Overview

overview

10

Static

static

3

2024-11-06...ch.exe

windows7-x64

1

2024-11-06...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch

  • Size

    6.8MB

  • Sample

    241106-es4ztsvfmj

  • MD5

    d5c151a1b87b4c1964149ba51b284112

  • SHA1

    026b3cf796511e5bc99a6ebf97b9699b4545feff

  • SHA256

    bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c

  • SHA512

    3ef4c70d5a600eb2e661ef5a8ce3cb432680ce970d783b134d69ac612957501dc3f88cb4d1bacf8e311ce11a5e099efbf4fca4b6338e7f8eadb46ef5f4356a6e

  • SSDEEP

    98304:DOj1RilKq5sOlzNqWTjZAgeoLO1NNU9BS1:Bzg0aX1NNU

Score
10/10
lummameduzastealc7122819010collectiondefense_evasiondiscoveryspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

7122819010

C2

http://83.217.209.11

Attributes
  • url_path

    /fd2453cf4b7dd4a4.php

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    458

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Extracted

Family

lumma

C2

https://geerkenmsu.shop/api

https://worddosofrm.shop/api

https://mutterissuen.shop/api

https://standartedby.shop/api

https://nightybinybz.shop/api

https://conceszustyb.shop/api

https://bakedstusteeb.shop/api

https://respectabosiz.shop/api

https://moutheventushz.shop/api

Targets

    • Target

      2024-11-06_d5c151a1b87b4c1964149ba51b284112_poet-rat_snatch

    • Size

      6.8MB

    • MD5

      d5c151a1b87b4c1964149ba51b284112

    • SHA1

      026b3cf796511e5bc99a6ebf97b9699b4545feff

    • SHA256

      bfc8c61db414e9edbcd5d6ccbfa742481a53b6da1fc3b8a209adc01fa76a253c

    • SHA512

      3ef4c70d5a600eb2e661ef5a8ce3cb432680ce970d783b134d69ac612957501dc3f88cb4d1bacf8e311ce11a5e099efbf4fca4b6338e7f8eadb46ef5f4356a6e

    • SSDEEP

      98304:DOj1RilKq5sOlzNqWTjZAgeoLO1NNU9BS1:Bzg0aX1NNU

    Score
    10/10
    lummameduzastealc7122819010collectiondefense_evasiondiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

      stealermeduza

    • Meduza Stealer payload

    • Meduza family

      meduza

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • System Binary Proxy Execution: Rundll32

      Abuse Rundll32 to proxy execution of malicious code.

      defense_evasion

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks