General

  • Target

    inv.zip

  • Size

    32.9MB

  • Sample

    241130-z4lb3szmar

  • MD5

    395df612211bd2ab91e4b5ed7cd8aaab

  • SHA1

    26da38e651426bf17c9c634e168fbd3c67536e46

  • SHA256

    12ca4ad8cd613c8d086cd39a5c6e787c12209f2271ba850817b72eae3cd559da

  • SHA512

    5a8e583a5f9009ea6a7469ac85ffb3c74650f9fbf468464829ccad8c19350efa2e522cd21f6d58769f04104fe78cac582a3eb1044505b28b54e7f5690e66e7b8

  • SSDEEP

    786432:yf1JKtsiYULst2jeCweXzj4x0kJD04lQsccAp2i8NdgpkEB2MSg7b7nnxzmFlwJn:U7iYULSMeCpzoL7TGpMdguEQW7b7nnx9

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

45.136.51.217:2222

45.136.51.217:5173

Mutex

d1mBeqcqGummV1rEKw

Attributes
  • encryption_key

    h9j7M9986eVjQwMbjacZ

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Extracted

Family

meduza

C2

62.60.217.159

62.60.244.198

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    xss

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    1.048576e+06

  • port

    15666

  • self_destruct

    true

Extracted

Family

stealc

Botnet

Voov1

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

vidar

Version

11.8

Botnet

0174ec9d0ab5d3dd4d0bbe7415cfa10c

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

amadey

Version

5.04

Botnet

a66537

C2

http://89.110.69.103

http://94.156.177.33

Attributes
  • install_dir

    a121af5f66

  • install_file

    Gxtuum.exe

  • strings_key

    09dbfb77de24d28905cfed05aeef2129

  • url_paths

    /Lv2D7fGdopb/index.php

    /b9kdj3s3C0/index.php

rc4.plain

Extracted

Family

vidar

Version

11.8

Botnet

41d35cbb974bc2d1287dcd4381b4a2a8

C2

https://t.me/fu4chmo

https://steamcommunity.com/profiles/76561199802540894

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

amadey

Version

5.04

Botnet

e8c9ce

C2

http://89.110.69.103

http://94.156.177.33

Attributes
  • install_dir

    bfe2cd46d6

  • install_file

    Gxtuum.exe

  • strings_key

    0e6c50aa38bbb0a80ecad7e6fa3b2c11

  • url_paths

    /Lv2D7fGdopb/index.php

    /b9kdj3s3C0/index.php

rc4.plain

Extracted

Family

lumma

C2


Extracted

Family

lumma

C2

https://voter-screnn.cyou/api

https://infect-crackle.cyou/api

Targets

    • Target

      InstalIŠµr-x86/TTDesktop18.exe

    • Size

      26.0MB

    • MD5

      13eb2bb3303156d695ecf3f2b2c09eb7

    • SHA1

      db1f2877681d02201c6c9d71d8c52a872c3612b9

    • SHA256

      8680e9ff0246c2b7cd4a45a9c6262851ce8d12e4638e48cb1baec267c2b6ea6b

    • SHA512

      6f44a7f1612f0eb4843c1e0de757a03f53d2b14e7aa8b7f983c2ca9baf0701d30f129edeab9c889655840782a1289fb4d0bf0699223e3c584afdaa4ee5172172

    • SSDEEP

      192:0qgaiJUFTQcHVPtAXjJ9vT2O3yP8B50LOZdBcmCEJXVWwTnkVOvQu:57zFEcH769vT2OCkB50LknnVTnkVUQ

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      TT18.exe

    • Size

      12KB

    • MD5

      ceb5022b92f0429137dc0fb67371e901

    • SHA1

      999932b537591401dfa1a74df00dae99264bd994

    • SHA256

      8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b

    • SHA512

      a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8

    • SSDEEP

      192:knUbCDQoJq4Hb0jPuiJddudb7Z+XX1cNIQKXy+AFtaffEOsSRMWSVP1W58:kg3MGWimFNIQKX4Fgf8OxRBSVU

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      TTDesktop18.exe

    • Size

      13KB

    • MD5

      22bded153b8c1ec4b1d1b45e0467f7c6

    • SHA1

      1c8825442a455da9ffa0fd56e0e2848dfa58bf2c

    • SHA256

      f07f39ca504a15d670eecad52c272ed5cdc4025fede61cd910d7da2a55d1d052

    • SHA512

      f6022cbf7120e1771e7ba992bcd59ba5f8f68507d91c10c997a3186766547ea0632347facfdec667c3bde261748eb93ee8df35c71600fd7c459539f629b408bb

    • SSDEEP

      192:0qgaiJUFTQcHVPtAXjJ9vT2O3yP8B50LOZdBcmCEJXVWwTnkVOvQu:57zFEcH769vT2OCkB50LknnVTnkVUQ

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      TikTokDesktop18.exe

    • Size

      17.9MB

    • MD5

      81f6b6fe3201c3941bd49243c5896811

    • SHA1

      8bd0d5bb78255fc9f2dcf70fde14dba16c66551c

    • SHA256

      fa4f1c0b324654420f8758b8ab1d7e0db22f0eacbff0d2e14413ed904ca54aaf

    • SHA512

      f3d22c84fb70a2c851f533037b74c45248b9074aa3042371672c89c3ee5229bbdbbc193e54840adbc5f17672430fbbc0b94dd12c8014f3a3ec93fece24e54d4f

    • SSDEEP

      393216:7bbTRUBXu2+WlsaxtBXu2+WlsaxtBXu2+WlsaxtBXu2+Wlsax:7PKBX4mtfBX4mtfBX4mtfBX4mt

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      adjthjawdth.exe

    • Size

      888KB

    • MD5

      28aaa8f0b29a96138fd597975a16c5d4

    • SHA1

      b0ea5394610d089ab5248631a4c0f6666f79ffcd

    • SHA256

      2516d63aa8aef58d6f0a4e330bd87209872b0ff21a17cff5201a2d4783c5bfab

    • SHA512

      7feafb633d698a96d81fae7069ebc2492caa253ade2106a645353096e7855e9cf33a69307f71f253ebbb5b957abab0de608860cc5efb7a2196720c269f8c231d

    • SSDEEP

      12288:wAl1WPQtkQNQ6yMs/Ua+iXPrQfkXmm1RhdLB9XirkVknCBz9eQFZz//qK4oV4g50:wwFp5yMs/UFEPLZj956t1

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

    • Target

      bxftjhksaef.exe

    • Size

      1.2MB

    • MD5

      7794f39bc5aea95efa5f31bbfd7ad201

    • SHA1

      c57745b835d4cd92460b5db142b0ad19d81c2e49

    • SHA256

      f025eabd6a3067f32685443139c8cf74a3f51a0b7ab6d50fb83ef8c200bfe418

    • SHA512

      5bbd74f85e0d31a3dfcd0167baf5ed3b384b90f116faae3f4a1fe3e89da86f94db48c0ce27e205e3a9c929087ab090d5042a35ce7bbee82b3effa10ffd47b457

    • SSDEEP

      24576:2+U47TU+cy7heu0luv4xV0dgodqD354a8jMjmPWkty:2+xTU+cy7/Iuv4n1D6j4m3y

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      cli.exe

    • Size

      6KB

    • MD5

      0d575c1cd0678e2263466cccc21d8e24

    • SHA1

      fe81c9e15f89e654bd36a1c9194802621b66b6a9

    • SHA256

      25c9cb817af524069805b3dcedf2df562a232fa54ad925f21863ed6a2d13094c

    • SHA512

      f762a8112b630a8a81f8d9fcc1d279b34ad1a994d3bd7c202b6791a59be769e709ef9d3a7ea2be0de4a6971aa802ed831f07027f8fd1743612227a6617b77e35

    • SSDEEP

      96:cnVYW2fP62ZkorMzivz29ZwhMTNzV1cdbqBzNt:cs62ZkaKW29Zwhu5V1ew

    Score
    3/10
    • Target

      dujkgsf.exe

    • Size

      135KB

    • MD5

      bc48cb98d8f2dacca97a2eb72f4275cb

    • SHA1

      cd3dd263fc37c8c7beb1393a654b400f2f531f1c

    • SHA256

      c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49

    • SHA512

      7db6992278ca008e7aafa07eb198b046a125d23ca524f15d5302b137385dd4e40a4a54ce4dabb28710b71fbcfdd2d3315fb36e591edc2b3e1737b11b9ee45a5c

    • SSDEEP

      3072:1TGtOioVUSuLwYMdbQro39gSms+rkNgrQ8WZW:peoVU9JMdbQrbvtG

    Score
    5/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      fdaerghawd.exe

    • Size

      29KB

    • MD5

      3ace4cb9af0f0a2788212b3ec9dd4a4e

    • SHA1

      2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb

    • SHA256

      121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e

    • SHA512

      76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56

    • SSDEEP

      384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Target

      fkydjyhjadg.exe

    • Size

      1.2MB

    • MD5

      b2c8bf8a5797d9ee73c205e27cfdbbfb

    • SHA1

      da8b2fa38e7c0fef5d13cef94f0028b75e05e8ab

    • SHA256

      784bcd0555e5e1ab25b212f28bd84b64eac99270afb0a73fb4cd92fb737d6c7f

    • SHA512

      aa5d2bdb1d00faf877502c35ef5716c5ccfde18c26deebd7436e246b9a82069fd8834b8b8c24adfdf5bf89385c214b49ec4c5d6021f6ac72b0d8b998ad223ec2

    • SSDEEP

      24576:kMnfGPxgVa9CaVmOqF3x3UtfwDwxOD9xD5CDRQ7jb52OGxu:kMfGPxgOVpo3xcbc9B5CDRQ7jb50u

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      fsyjawdr.exe

    • Size

      1.2MB

    • MD5

      75fd2eb14bbf23564f73e2898036d772

    • SHA1

      e29a3b16797552eda08e4407404754d104a7893d

    • SHA256

      d65c30e0a68cb621e9ee353783c6c5083456fb3b7e632a05fa75921af51a3d2c

    • SHA512

      c0506b3d97f5108435cab7ec731923b1f7fbbde95ec72096a91c6ed1d6123c3708297a885de76b0dcbb4f8b0e1a3bda06b9fbb948f7fa98a1e3318b76851109e

    • SSDEEP

      24576:MDTeKIvhz+9fER1gQjlozUCst7S24bJ+c2QJCnrFJz4RAZ/EDLkKYu4Q1jap4C:wqrv5+6Rrl3Jt7SdD2QJghJzwAZ/eLk7

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      gjawedrtg.exe

    • Size

      1.2MB

    • MD5

      2608d0b5f67ee059ea327017ce8d631e

    • SHA1

      f9721bab8a76eac88792365e964d2fa374d3af33

    • SHA256

      5dc1453281984e87ef8b36a4989f9d4a1780e6b8b55fc9ca874eab8c17102aa6

    • SHA512

      d0a0c15a91eb627d7a9b83e5e7009ca4a3968e669c4b109833fb6282c0d09f993c692a8fd7cb9a2ab6eb968fadce6d9c09d1f0515fd7a691040a7295199c08b0

    • SSDEEP

      24576:zbQDcoV2a2sSRopPPOuOL9rZOVrOS+YMYSJur1opg4AwR:gAk2aJGuOViyzYRrm6d0

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      hfaewdth.exe

    • Size

      439KB

    • MD5

      189d79010a66f95b134f694f5954a13a

    • SHA1

      7ef33639d077373ab4cc73923d705596e1d28af7

    • SHA256

      0909cf95903c9f07651f4361b8e929c53a62162f6eaaeb11b0dd70eaef2c2784

    • SHA512

      243aa57bb92cfeeffc6f645dffb20ff2df04e63d4f9816962cf64ff43e77dec7a50a9952a53b93eaf0f43944434bafb61255d19d67fb29a1012c92dd3692ea3f

    • SSDEEP

      12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Ht9:+OS6IZ7QN/R8yoaG/N

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      jgesfyhjsefa.exe

    • Size

      288KB

    • MD5

      26e2495c2fa61cf0dadf028726236ad4

    • SHA1

      de0da2ea7ce65724faedd3f8239c8559000a293f

    • SHA256

      b19963afaca6cfb8252041c70bdeda48b029ac9be3411a61342490c48a472583

    • SHA512

      7e66a4eb948a0f4be858d694a62a215cfe2b3215d6506d816cb8e09895731dd3f80222e030922f73a48b4d86525a4d7b680d40c7023886af3940b9eec07aa0fa

    • SSDEEP

      6144:h7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkHn:xlJtTF9zVGkllbkH

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      jhnykawfkth.exe

    • Size

      2.0MB

    • MD5

      d3435ebfc26894fe8b895267ca8712b4

    • SHA1

      60bcea02905c09e691043d05837e4942b8c4ae25

    • SHA256

      9bb3c3efac7be81d22c386057fe49041d7e7ef3da1974ecb987cc83eae8da103

    • SHA512

      8e884c0dcb76ca08c9674fb430b89e1bb9a3f999ac2c0078d2cefedfe72283d3249c5b9851064449294f8e39096f95c760d4c991238ed6338bb9409394872849

    • SSDEEP

      49152:kqKuOKE3tn7J8ZsN0zZQQI0qnX9eztpls0uNYe:k3nX4lnuT

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      kfhtksfesek.exe

    • Size

      1.2MB

    • MD5

      690dbcea5902a1613cee46995be65909

    • SHA1

      deda345046ddfc3d93cc15582e509ebb98bc7206

    • SHA256

      7adb9bc755c82a599359ba8c3a61f1dd99d80ae2501b2bc63cbb6f8580cbee11

    • SHA512

      1b9745341570d1fb8d304b5b69f63119c6c6149a06aa30caad4d61b66102ebfc37824c24b7aa0ff057a1c0d725651459fc3487691c46646c555d317a3229057f

    • SSDEEP

      24576:7NxCRFQpyjvMsyQTjZgui2kxa1BSOvyWyIO6TCjoN8R93hI5Q1Ejp5lRrMN:RIFQiRdTjStmcWyIO6+UNKI5Q1EjZRA

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      kohjaekdfth.exe

    • Size

      1.1MB

    • MD5

      4992863093cb396628acfb86b56af1e6

    • SHA1

      4f61861be36c992e420dd387997322130ba2164d

    • SHA256

      c4fcb04af557153060abc9488b017c3875074dcda7a84c59a18cee798e95ef56

    • SHA512

      d6dd52bdd607837ba685ee672410db23d3cc0a1de2a01ef5ad46e55401e205ac14795591fb03e3deb330a93c1a587d6e4d5a065a42d7b2da5ad069ae60cae8fc

    • SSDEEP

      24576:kMcsnSHziAtR/JTSje9XB0Jh0lhSMXl5jRxIKy9a:kM/nSHN7/Aj0XB0QpjfIKy9a

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      krgawdtyjawd.exe

    • Size

      239KB

    • MD5

      d4a8ad6479e437edc9771c114a1dc3ac

    • SHA1

      6e6970fdcefd428dfe7fbd08c3923f69e21e7105

    • SHA256

      a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b

    • SHA512

      de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

    • SSDEEP

      3072:bLCrbK4vn4p+U1v+N3Bz1IJ8JEchyka7Z7LU/fJdgJMJ08:faGm1U5Y1ICJU117L+JdIqz

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Downloads MZ/PE file

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      kthkksefd.exe

    • Size

      2.0MB

    • MD5

      463c27805e5dd59d239cf448abdb0b1d

    • SHA1

      6a55fc0c6062b77a09826233f6e8eee92685ed88

    • SHA256

      d0299b999009b5700af1cdddb60c7dd59981455b0517be4a173816e0fbc1e88d

    • SHA512

      2ac662b3d398f16ff611b2dc3682c4b0e62936cbe8f3da148e10df4208d692cf2456281c4bc71a7d5683f39a09f55fdbf747258338990647050955b87e5fa884

    • SSDEEP

      49152:eWluOKJkZt0J4Nsf0wZXeFaQ4ELmCdkwVcmqEuuLf5:enELrVcUuy

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      kyhjasehs.exe

    • Size

      1.8MB

    • MD5

      4f964ada28fa2dde5c75d3c3682e69c4

    • SHA1

      481a0ddc3dfd39147abf684b60b6a0b1dfbbc341

    • SHA256

      7b0699fb946ce952624a3d5807839fb1a0613993270aca8227f35001b790b945

    • SHA512

      ab07c9602776dc062599a89eed9d38be2c95f563a9ed9c906e6c1066f80e5666f119c5a790a120bf626a73edd3cc178924262d41c0f65eb20fcf3b542a83dc68

    • SSDEEP

      24576:cWrCg/r+6/5OZr1A+KnhQaPNcHxIpjgqJ6t1:XrC7G5g0gq

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      kyjjrfgjjsedf.exe

    • Size

      1.2MB

    • MD5

      1116fff8184babad604586db7f460113

    • SHA1

      8522674ce11b8b8d78e6fd47541e2a357e170bf7

    • SHA256

      31b47f686dea1e9d175d2a868eeab79e9bbd99d97e22b94203451b545f16139e

    • SHA512

      aa9242f78f5f8e2789f679e304e2a7d70f64e795247c1706efafa57e4572e580d593628c48fc04221823b80f95e462bfb9b0d5179f7101233b13d93fbf51d8f8

    • SSDEEP

      24576:i8wnXXnncHLI8JQpn0s9MjemJ5lx1w6Qh0lhSMXl52HTOd:/MXXncHLIJ0s+egDx+6lpSTa

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      lfcdgbuksf.exe

    • Size

      1.6MB

    • MD5

      8c6e4c86c216b898f24ff14b417c4369

    • SHA1

      266e7d01ba11cd7914451c798199596f4d2f7b53

    • SHA256

      858fff104da670b640eff2a93b7fa4b794ae554c30a409864d00f3b7ecc1e09f

    • SHA512

      3f6416bf0b7989b522d399e151cc755783b9b7afe9cde559f8207fad6c043e24f85b22c3a583329e1620e862c7824249c536209b6be5e093a2b580c2fc52f660

    • SSDEEP

      24576:o2a0H/WPj+rsO6AOhaDxL/aySUYj79FcPX6t1:va0SKsOP1L/KzEP

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      lkyhjksefa.exe

    • Size

      1.2MB

    • MD5

      0844b5ba505c4c86733c017eb2014648

    • SHA1

      1eaa9c33ee8bc1e541a0a2566d6bc990bfbde825

    • SHA256

      c5bba04cd1c49270dff46e068c8cf64e1c87927d3bdb0e40a219d3be28f7538c

    • SHA512

      967dcf26e8a4a8dd20fc33ed4c051a6c514fbbe03c4efd30a381985a1f074b0b71bc8f95bc1f10fa75f46bced9a84ccf40a2b524f91e3a44b84a531be5d475d4

    • SSDEEP

      24576:X5XVS8oyzeho+1BgYOk7I+wiL1amnPB5JZmEpMHfjRp7/QvOlU:plSRyz4p1GWIKLgEPBTYEKH1N/QvIU

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      lyjdfjthawd.exe

    • Size

      275KB

    • MD5

      81a8c700d5bdd648c2848050da4edc4b

    • SHA1

      61e9ee541aac8aea077daedd1f31497b0bec2ab4

    • SHA256

      d7e8ecfbb9b6b70ac2314516226c94a32ccaba6c31aa4da4a52fa07c2cf22cd4

    • SHA512

      473b51e3bf9bb2c787db00b574d28306f209e9f6828b8e36b67b0fea81ec5fe303a4298accff51ee058ea7542049aa33950e9951fa33f248ab3799b826050087

    • SSDEEP

      6144:Ch0ZpFC4sffny7TuLBdZlT4DIJYdy3I8ioyrN:Ch0ZpFCfB3TGyYy3ziBZ

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      nbothjkd.exe

    • Size

      288KB

    • MD5

      42f1ecb6f9e2f73bb66e84e5f8ca4fb4

    • SHA1

      51aa8b14ec657171aab0dd13fb87c8e915073d08

    • SHA256

      2a700406a42a06541dfee93faa1079b51c7a899e3cffcbc31390473852d7e5cc

    • SHA512

      207162c793e58d702f9474cdfbc4738eaec2e23ad66636a706ad7f8de4f82ae136dc884d5c6f9acb35f3370c8402bd9e3d5572063def33d469b2398e0ac4c398

    • SSDEEP

      6144:l7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkFn:9lJtTF9zVGkllbkZ

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar family

    • Quasar payload

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      nhbjsekfkjtyhja.exe

    • Size

      439KB

    • MD5

      0ac7141c8f11c2b537ec0a4227be8eb4

    • SHA1

      bc0f4aed623106c56e6b1c26863ab7ba4938373e

    • SHA256

      642a7f341146d4b2a5381186ec636a8e0ce7ccc16bb730be331e51d6e65f4db3

    • SHA512

      3a207e91e3b4180c2ef6492b39e303428c8ea1944ceb254eaa76417742b2db64fa51dc9bbcc4bb5337445f1d90fa0c0c13174f84153fdf3e4df916971e1655ba

    • SSDEEP

      12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/rt9:+OS6IZ7QN/R8yoaG/Z

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Target

      nothjgdwa.exe

    • Size

      429KB

    • MD5

      108530f51d914a0a842bd9dc66838636

    • SHA1

      806ca71de679d73560722f5cb036bd07241660e3

    • SHA256

      20ad93fa1ed6b5a682d8a4c8ba681f566597689d6ea943c2605412b233f0a538

    • SHA512

      8e1cdc49b57715b34642a55ee7a3b0cfa603e9a905d5a2a0108a7b2e3d682faec51c69b844a03088f2f4a50a7bf27feb3aabd9733853d9fb4b2ee4419261d05b

    • SSDEEP

      12288:vjZnv5oukMkCB+N2DLNtFPMGk0Oj74LC:TkMzHBMH0Ob

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      nthnaedltg.exe

    • Size

      275KB

    • MD5

      0a7b3454fdad8431bd3523648c915665

    • SHA1

      800a97a7c1a92a92cac76afc1fe5349895ee5287

    • SHA256

      baf217d7bb8f3a86856def6891638318a94ed5d7082149d4dd4cb755d90d86ce

    • SHA512

      020e45eaeee083d6739155d9a821ab54dd07f1320b8efb73871ee5d29188122fdbb7d39b34a8b3694a8b0c08ae1801ec370e40ff8d837c9190a72905f26baff9

    • SSDEEP

      6144:vh0ZpFC4sffny7TuLBdZlT4DIJYdy3g8ioyrN:vh0ZpFCfB3TGyYy3biBZ

    • Detect Vidar Stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      pghsefyjhsef.exe

    • Size

      429KB

    • MD5

      e21a937337ce24864bb9ca1b866c4b6e

    • SHA1

      3fdfacb32c866f5684bceaab35cea6725f76182f

    • SHA256

      55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70

    • SHA512

      9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

    • SSDEEP

      12288:IjZnv5oukMkCB+N2DLNtFPMGk0Oj75LC:ekMzHBMH0OA

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      pyjnkasedf.exe

    • Size

      409KB

    • MD5

      3a94ac80a1bbe958b6544874f311be69

    • SHA1

      bc6352ee84bed107a4b30b545934698c4e664baf

    • SHA256

      1839ee5c3534ad1a6929c9de33bce63cf6f96cce1ae3dc8240f4cf352250db0f

    • SHA512

      f31d93889251ec2c6581107a7a0122be63d5f7b8253403736d38f1d2ffa2cb693e30a205ceb36b823265fd58bb2854cc44064988110daf3fe1c8ea02e7d2227c

    • SSDEEP

      6144:zhk7s+AfJjoF3U5w81tLffIru6t1tztD675DoRK3L9YhZmdC/0fNSZH97ndaW9:P+UJjoF3U5w8rk8LeYcR97nQW

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, office, voov1, stealer, 0174ec9d0ab5d3dd4d0bbe7415cfa10c, a66537, 41d35cbb974bc2d1287dcd4381b4a2a8, e8c9ce, dcrat, quasar, meduza, stealc, vidar, amadey
Score
10/10

behavioral1

stealc, vidar, 41d35cbb974bc2d1287dcd4381b4a2a8, discovery, execution, stealer
Score
10/10

behavioral2

stealc, vidar, 41d35cbb974bc2d1287dcd4381b4a2a8, discovery, execution, stealer
Score
10/10

behavioral3

stealc, vidar, 41d35cbb974bc2d1287dcd4381b4a2a8, discovery, execution, stealer
Score
10/10

behavioral4

stealc, vidar, 41d35cbb974bc2d1287dcd4381b4a2a8, discovery, execution, stealer
Score
10/10

behavioral5

dcrat, infostealer, rat
Score
10/10

behavioral6

lumma, discovery, stealer
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
5/10

behavioral9

discovery
Score
7/10

behavioral10

lumma, discovery, stealer
Score
10/10

behavioral11

lumma, discovery, stealer
Score
10/10

behavioral12

lumma, discovery, stealer
Score
10/10

behavioral13

discovery
Score
10/10

behavioral14

quasar, office, discovery, spyware, trojan
Score
10/10

behavioral15

meduza, collection, discovery, spyware, stealer
Score
10/10

behavioral16

lumma, discovery, stealer
Score
10/10

behavioral17

collection, discovery, spyware, stealer
Score
7/10

behavioral18

stealc, voov1, credential_access, discovery, spyware, stealer
Score
10/10

behavioral19

meduza, collection, discovery, spyware, stealer
Score
10/10

behavioral20

dcrat, infostealer, persistence, rat, spyware, stealer
Score
10/10

behavioral21

collection, discovery, spyware, stealer
Score
7/10

behavioral22

dcrat, infostealer, rat
Score
10/10

behavioral23

lumma, discovery, stealer
Score
10/10

behavioral24

stealc, vidar, 0174ec9d0ab5d3dd4d0bbe7415cfa10c, discovery, stealer
Score
10/10

behavioral25

quasar, office, discovery, spyware, trojan
Score
10/10

behavioral26

discovery
Score
10/10

behavioral27

discovery
Score
7/10

behavioral28

stealc, vidar, 41d35cbb974bc2d1287dcd4381b4a2a8, discovery, stealer
Score
10/10

behavioral29

lumma, discovery, stealer
Score
10/10

behavioral30

credential_access, discovery, spyware, stealer
Score
8/10