Overview (score 10/10)
Static analysis (score 10/10)

Tasks (the score badge that trailed each entry has been re-attached to its own line):
Enigma32g.exe        windows10-2004-x64   score 3/10
daytjhasdawd.exe     windows10-2004-x64   score 10/10
ghdtawedtrgh.exe     windows10-2004-x64   score 10/10
hsefawdrthg.exe      windows10-2004-x64   score 10/10
hyfdaethfhfaed.exe   windows10-2004-x64   score 5/10
jdrgsotrti.exe       windows10-2004-x64   score 10/10
jgurtgjasdth.exe     windows10-2004-x64   score 10/10
mfcthased.exe        windows10-2004-x64   score 10/10
mnftyjkrgjsae.exe    windows10-2004-x64   score 10/10
mtbkkesfthae.exe     windows10-2004-x64   score 8/10
tyhkamwdmrg.exe      windows10-2004-x64   score 10/10
vovdawdrg.exe        windows10-2004-x64   score 10/10

General
Target: nov31.zip
Size: 10.1MB
Sample: 241202-aqjhwszkby
MD5: d5fa1f1431d0f94da2a9a15634ea064a
SHA1: 500c2282eccfe029168c66429ac2ba02f2aceeba
SHA256: 3b58086288fb427694947353bf1eec10e368bcf98cc3cb4c221e676d47c1d6ca
SHA512: 92c2d1b6ee5279e30b5a6f270f314fc42b7a41da575e05b644b5339ab8c6906f8c9cd45c282a7c1a53a4a373b76e16c55fdd637b48f6917c030a2d909afc24b6
SSDEEP: 196608:l+ln85kF5lPm+/qiP5L33bSd3d6XmFW6ioEZNA38WEKFsklY:l+ln85o3PXpTbST5xioie8KsklY
Behavioral tasks (all run on resource win10v2004-20241007-en):
behavioral1    Enigma32g.exe
behavioral2    daytjhasdawd.exe
behavioral3    ghdtawedtrgh.exe
behavioral4    hsefawdrthg.exe
behavioral5    hyfdaethfhfaed.exe
behavioral6    jdrgsotrti.exe
behavioral7    jgurtgjasdth.exe
behavioral8    mfcthased.exe
behavioral9    mnftyjkrgjsae.exe
behavioral10   mtbkkesfthae.exe
behavioral11   tyhkamwdmrg.exe
Malware Config
Extracted: stealc
  Botnet: Voov2
  C2: http://154.216.17.90
  url_path: /a48146f6763ef3af.php
Extracted: stealc
  Botnet: QQtalk1
  C2: http://154.216.17.90
  url_path: /a48146f6763ef3af.php
Extracted: lumma
  C2: https://ponintnykqwm.shop/api
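As an added example (not part of the sandbox report and not code from the Stealc or Lumma operators), the script below turns the extracted configs and the payload hashes from this report into something a responder can run against proxy logs and quarantined files. The C2 values and SHA256 digests are copied from the report; the proxy log lines are constructed for the demo, and the rule that flags any POST to a 16-hex-character `.php` path as Stealc-like is a heuristic assumption, not a finding of the report.

```python
"""IOC handling for the nov31.zip report: Stealc / Lumma C2s and payload hashes.

Added example, not part of the sandbox report. The C2 values and SHA256
digests are copied from the report; the proxy log lines are constructed for
the demo, and the "/<16 hex chars>.php" Stealc gate-path heuristic is an
assumption, not something the report states.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Extracted configs, as listed under "Malware Config" in the report.
C2_CONFIGS = [
    {"family": "stealc", "botnet": "Voov2", "c2": "http://154.216.17.90",
     "url_path": "/a48146f6763ef3af.php"},
    {"family": "stealc", "botnet": "QQtalk1", "c2": "http://154.216.17.90",
     "url_path": "/a48146f6763ef3af.php"},
    {"family": "lumma", "botnet": None, "c2": "https://ponintnykqwm.shop/api",
     "url_path": None},
]

# SHA256 of the payloads under "Targets" (Enigma32g.exe, scored 3/10, left out).
KNOWN_SHA256 = {
    "5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2": "stealc (daytjhasdawd.exe, vovdawdrg.exe)",
    "7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02": "stealc (jdrgsotrti.exe, mfcthased.exe)",
    "6024771adfff13a50785d4bca819c583db42a5671d86bc6ac517c3620d931259": "dcrat (ghdtawedtrgh.exe)",
    "35eeb2b70651a87b22403e74a1ffeb93fda4a91b6b3fa560fa419d0c52b6d42f": "lumma (jgurtgjasdth.exe)",
    "bfffe1926c7463a2f8dca190e700a5ff390cb028edfe1bb80491aaf706520123": "lumma (tyhkamwdmrg.exe)",
    "29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7": "parent-PID spoofing (hsefawdrthg.exe, mnftyjkrgjsae.exe)",
    "c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49": "geofence check (hyfdaethfhfaed.exe)",
    "88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254": "stealer behaviour, no family (mtbkkesfthae.exe)",
}

# Heuristic (assumption): the Stealc gate in this report is a 16-hex-char .php path.
STEALC_GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")

# Constructed proxy log lines in combined-log format; not from the report.
SAMPLE_PROXY_LOG = [
    '10.0.0.21 - - [02/Dec/2024:00:15:01 +0000] "POST http://154.216.17.90/a48146f6763ef3af.php HTTP/1.1" 200 512',
    '10.0.0.21 - - [02/Dec/2024:00:15:09 +0000] "POST https://ponintnykqwm.shop/api HTTP/1.1" 200 88',
    '10.0.0.33 - - [02/Dec/2024:00:16:40 +0000] "POST http://198.51.100.7/0123456789abcdef.php HTTP/1.1" 200 301',
    '10.0.0.33 - - [02/Dec/2024:00:17:02 +0000] "GET https://www.example.com/index.html HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/')


def c2_indicators(configs=C2_CONFIGS):
    """Return the distinct (host, normalised URL) pairs to hunt for.

    Stealc's url_path is appended to the C2 base; Lumma's /api path is
    already part of the C2 string, so it is used as-is.
    """
    pairs = set()
    for cfg in configs:
        parts = urlsplit(cfg["c2"])
        path = cfg["url_path"] or parts.path
        pairs.add((parts.hostname, f"{parts.scheme}://{parts.hostname}{path}"))
    return sorted(pairs)


def scan_proxy_log(lines, configs=C2_CONFIGS):
    """Classify each request: exact C2 URL, known C2 host, or gate-path heuristic."""
    indicators = c2_indicators(configs)
    hosts = {host for host, _ in indicators}
    urls = {url for _, url in indicators}
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        normalised = f"{parts.scheme}://{parts.hostname}{parts.path}"
        if normalised in urls:
            hits.append(("exact-c2", url))
        elif parts.hostname in hosts:
            hits.append(("c2-host", url))
        elif m.group("method") == "POST" and STEALC_GATE_RE.match(parts.path):
            hits.append(("stealc-gate-pattern", url))
    return hits


def classify_bytes(data, known=KNOWN_SHA256):
    """Hash a quarantined file's bytes and return (sha256, label or None)."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, known.get(digest)


if __name__ == "__main__":
    for kind, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{kind:22} {url}")
    print(classify_bytes(b"MZ\x90\x00 constructed bytes, not a real sample"))
```

The third log line is the reason for the heuristic tier: a new Stealc build pointed at a different host would miss the exact-URL and host sets, but the gate-path shape still flags it for triage. Keep that tier as a low-confidence hunt lead rather than a block rule, since nothing in the report proves every Stealc gate looks like this.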
Targets

Target: Enigma32g.exe
Score: 3/10
Size: 14.2MB
MD5: df891f7222feb3d251d3efa6b4c46b06
SHA1: af0a3da258ccef826fff4bb766b53cbbff6422d5
SHA256: 1cfcdce280b81e121d89cc219ecb6f1123089995706f097d4ba717e92f34b992
SHA512: 7a3049a8ec996e3bf2e33cf9035841b95be107307ce4af434c7d67c69f5ff37c4fb7295bb6b794a2587c9988d3fa517791e42532c48ec42320ace6d0851cf2bf
SSDEEP: 196608:0e7uMC7O/od6q1AOp2DpEQ5II53dMcalsCKjUvdr6DeL:0FMC7O/od68AOApfQ5iJk

Target: daytjhasdawd.exe
Size: 239KB
MD5: 3ba1890c7f004d7699a0822586f396a7
SHA1: f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256: 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512: 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d
SSDEEP: 3072:e1yu7KQnXARW09He9XRzD8xkMpC/SjZeEUaHlC8bsuaPJE8:e/Gmd0Z4QJsadeENlCNuKD
Signatures:
- Stealc family
- Downloads MZ/PE file
- Uses browser remote debugging (can be used to control the browser and steal sensitive information such as credentials and session cookies)
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files (steals credentials from unsecured files)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)

Target: ghdtawedtrgh.exe
Score: 10/10
Size: 889KB
MD5: ef75329efa1fa3cff64a2249e8b59306
SHA1: 90db5c089347c52e7aeddbe97a652b0dc622b840
SHA256: 6024771adfff13a50785d4bca819c583db42a5671d86bc6ac517c3620d931259
SHA512: 73cf385ce56147f4c7862ef90cda59c947408dc0bf82c9d0c4b503bb53266d62763c79759235ee20e07b6e36cb50c123facab185d099e397daf0574eb586302f
SSDEEP: 12288:kzw1NV5Il51mx6vEiss/VRqyAk9wiXPrQfkXmm1RhdLB9XirkVknCBz9eQFZz//q:kc8Xh/VAyAksEPLZj9H6t1
Signatures:
- DcRat: DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
- Dcrat family
- DCRat payload

Target: hsefawdrthg.exe
Score: 10/10
Size: 439KB
MD5: a06a7af02c4a932448ff3a172d620e13
SHA1: 82b29b616d9a717b4502d7a849f5c2e3029a2840
SHA256: 29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7
SHA512: 6a50a157289b821f5e134d4bff0307b0e11b3a981601363177b5c96d5bff5c0dc72e4f50b8327290a25d623994e5fe4a18f17ad334896c116590b4a412889e20
SSDEEP: 12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Xt9:+OS6IZ7QN/R8yoaG/d
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess (a child process created with an explicitly chosen parent, i.e. parent-PID spoofing, so the process tree shown to EDR does not reflect who really launched it)

Target: hyfdaethfhfaed.exe
Score: 5/10
Size: 135KB
MD5: bc48cb98d8f2dacca97a2eb72f4275cb
SHA1: cd3dd263fc37c8c7beb1393a654b400f2f531f1c
SHA256: c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49
SHA512: 7db6992278ca008e7aafa07eb198b046a125d23ca524f15d5302b137385dd4e40a4a54ce4dabb28710b71fbcfdd2d3315fb36e591edc2b3e1737b11b9ee45a5c
SSDEEP: 3072:1TGtOioVUSuLwYMdbQro39gSms+rkNgrQ8WZW:peoVU9JMdbQrbvtG
Signatures:
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)

Target: jdrgsotrti.exe
Size: 239KB
MD5: aeb9f8515554be0c7136e03045ee30ac
SHA1: 377be750381a4d9bda2208e392c6978ea3baf177
SHA256: 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512: d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4
SSDEEP: 3072:CLCrbK4vn4p+U1v+N3Bz1IJ8JEchyka7Z7LU/fQ2e20HMJ08:waGm1U5Y1ICJU117L+DeVqz
Signatures:
- Stealc family
- Downloads MZ/PE file
- Uses browser remote debugging (can be used to control the browser and steal sensitive information such as credentials and session cookies)
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files (steals credentials from unsecured files)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)

Target: jgurtgjasdth.exe
Size: 1.2MB
MD5: c4980749cfdb6b389814d446eb2b601d
SHA1: 1f2e4fef1888b7aefe1aff728a09943c7e1d804f
SHA256: 35eeb2b70651a87b22403e74a1ffeb93fda4a91b6b3fa560fa419d0c52b6d42f
SHA512: 26f32a2c596b0ea5a4788444f7a3e4b325e32d6eaf6b6a7be6f0b6b0faaf0f0c846120fc7a8b8194322eeac19b978a837928cd6b326322db2e4269867a6213e6
SSDEEP: 24576:5k7tmDNSNAOLZu1FNa1txdwepwVBkCh1qyUrczgXhOxB4dc+gPr:67g8UbWtxdzqVuCCQzgQadc+
Signatures:
- Lumma family
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the calling thread is hidden from any attached debugger)

Target: mfcthased.exe
Size: 239KB
MD5: aeb9f8515554be0c7136e03045ee30ac
SHA1: 377be750381a4d9bda2208e392c6978ea3baf177
SHA256: 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02
SHA512: d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4
SSDEEP: 3072:CLCrbK4vn4p+U1v+N3Bz1IJ8JEchyka7Z7LU/fQ2e20HMJ08:waGm1U5Y1ICJU117L+DeVqz
Note: identical hashes to jdrgsotrti.exe, so this is the same file under a different name.
Signatures:
- Stealc family
- Downloads MZ/PE file
- Uses browser remote debugging (can be used to control the browser and steal sensitive information such as credentials and session cookies)
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files (steals credentials from unsecured files)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)

Target: mnftyjkrgjsae.exe
Score: 10/10
Size: 439KB
MD5: a06a7af02c4a932448ff3a172d620e13
SHA1: 82b29b616d9a717b4502d7a849f5c2e3029a2840
SHA256: 29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7
SHA512: 6a50a157289b821f5e134d4bff0307b0e11b3a981601363177b5c96d5bff5c0dc72e4f50b8327290a25d623994e5fe4a18f17ad334896c116590b4a412889e20
SSDEEP: 12288:1O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/Xt9:+OS6IZ7QN/R8yoaG/d
Note: identical hashes to hsefawdrthg.exe, so this is the same file under a different name.
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess (a child process created with an explicitly chosen parent, i.e. parent-PID spoofing)

Target: mtbkkesfthae.exe
Score: 8/10
Size: 409KB
MD5: 774a8755eccb3ebd8463204e8cd60941
SHA1: d8ecf01619f49c805ce41a2317c1a4ca99cfb270
SHA256: 88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254
SHA512: d7a6f5e8259a48e7ca331233289c37f8d9769f31b6e6878f52c1b18d0eceaa4c5dd899562a0abeda29640fa88b76bc7b70a57d3d1752d80b979f617e600f1b0e
SSDEEP: 6144:zhk7s+AfJjoF3U5w81tLffIru6t1tztD675DoRK3L9YhZmdC/0fNFZH97ndaW9:P+UJjoF3U5w8rk8LeYPR97nQW
Signatures:
- Uses browser remote debugging (can be used to control the browser and steal sensitive information such as credentials and session cookies)
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Unsecured Credentials: Credentials In Files (steals credentials from unsecured files)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)

Target: tyhkamwdmrg.exe
Size: 1.2MB
MD5: 949249a7efcd8c6fd21bc9ffe9ecfdbb
SHA1: e335b63c7accfd306efb2cd83d3d669b915f6f15
SHA256: bfffe1926c7463a2f8dca190e700a5ff390cb028edfe1bb80491aaf706520123
SHA512: 309e94d267b55bfb58547a021a53bebfed612da42c5c8dfe55063ed40188c0535095c7a19e5c56adeca53b268ddaa7dbac38857abe1dadca146cc7e7c90cf7b6
SSDEEP: 24576:JjcQicewyhMtgqWxjY5w0u94YFrHzNgV+RoSrzFVdTEjAi7xyfPw:VZizH+OTx4w0erHzNgV+o4z7GB
Signatures:
- Lumma family
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the calling thread is hidden from any attached debugger)

Target: vovdawdrg.exe
Size: 239KB
MD5: 3ba1890c7f004d7699a0822586f396a7
SHA1: f33b0cb0b9ad3675928f4b8988672dd25f79b7a8
SHA256: 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2
SHA512: 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d
SSDEEP: 3072:e1yu7KQnXARW09He9XRzD8xkMpC/SjZeEUaHlC8bsuaPJE8:e/Gmd0Z4QJsadeENlCNuKD
Note: identical hashes to daytjhasdawd.exe, so this is the same file under a different name.
Signatures:
- Stealc family
- Downloads MZ/PE file
- Uses browser remote debugging (can be used to control the browser and steal sensitive information such as credentials and session cookies)
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files (steals credentials from unsecured files)
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system (looks up Uninstall key entries in the registry to enumerate software on the system)

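The recurring signatures above ("Uses browser remote debugging", "Checks installed software on the system", "Checks computer location settings", "Accesses cryptocurrency files/wallets") are what the sandbox inferred from the samples' API activity. A Chromium browser started with a remote-debugging switch exposes the DevTools protocol, through which a local process can pull cookies and session data without touching the on-disk cookie database, which is why that signature lands under Steal Web Session Cookie in the ATT&CK mapping. As an added example (not part of the report, and not the sandbox's own signature code), here is detection logic for those four behaviours run over a small set of constructed API-trace-style events. The registry keys (the Uninstall key, Control Panel\International\Geo) and the wallet locations are assumptions about where such checks look, not values the report records; the pids, paths and event order are invented.

```python
"""Detection logic for the stealer behaviours named by the report's signatures.

Added example, not part of the sandbox report. Events are constructed in a
generic API-trace style ({"pid", "image", "api", "arg"}) to stand in for
sandbox or EDR telemetry. The registry keys and wallet paths are assumptions
about where these checks usually look, not values recorded in the report.
"""
import re
from collections import defaultdict

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)", re.IGNORECASE)

# Installed-software inventory keys (assumption). A match only counts when the
# Uninstall key itself is opened, not one vendor's subkey beneath it.
UNINSTALL_KEYS = (
    r"software\microsoft\windows\currentversion\uninstall",
    r"software\wow6432node\microsoft\windows\currentversion\uninstall",
)
# The configured country (GeoID) lives under this key (assumption).
GEO_KEY = r"control panel\international\geo"
# Sample wallet locations (assumption), lowercase for matching.
WALLET_MARKERS = (
    r"\exodus\exodus.wallet", r"\electrum\wallets", r"\ethereum\keystore",
    r"\bitcoin\wallet.dat", r"\atomic\local storage\leveldb",
)

DROPPER = r"C:\Users\victim\AppData\Local\Temp\daytjhasdawd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events; pids, paths and order are invented for the demo.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": DROPPER, "api": "CreateProcessW",
     "arg": f'"{CHROME}" --headless --remote-debugging-port=9222 '
            r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    {"pid": 4120, "image": DROPPER, "api": "RegOpenKeyExW",
     "arg": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4120, "image": DROPPER, "api": "RegQueryValueExW",
     "arg": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 4120, "image": DROPPER, "api": "NtCreateFile",
     "arg": r"C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    # Benign look-alikes: a normal browser start and an updater reading its own entry.
    {"pid": 5008, "image": r"C:\Windows\explorer.exe", "api": "CreateProcessW",
     "arg": f'"{CHROME}" --profile-directory=Default'},
    {"pid": 6116, "image": r"C:\Program Files\VendorX\updater.exe", "api": "RegOpenKeyExW",
     "arg": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VendorX"},
]


def _exe_name(cmdline):
    """Executable name (lowercase) from a quoted or bare command line."""
    m = re.match(r'\s*"?(.+?\.exe)"?(\s|$)', cmdline, re.IGNORECASE)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def browser_remote_debugging(events):
    """A Chromium browser launched with a DevTools remote-debugging switch."""
    return [e for e in events if e["api"] == "CreateProcessW"
            and _exe_name(e["arg"]) in CHROMIUM_BROWSERS
            and REMOTE_DEBUG_RE.search(e["arg"])]


def software_enumeration(events):
    """The Uninstall key itself is opened (whole-inventory read, not one product)."""
    return [e for e in events if e["api"].startswith("Reg")
            and any(e["arg"].lower().rstrip("\\").endswith(k) for k in UNINSTALL_KEYS)]


def geofence_check(events):
    """Registry access under the International\\Geo key (country lookup)."""
    return [e for e in events if e["api"].startswith("Reg") and GEO_KEY in e["arg"].lower()]


def wallet_access(events):
    """File open on a known wallet data location."""
    return [e for e in events if e["api"] in ("NtCreateFile", "NtOpenFile", "CreateFileW")
            and any(marker in e["arg"].lower() for marker in WALLET_MARKERS)]


DETECTORS = {
    "browser_remote_debugging": browser_remote_debugging,
    "checks_installed_software": software_enumeration,
    "checks_computer_location": geofence_check,
    "accesses_crypto_wallets": wallet_access,
}


def score_processes(events):
    """Map pid -> sorted names of the signatures that fired for it."""
    hits = defaultdict(set)
    for name, detector in DETECTORS.items():
        for e in detector(events):
            hits[e["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


if __name__ == "__main__":
    for pid, names in score_processes(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
```

Two choices matter for the false-positive rate: the Uninstall rule fires only when the key itself is opened, so an updater reading its own `Uninstall\VendorX` entry stays quiet, and the browser rule keys on the remote-debugging switch rather than on headless mode alone, since automation and test tooling start headless browsers legitimately. On a real host the same logic maps onto Sysmon event ID 1 for the process launch; the registry reads and file opens need an API-level source such as a sandbox trace or EDR file/registry telemetry.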
MITRE ATT&CK Enterprise v15 (number of matching tasks in parentheses)
Credential Access:
- Credentials from Password Stores, T1555 (1)
  - Credentials from Web Browsers, T1555.003 (1)
- Modify Authentication Process, T1556 (1)
- Steal Web Session Cookie, T1539 (1)
- Unsecured Credentials, T1552 (4)
  - Credentials In Files, T1552.001 (4)