Overview

overview

10

Static

static

1

URLScan

urlscan

https://www.youtube....

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbERIZjhRcm4yYVU5aVlxcW1mcUtqMUt4eUstQXxBQ3Jtc0tta25wUWE5T01ZWEFtaURraU1hengxcjRyVEZoWmVuS3dGZkJxMGJfQUlsanYzV1dKNmNTdllDZHFKdlRMdjVSV18zNGRpd0pXUXdOTnhmOWFqcG1GbXJIQXo4Y2ZwcXhjdVNNTWlXUFllZ25NMXB6VQ&q=https%3A%2F%2Fgithub.com%2FAmsterdamA1%2FAmsterdam%2Freleases%2Fdownload%2F2.0%2FSetup.Program.zip&v=nSi4avg7vM4

  • Sample

    241126-wj2a1symbj

Score
10/10
darkcometlummaguest1690credential_accessdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    188.120.227.9
  • Port:
    21
  • Username:
    PK1
  • Password:
    PK1

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    193.149.189.199
  • Port:
    21
  • Username:
    ins
  • Password:
    installer

Extracted

Family

lumma

C2

https://p3ar11fter.sbs

https://3xp3cts1aim.sbs

https://owner-vacat10n.sbs

https://peepburry828.sbs

https://p10tgrace.sbs

https://befall-sm0ker.sbs

https://librari-night.sbs

https://processhol.sbs

Extracted

Family

darkcomet

Botnet

Guest1690

C2

65.38.120.136:1690

Mutex

DC_MUTEX-F54S21D

Attributes
  • gencode

    U2oxviM8ZSYf

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbERIZjhRcm4yYVU5aVlxcW1mcUtqMUt4eUstQXxBQ3Jtc0tta25wUWE5T01ZWEFtaURraU1hengxcjRyVEZoWmVuS3dGZkJxMGJfQUlsanYzV1dKNmNTdllDZHFKdlRMdjVSV18zNGRpd0pXUXdOTnhmOWFqcG1GbXJIQXo4Y2ZwcXhjdVNNTWlXUFllZ25NMXB6VQ&q=https%3A%2F%2Fgithub.com%2FAmsterdamA1%2FAmsterdam%2Freleases%2Fdownload%2F2.0%2FSetup.Program.zip&v=nSi4avg7vM4

    Score
    10/10
    darkcometlummaguest1690credential_accessdiscoverypersistenceratspywarestealertrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

2
T1112

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks