lumma | 2421fc56eee932322e7168ca988c6d63c8bb74440f900661fc859403196e64d2

Sharing

Copy URL

Twitter E-mail

General

Target

piponis-main.zip
Size

20.1MB
Sample

250212-zy471axrhm
MD5

edb7bf0fe43ba408d8a30edc54905d05
SHA1

0db3639ee27556302c52db0d254a31b86750bae9
SHA256

2421fc56eee932322e7168ca988c6d63c8bb74440f900661fc859403196e64d2
SHA512

9ef02207b87ae41eba482ef4aaebc60de201ca988c166c28a9fd3a67cf150f600348f3c1975d4232dda09328eed588bf6e8baaadbfdc949b6c88c0452a595817
SSDEEP

393216:sPZDBS5mfrgeNk/eYSks2L/cLoxh0zb9qX6epIakv+8THdFUH7vF1KzhvvEgLnSU:S1SI0eSe4BL0zxqXrpIaXAHdeH7vmzh1

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

xworm

193.233.113.143:7777

Attributes

Install_directory
%AppData%
install_file
NVIDIA Web Helper.exe
telegram
https://api.telegram.org/bot7601194772:AAF0YEs0H7jvhy6INvzsb36sFxrYz96gaLY/sendMessage?chat_id=1919987045

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchoost.exe
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

match-os.gl.at.ply.gg:42116

so-pad.gl.at.ply.gg:42116

sony-duties.gl.at.ply.gg:42116

Mutex

SNCqJ3poiGCPQYK0

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

lumma

https://dgazzlingdecor.cyou/api

https://kitestarepatt.click/api

Targets

- Target
  
  piponis-main/bdorjfusiejf.exe
- Size
  
  1.2MB
- MD5
  
  827b47b504359721ae370087ce106e48
- SHA1
  
  51fe484246dd8e55090e83b050b4590ce32afca1
- SHA256
  
  764aeaf8455c2e540f80ff925378f27b29496ef7f6cdcb33601239d860adf07c
- SHA512
  
  814f2e40da98b9004e8b0b62928be31f8febe2d58f3144386cee0504ac63602b90a88ab6903d710f48a6c5e42f04fb17d62057424db2f5f2f6e6b6e631164e17
- SSDEEP
  
  24576:fBkzrlRdC7MHoy3F1bnirbMIlyhsZC8xXJzd/BWBf4f9GHN:fGz4AHoEvOrbMIPISJzd5AGG
Score

8^/10

discovery
- Downloads MZ/PE file
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  piponis-main/bffgjingfr.exe
- Size
  
  1.2MB
- MD5
  
  34f0b37dd6049612720b5c35f6504f7b
- SHA1
  
  ac48624dffc781d53471f100388bea34c9112c43
- SHA256
  
  fc99aed0e4ffc0b3cd6c19d796fdb45323173f92a2561332ad229f2050a6c75e
- SHA512
  
  324ad2105b049c71c6196fa24b856b77f1eefc763b02066db08e8d349c8f490c290c62a55242122f3c230ad68af47a5d25ec7ee3424a6b1f83ca25f200f4dd6c
- SSDEEP
  
  24576:xbPoaRmCfpVA3rZ6fCctBkI/sA2O0YKmF1st07XBfQhQo+2:xbxmCHA3rZ4Cg7iO0o7BfQij
Score

8^/10

defense_evasion discovery persistence spyware stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  piponis-main/bioldgefsawe.exe
- Size
  
  2.8MB
- MD5
  
  64b7d7b5bf9a966e05abf7e854c2de74
- SHA1
  
  fc240bae5ceacd311998a31ed4813c74843e4c3a
- SHA256
  
  6097541bcc818c58c43fe8da4d4fdc0dd08edf2004d577cf675950cb373c590b
- SHA512
  
  4d766b0cc6da9bebdc6a065646bffd34978ed13f3f66df2d07db3bc8b352c223e97c94c09341a86045b6c613cdaea426dfc4941cfe183d51aa5c87c1786f7c15
- SSDEEP
  
  49152:7NbA33U78SQQ5A6+G+IcaZdNVK9xJC+OTQC717ebN2UyJMsxvJ80YCs7DGYp0:7JA33U4SQmvvFcaZdq9CcCcgUhsdJMCv
Score

8^/10

adware defense_evasion discovery execution persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  piponis-main/cjitigjfktti.exe
- Size
  
  1.2MB
- MD5
  
  9a25f9aa3d34d382fbfe05cef7196267
- SHA1
  
  da9d0b66ee501c0edd8c9b8b6068ac850bfdbc13
- SHA256
  
  87f7f0f88767ea5c3958920bf813536dac8c1ee3cc3afc75674324dc305ceb30
- SHA512
  
  6ffb1a985540b74466d0a97c24ef1c2a7ea55d82f1dabe9c94fe74fc49108a3a2b6b3ed979455292b4a4b8b4af5f385855de7798faa189c90030a7f9ad01017c
- SSDEEP
  
  24576:dQ6GlFOMrb3hUXASW/gFMK9y7g/i/l9dVfD8RaCPEvrcNAUyQhI8Tsm7ZEght7I/:jG+MReW/aMK9Eei/l9DiagvOUyQpwMSb
Score

8^/10

defense_evasion discovery persistence spyware stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral4
- Target
  
  piponis-main/cjrimgid.exe
- Size
  
  120KB
- MD5
  
  807dadd8710a7b570ed237fd7cd1aa4b
- SHA1
  
  d0e3a3a2b73bb2f3374a58914c8e35034ed5744d
- SHA256
  
  7e18ae103ce6fd596459cf0d5fc49832cdbd19a5780b0f2db934c2b649bc2080
- SHA512
  
  2270262a8bfe23ce2fac23e7208113be2fec093c3edd7aec456df6738cb19c02d5955c33d64df766154967d28a32947368bb2efaa6ec742031db07bce470d7f6
- SSDEEP
  
  3072:FEFRh0auCcJVwDjwzTC2SCn/FtVQenIuxIGWsnRR9pLTfKvXFD:W3h0aMJ+Hw3Pgen79/CvV
Score

10^/10

vidar credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5
- Target
  
  piponis-main/dirificoskejcivke.exe
- Size
  
  1.2MB
- MD5
  
  9cae8bd4f5d3ff65e016a29ea4216517
- SHA1
  
  cbea9ce4d90065f040eb24dd0914b703f903c4f4
- SHA256
  
  65babd32307b6ab12ac27ff6355d55d37c059f21df0401f0963a91111ad009b4
- SHA512
  
  1199eec350dd5de6972908e02740748ba58a5136980d2d493ffd084fcea961e47ce9d5ca19cb186934c6ac2db68172b453b0207c1c451bb3df1c028f87b8be45
- SSDEEP
  
  24576:Nm3SRQe6S2faLBphtgrC9KVoYzvjBsVTvJcRVpSHV+Ee7sCE:xQe6S2fyfMrUKVoYz7BsVT0SHVNe7s9
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral6
- Target
  
  piponis-main/girpwkfuejs.exe
- Size
  
  212KB
- MD5
  
  3bb795264a7175510c8c9ef53ababd30
- SHA1
  
  e940eac94bce50f020ffdfde60db22aff1af430d
- SHA256
  
  64d001c2df7421b40626778242c0e1d9b4da485ad2c6cf5a1bd15ef1efbc7b9d
- SHA512
  
  57afb6b3c0ba1eb76366b92de8407f980ef724ada908eaf2bc7b4c821d30986394f7962b180ad02fbe951d10f2a8ca2f8f544cda824d10cfabb307ee688b57ae
- SSDEEP
  
  3072:v78wc7PUb81Q/H+1HpO0III+tO/HapEMqZ:jW7PUbhewf+8/eEB
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7
- Target
  
  piponis-main/heifjejrs.exe
- Size
  
  5.2MB
- MD5
  
  6f163d9cd94d4a58ad722301cf9847d0
- SHA1
  
  ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981
- SHA256
  
  827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11
- SHA512
  
  5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67
- SSDEEP
  
  98304:u2748RDvvoNBl+rDPmV92kxuIW3TnT5ZaJuF4jZ7c5kLctQO74jEr2OPSvayLXZD:r481vvIqO7bwBkJuF4jZ45kL5gKvLJjv
Score

10^/10

xmrig defense_evasion discovery execution miner persistence upx
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Stops running service(s)
  defense_evasion execution
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  piponis-main/horrxjddub.exe
- Size
  
  107KB
- MD5
  
  9034080ecb301060a2a69519198c3211
- SHA1
  
  6c504419d9f1085aefee87ade0300fdd59e5c66a
- SHA256
  
  4b25fa167392d8e4365d2f3c787db1c974ccb8fd13d2ad1099b69db1f62c03f7
- SHA512
  
  f69967ec3dd0009f5950397a979a2eb4a52a11c62799d89c33abf05c4dfa8542e9c9b3a43a66a631a235f6728522ba373fd15227097d28cc887705474cd75428
- SSDEEP
  
