Overview

overview

10

Static

static

1

8bab4ba000...39.ps1

windows7-x64

8

8bab4ba000...39.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.zip

  • Size

    1KB

  • Sample

    241220-d6schsykdy

  • MD5

    35c92f4cd446344a166cbf83dbf0ff15

  • SHA1

    e06f98c2f5f82eab44226937d5ce29600f407dcf

  • SHA256

    8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

  • SHA512

    63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score
10/10
lummaparallaxremcoscrypt04discoveryexecutionratspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

remcos

Botnet

Crypt04

C2

185.208.158.161:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    crashhandlerinfo

  • mouse_option

    false

  • mutex

    Rmc-F12W9O

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.zip

    • Size

      1KB

    • MD5

      35c92f4cd446344a166cbf83dbf0ff15

    • SHA1

      e06f98c2f5f82eab44226937d5ce29600f407dcf

    • SHA256

      8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

    • SHA512

      63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

    Score
    10/10
    executionlummaparallaxremcoscrypt04discoveryratspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Parallax family

      parallax

    • ParallaxRat

      ParallaxRat is a multipurpose RAT written in MASM.

      ratparallax

    • ParallaxRat payload

      Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks