General

  • Target

    b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0.zip

  • Size

    130KB

  • Sample

    241222-grhrbawqax

  • MD5

    7341d5f29f668cee8b576b2ce60fdf68

  • SHA1

    922be2df23f9c2133a575a4d4ccd86223883ade5

  • SHA256

    b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0

  • SHA512

    708b5378a49f73602a10e7f2084b6edea4327f76e6b11649e4a11e4dd29743b852b0b8deef9d0d8d8a0a962c463e813f30bf22a81ffc510c3955cdf3fb1df676

  • SSDEEP

    3072:Df1BDZ0kVB67Duw9AMcbbBBFAjrYEOnEjbWicBGIgPjzgw0XIu0I/2jAT:D9X0G3yjrkJiUgPH/ubXT

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    193.149.189.199
  • Port:
    21
  • Username:
    LUM
  • Password:
    159753

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    193.149.189.199
  • Port:
    21
  • Username:
    ins
  • Password:
    installer

Extracted

Family

lumma

Extracted

Family

darkcomet

Botnet

Guest1690

C2

65.38.120.136:1690

Mutex

DC_MUTEX-F54S21D

Attributes

  • gencode

    U2oxviM8ZSYf

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Targets

    • Target

      b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0.zip

    • Size

      130KB

    • MD5

      7341d5f29f668cee8b576b2ce60fdf68

    • SHA1

      922be2df23f9c2133a575a4d4ccd86223883ade5

    • SHA256

      b0cce111400d44468c36721e44d0bd661b795d49d017e1b4dbe0b4d0d79669a0

    • SHA512

      708b5378a49f73602a10e7f2084b6edea4327f76e6b11649e4a11e4dd29743b852b0b8deef9d0d8d8a0a962c463e813f30bf22a81ffc510c3955cdf3fb1df676

    • SSDEEP

      3072:Df1BDZ0kVB67Duw9AMcbbBBFAjrYEOnEjbWicBGIgPjzgw0XIu0I/2jAT:D9X0G3yjrkJiUgPH/ubXT

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Detect Vidar Stealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/InetLoad.dll

    • Size

      18KB

    • MD5

      994669c5737b25c26642c94180e92fa2

    • SHA1

      d8a1836914a446b0e06881ce1be8631554adafde

    • SHA256

      bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

    • SHA512

      d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

    • SSDEEP

      384:nUOPTbiJmdztwwKq8W1cyMjPzV0Ac9k+LMkIX1+Gn+XHdjf:nTikliwKq8W1rMjPzz+f

    Score
    3/10
    • Target

      $PLUGINSDIR/ZipDLL.dll

    • Size

      163KB

    • MD5

      2dc35ddcabcb2b24919b9afae4ec3091

    • SHA1

      9eeed33c3abc656353a7ebd1c66af38cccadd939

    • SHA256

      6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

    • SHA512

      0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

    • SSDEEP

      3072:8CkSJJ30k1pn2T4ISnUGN+E8KnCOxA17jxLmRtWHyPDQFllOdJiSg:tkSJy+c30UxbKnA1hLKWSVdk

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks
