316ee3fb0d4d83d84ed6d4e58c4560181be412e6bf586
- SHA512
  
  f3e6add5fa4fd66b8ad83cdd12abf0d1bb264d300bca01d3392aae0b3b349c124083f8bf454ab366ab593aa4ec3b08cbf7d4d7425982a84a9de509bf26aa380a
- SSDEEP
  
  24576:Wu+uTl0eITgu8mYoJrXsHClGBm7DZ6IjjcyGWyloX454DvJjkH379tjWlvs:WTclITgu4CyWDUIjjEuvJjkHrTWG
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  start-main/hnfsefawd.exe
- Size
  
  933KB
- MD5
  
  7842a71a8910e4e39077f7b7e9c08eb6
- SHA1
  
  1446760ee849308d7ed97b4e215f96db54681a5f
- SHA256
  
  9cc4afb19c3702ceb41940a0261c7bdc8dafb347aa9aea1b6c84a88e62669e84
- SHA512
  
  ae90232ecdc9ca11eb768fe579b356699ecf25829b38a83b0ff57b74278d250adf96f96c083115c87a1346e5192a1f721141f42f1719b30e5251871f1b1b56d2
- SSDEEP
  
  12288:Zj71U9TGD8RPSSDoioHTDN3UpW3Ari4VVyZC0+1cw2jINofdiBZRwsCM9hsJeY60:ZP+QMZD9oHTW3iE0nHmd9Y61+
Score

10^/10

dcrat discovery execution infostealer rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral14
- Target
  
  start-main/jerniuiopu.exe
- Size
  
  288KB
- MD5
  
  d0d7ce7681200387de77c7ab2e2841cd
- SHA1
  
  8b6c4315e260954b6c33f450ad3baa9f79fe72e2
- SHA256
  
  b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96
- SHA512
  
  bc3cfac3450cbc17ce8c9758f10c7e4034764f40a6797edd4a8eb6e95d6db9c5f46a46487a6e483ef0eed23243e9f92c0ea391a0416ebbc6854e2b9914ad9788
- SSDEEP
  
  6144:w7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbk9n:OlJtTF9zVGkllbkh
Score

10^/10

quasar office discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15
- Target
  
  start-main/jthusjefth.exe
- Size
  
  1.2MB
- MD5
  
  00e59658c53df6a6fa31a635e1dc6bc8
- SHA1
  
  f761c91f428390f205f975dce57ab16f91480c9b
- SHA256
  
  afee949b260be87c08ed4db102681e63a872816be5b3e99e31a477d543d4a7d5
- SHA512
  
  f0b9cf30d6fdc1d80c26bd955c9e0829188447d04996cea7460a727db2330f962e56bec9f65ca70eb8e86d500d6c0504675332e9016c6a02316fe7454aac5544
- SSDEEP
  
  24576:QZwAn2KJSXMtH/E1CRrNv0HwHicFX84Q5KxEbq+ptXWGyfUP51Vhc7HDAJoh:QZdnoXseCRrN8HwCrK2e+3WG6KC7bh
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral16
- Target
  
  start-main/jythjadthawed.exe
- Size
  
  855KB
- MD5
  
  fda06a638ce0756950f40dff83a675e8
- SHA1
  
  7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
- SHA256
  
  6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
- SHA512
  
  26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
- SSDEEP
  
  12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6
Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- DCRat payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral17
- Target
  
  start-main/khseofk.exe
- Size
  
  1.2MB
- MD5
  
  99ce1a5c77d557edc51c446dc8bad726
- SHA1
  
  d7a96730b111c26e0273405dc0007a4b61ac04a0
- SHA256
  
  f24dd18ba78871ead826608c2d0a32dad08d7f76640e6eb47ca968e076d1511e
- SHA512
  
  132c9aaf2cce823f402034d94b9e80b125c1e5e13288cd0bf5831b42d27c8a44dd4347e10cc09ac2e6ff28abe450990dfb9e59d04942b9c2c7602dd9b1d15eec
- SSDEEP
  
  24576:/lnycwIeFS2eYQPxKY0dXTylMvqeYD46wipwzadXq5A49sw+GK:/lny5Zr6xGddvr6IipwzX5ZD+G
Score

5^/10

discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral18
- Target
  
  start-main/khtoawdltrha.exe
- Size
  
  1.2MB
- MD5
  
  21eb0b29554b832d677cea9e8a59b999
- SHA1
  
  e6775ef09acc67f90e07205788a4165cbf8496ca
- SHA256
  
  9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656
- SHA512
  
  e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742
- SSDEEP
  
  24576:VUt6SS6/lwChL5nLexP9eVKN3RjJMDnhY3YnBypzcnNftDquJN:+t6fYFexPoKNfMbcYnEINVG8
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19
- Target
  
  start-main/ksfawtyha.exe
- Size
  
  855KB
- MD5
  
  fda06a638ce0756950f40dff83a675e8
- SHA1
  
  7d121e94b2c4885f8838a2a18ffaa4a25afd96d0
- SHA256
  
  6b986293d3057fb2ffb8759b53182756595f68aa95c584d73b9e1e9e3997826d
- SHA512
  
  26d033f6d3e490a1773622072674001c1c962214a19b38d9a0a63383cde9fbfadf6658359895f19c9a68890d5c8a21a047beb578134d35ecd18f733dd002d1e0
- SSDEEP
  
  12288:OWTns93nQb1f13TH3XmaZ4JJMA+zpW3Ari4VVyZC0+1cp9rcDNpTWDTQGFZ6:OWTnbb1f1bmaZKJMA+z3iE0nTr/6
Score

10^/10

dcrat infostealer persistence rat spyware stealer
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral20
- Target
  
  start-main/ktyhpldea.exe
- Size
  
  1.2MB
- MD5
  
  e9a83661d98fca881cd4497a985a20de
- SHA1
  
  38c9937610d563b848a634aed39366ef8b2a8f37
- SHA256
  
  f8dbff120f44cf68bcb802c11f24bbc506f11803e8745883a0f650decea1db47
- SHA512
  
  df008a6302c877f4dae1780bb3ed3682498586c9e556681c8359012948ba9bb6d720af87b51f1f850d6550d809eb6e9242992b07c6dbf1b9c7b2fd3afe389e2e
- SSDEEP
  
  24576:uSdwEX22dRlHrWJd7NvGSv6C+amn+TBlT7SYr4kBtDUs8/Xa:uS+EX2QudpQamn+1RS+4xs8/
Score

10^/10

lumma discovery stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21
- Target
  
  start-main/lhoefskghas.exe
- Size
  
  415KB
- MD5
  
  c7b0cb9208e2b95e4feb6b741ff1d84c
- SHA1
  
  5d7446910dbbdca73e8b54657effbe4bca26c848
- SHA256
  
  686b2be963226d6ce410599e55e87854d8ccbcaf323fed1cfc8120a16880b712
- SHA512
  
  7d9ebee121b5191a3b7e5cd51661a47db6d396c1dd5f38b9fa12cb222e3508db9ef31bdbfc7fbbcbdd0011e0d8cb6da8c2c4091ad94497cd62f6ad7675fe7681
- SSDEEP
  
  12288:x1kr8FfCb2FwUv8ONiweKY+eCszyL4f3a:LkrKfC6wUv8ONiwGN/
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral22
- Target
  
  start-main/ltpohpadw.exe
- Size
  
  2.9MB
- MD5
  
  038ccf7da7eaea8511b82fc514af1ec7
- SHA1
  
  380e9b386e877d188b967ab41fc5f2d561cc25ad
- SHA256
  
  60700457539dee99f5c3fcad53c5ef6dac76a4ca838c11234420bd94ff4b76a2
- SHA512
  
  758fa847d6f5f7d99229138a4a2803f1189835f0a572a8709a1e95039fa2032c4aa73b2f6614295e9c3940aa890cba9d17feced1cf4392689012aef2eede2bc3
- SSDEEP
  
  49152:Ugmjw6s/KHSc8unyD/zCpeEI3TyGpB4BNkG5P+YUa9kyXITBPxBRo:WTs4ScD8qeybkqUa9Dudo
Score

8^/10

defense_evasion evasion execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral23
- Target
  
  start-main/mhbiwejrtgha.exe
- Size
  
  313KB
- MD5
  
  89fa96935b10329dd2ca85165a2117b7
- SHA1
  
  8f8a9841caba7287f8608117d77e7849133a0b70
- SHA256
  
  7bc005cf74975a16d641094c34335de9533ae3a7bad07e8cde787622bd0667f1
- SHA512
  
  79ba570c62939356f09a5f7071981c41d20f6e4af9cb724814cc08b9add2efd6a5adb55dd0f7d41bdf49b011b74b31242082fa0547562ba0bf5e22900075ae46
- SSDEEP
  
  6144:IMtTmCSh9wbLYUvftSwNTILx5HzMCVB3wBDDJnoSLdkrEeh99qbDUyJ:IM9m99slRQx5HzMCVB3wBDDJoSLGrEeG
Score

1^/10
behavioral24
- Target
  
  start-main/njrtdhadawt.exe
- Size
  
  943KB
- MD5
  
  96e4917ea5d59eca7dd21ad7e7a03d07
- SHA1
  
  28c721effb773fdd5cb2146457c10b081a9a4047
- SHA256
  
  cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957
- SHA512
  
  3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687
- SSDEEP
  
  24576:ajfMVHefX7eO2FwYPMGNL/geFyNcTN+jv75TQn652VBuNyb2i:oEQreO8wRGJtF4ch+jvNm0Nyb2
Score

10^/10

vidar credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral25
- Target
  
  start-main/odrsfgawd.exe
- Size
  
  526KB
- MD5
  
  29f1c1d7a651b39f96ec5cef9cd4071d
- SHA1
  
  ce27d36c953fe12c733c920ca9aee4199ee4dbb7
- SHA256
  
  bdf890b78dc6fd33cec86be7fe593714ae1b713f0644402819cabd5bba5f1bbd
- SHA512
  
  24149490810f23f2b08fde9e7ab4c8702784bf26d5b72c76b0eab9dce5881fb3412faa6ec1f7c5e183a015fe4e7a3dc332d94782fbd21361f66f19f1cbbb659a
- SSDEEP
  
  6144:tSveb1jQZD0wmWozuZW5DwwzqLhh13QEGQnh9lTRXvtkpAbj7KvaP5fsz61+:tom1Mh0AZYtzE3TvnhhXFU0j5M61+
Score

10^/10

dcrat discovery infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral26
- Target
  
  start-main/opthjdkawrtgh.exe
- Size
  
  392KB
- MD5
  
  fb4d937965edc85f6283ac8bd239b92d
- SHA1
  
  a316279a002dd18ede5fce6e560b052e438491c5
- SHA256
  
  dd3b16a32ef24a5b566d5ddee47ad2b500121653b526f55cb632c4897da59ce4
- SHA512
  
  9e53eb5c4b936ad5611617e49e54c9b19ec289c19db5ff9654bc56f5ee540118dbb0fc43923d779ab669510ad9ef0871765eeacd86904f34d662fa68e1a7db7b
- SSDEEP
  
  12288:84WcRRT+qaLO8i5id1RWlds1WASepDwJEek2N5vdhnvSfvo:845jsFewgRSf
Score

3^/10

discovery
behavioral27
- Target
  
  start-main/pdf.exe
- Size
  
  2.7MB
- MD5
  
  cf84711e3c2b8a0d6df8ac0550185893
- SHA1
  
  16238c6487a5c00398458658a123be9a8bf63532
- SHA256
  
  3b738aca822d7d42a1e7700ee8a8e3c3c86bcc0b5ba6f5ef8d3583003c17c81c
- SHA512
  
  ead98b871890458131bb096124fd92f38e94795e19ecf5a70597b74ab8617b87ec81368113660c6588d60f98f74372728134c4cd81cc938e1afa76e4fb2cef96
- SSDEEP
  
  49152:/ZEkRPDWaRdGSQ5K//XMCs9pvilPahSzWXXyvd0jX3N6XbOE+HfW:/ZHHcvsnMleaszWng0b3NWa/W
Score

10^/10

asyncrat stormkitty discovery rat stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Enumerates processes with tasklist
  discovery
behavioral28
- Target
  
  start-main/pthjadh.exe
- Size
  
  2.3MB
- MD5
  
  9c044a232b3f817c3b91ce10adc92e0c
- SHA1
  
  12c9eb2e4c0b014356112a40cde6f4ff6ea5af6b
- SHA256
  
  798b09042289ed11db467e8c1d239b68e9ae1cf1f73401e5bf2bdc95bcc8a123
- SHA512
  
  37b8c133ca63e3f32e44d1417d3d6f7ff6c682696012bbedc65d07e0773ec9d70a9e12e519b9368ccc1bdf6273edb63d5b797b7b3e7c1bf749f42ed08052bef6
- SSDEEP
  
  49152:Rwcx9pgRLTOTnqEOEvERC2F9L0ViBBM84yv8Pdm/c7YrFUJUUUUUUU:Rwcx9pgRLTOT3dERjUJUUUUUUU
Score

10^/10

asyncrat stormkitty rat stealer
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral29
- Target
  
  start-main/ptihjawdthas.exe
- Size
  
  29KB
- MD5
  
  3ace4cb9af0f0a2788212b3ec9dd4a4e
- SHA1
  
  2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb
- SHA256
  
  121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e
- SHA512
  
  76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56
- SSDEEP
  
  384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral30
- Target
  
  start-main/yjadyjasfdtj.exe
- Size
  
  855KB
- MD5
  
  5780dbae6ac61a88c8d89f216f324146
- SHA1
  
  cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
- SHA256
  
  4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
- SHA512
  
  8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
- SSDEEP
  
  12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
Score

10^/10

dcrat infostealer persistence rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- DCRat payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral31