General

  • Target

    r12d12.space_b.txt.ps1.ps1

  • Size

    1KB

  • Sample

    241207-a4pxtswqfz

  • MD5

    35c92f4cd446344a166cbf83dbf0ff15

  • SHA1

    e06f98c2f5f82eab44226937d5ce29600f407dcf

  • SHA256

    8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

  • SHA512

    63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://impend-differ.biz/api
    https://print-vexer.biz/api
    https://dare-curbys.biz/api
    https://covery-mover.biz/api
    https://formy-spill.biz/api
    https://dwell-exclaim.biz/api
    https://zinc-sneark.biz/api
    https://se-blurry.biz/api

Extracted

  • Family

    remcos

  • Botnet

    Crypt04

  • C2

    185.208.158.161:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    crashhandlerinfo

  • mouse_option

    false

  • mutex

    Rmc-F12W9O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

  • Family

    lumma

  • C2

    https://se-blurry.biz/api
    https://zinc-sneark.biz/api

Targets

    • Target

      r12d12.space_b.txt.ps1.ps1

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Parallax family

    • ParallaxRat

      ParallaxRat is a multipurpose RAT written in MASM.

    • ParallaxRat payload

      Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