  3072:g+RZk7QEyRiBaIOWQ7sR9bGpxReUbpMD:fRZk7DZ8u9bY
Score

10^/10

stormkitty discovery stealer
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Downloads MZ/PE file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral9
- Target
  
  piponis-main/jrirkfiweid.exe
- Size
  
  120KB
- MD5
  
  2049c2a57cf70a27ed25d1a851d55bc3
- SHA1
  
  9c9e8b6de275da500da89ce2fe5e1867b14b22e3
- SHA256
  
  07734e9f8689ed74c903c78daa0c429129e20a11fa72460e558fb94618219bc7
- SHA512
  
  4dafd6ce83eb30b4ae8d91a774a52109e6f869ad98f82ffd30c9368b33fd3cdbad5bbcdbb18078c020b206a654a8d77595cec699d523e5ee7f4f978668563bcf
- SSDEEP
  
  3072:FEFRh0auCcJVwDjwzTC2SCn/FtVQenIuxIGWsnRR9pLTfQvXFD:W3h0aMJ+Hw3Pgen79/YvV
Score

10^/10

vidar credential_access discovery spyware stealer
- Detect Vidar Stealer
  stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral10
- Target
  
  piponis-main/jtunuhhrr.exe
- Size
  
  29KB
- MD5
  
  3ace4cb9af0f0a2788212b3ec9dd4a4e
- SHA1
  
  2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb
- SHA256
  
  121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e
- SHA512
  
  76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56
- SSDEEP
  
  384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17
Score

8^/10

discovery
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral11
- Target
  
  piponis-main/ltohjksef.exe
- Size
  
  1.2MB
- MD5
  
  d52a100e13740fcba59d39de72dc87b4
- SHA1
  
  9b28120634fe64cc1eaa7e35ace400bf31c8a0cc
- SHA256
  
  e42e988a47f4f684249bc8e1e370a32fc53831929adc86b7b1d45fbd3de7fb9a
- SHA512
  
  b687ef3164366fff6227170ee2a021acc47532dbb7c072000dca579b724dbe34cb6e22cd8d6d7092faf439f4f8b810b306f6710e50f057367b3ae8d88576cdd0
- SSDEEP
  
  24576:+W4KagHjk0jB4GrZ1CcjiFM2m/BBvKBvOrRe3zFuFozqd:+W4KjZjrZgAien/BBvKBvO9kQFo+d
Score

7^/10

discovery spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral12
- Target
  
  piponis-main/mkthooesfja.exe
- Size
  
  1.2MB
- MD5
  
  d934e572b7078873439fc889dc55fd27
- SHA1
  
  5ea76ae117452a0bb48e6f186ecd2f5b0f7ec813
- SHA256
  
  a4ef2b2fb82a9cd793ad679208b1d5c3f174ec798674972372ee894c3f403259
- SHA512
  
  2f64414a8c700acdf260a3a980cf134d38fce1681ff59b240a04a25901676a2e19ed1ce14d50c45d05875327f46abfc977dfeff98b215e73c1a2a7f04828a7ef
- SSDEEP
  
  24576:gvSzZ3KleKNsbw0ScNZLHEb4eCk2pGZuNHgR8eZkds/h16WVJW:gvIZKlT0SKkb4eC/kZAeBZXH
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  piponis-main/mmytljldrgl.exe
- Size
  
  3.1MB
- MD5
  
  766e053d13e4f6750e8f694efb00fad0
- SHA1
  
  2a0e1ca7711795dfe50231d03ab7d0349014df5e
- SHA256
  
  0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281
- SHA512
  
  3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f
- SSDEEP
  
  49152:jvyt62XlaSFNWPjljiFa2RoUYIMcOhyvJo3oGdFTHHB72eh2NT:jva62XlaSFNWPjljiFXRoUYIWhR
Score

10^/10

quasar githubyt discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Downloads MZ/PE file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral14
- Target
  
  piponis-main/mnyksdrfkesa.exe
- Size
  
  1.2MB
- MD5
  
  ac049a7ec076fa12e5a9b043347d710e
- SHA1
  
  b6a268c34df52193ce2210b259874a9d02107ae0
- SHA256
  
  e406e93ec8af26625658a327a03426343273687ad62c219bdc71d21e8ef5882a
- SHA512
  
  1f9f88c92a9332e087e7dac0bb1de2566a9ebced46b714f7a369f3e2c6b38a3ed269a2afe96aecf1bd297fa9ed94d33ba0f97e1ee9d908ebd5f524faf2824f74
- SSDEEP
  
  24576:qasP8TvOTUK4XMGNHuKQmURf9iPMJWvBr:qasPNUzjN/QHWPMU
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15
- Target
  
  piponis-main/niyjkdrfseth.exe
- Size
  
  1.2MB
- MD5
  
  dca314b9b8c6107e711ea233d1e78507
- SHA1
  
  f65318efdf56e4bbf8208dd6b6593abb2deba052
- SHA256
  
  719a14f950dbf12b1099c161b0fa33fe283ce27895ccaa114a608f45dfb78f59
- SHA512
  
  84eb8ffdf710a414bbd70650330b26b71bf7e628b8449be3538405f50a6cae2c8909da4c97c9bc936fe20d15601f1bc4e246dccc62fb5ef7053e07473421e37f
- SSDEEP
  
  24576:8Lwl1M/eyyBz4ZG5G2PE/VbVgc3CVBbOldLYRmnA8EMni648YDca0dxyAmHfU:q2fyyBUkGeEHnCV4Tgp8EWS8YDcauWH8
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral16
- Target
  
  piponis-main/nohtysefhas.exe
- Size
  
  1.2MB
- MD5
  
  ee557313d3e7bfb9e93f44bd539cecfc
- SHA1
  
  36c3b6f82fcbef92cb9756bf63e1a31352d90e0c
- SHA256
  
  9a6c0a1042387f0dee0fca3547edf63970d161cda195af2f93288d0b8798ce26
- SHA512
  
  bcec911b235d35db1f3ca1211a548f75c24738701a6e0056c976c4118926f5e2ef5406a1891e6f06f6a011b0701684d42df15d6293535e5617f171b1312da51f
- SSDEEP
  
  24576:SEhUBATAu7lel/UZPszo5EKhwr+rFzfIhbXegxkSMJA3dDu4:SEhUGSUZUU5EfRugxIJA84
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17
- Target
  
  piponis-main/ogprjsirbfuw.exe
- Size
  
  37KB
- MD5
  
  2f0e35af8216efda756f9bd78b83fa9c
- SHA1
  
  13284d7c82ad82a48b287b272c230e42f29ca67b
- SHA256
  
  dbeb81045a194ea8581a7465335899502e134de9c10269c430520387fe4504de
- SHA512
  
  e1fee2e478d9b11f9c338efa50374edc98f982151707e586e6dbb473b931fb1c77994631f64ae55afb13ab09ef852ca70ea0059c8adbb1eb7272d68b97c22864
- SSDEEP
  
  768:mtskca1j+QnknuXU4tXFyS9Oa9kz6COjhNb0gAxy:m1cYvkuXUMFT9HO6COjcgAA
Score

10^/10

xworm discovery rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Downloads MZ/PE file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral18
- Target
  
  piponis-main/oiuyjikdkjg.exe
- Size
  
  105KB
- MD5
  
  b56db4ebf7110c1083550ed83a03df17
- SHA1
  
  258b171956d961a628efa6433f8cb3f629a346fc
- SHA256
  
  2d6863a49648f59642f53236790f35a63df119facda1d98549025b3a8ddac2fb
- SHA512
  
  f94d231f631a55a14130b7c8d9f5c1fd314b0b07029dc28146677f65aac99055e860b5744231b119fb06d0d582db59d4d73716c79f087d4fa455955a77ba4580
- SSDEEP
  
  3072:Nf8EPS+zRAw/+g1vE6BOC+8kipo4ombLT:KJ+zRAw/tE6BO34v
Score

1^/10
behavioral19
- Target
  
  piponis-main/opyjjsefjk.exe
- Size
  
  1.2MB
- MD5
  
  05aafcdb5abf5cd43a9a6f44ac13e248
- SHA1
  
  e5e95826ae7605d64b6b1eea3634bbe36ee340d8
- SHA256
  
  805a3ab3f08df04143c8e7fdc4dd879064c24b539828d05d72cdb91176fb8d55
- SHA512
  
  b0d12f0b8d39f7c1d610cab987ad117863372292cbe5b8a701135ea37688dc3d361f863a026264ad0904d0c0d1c11c9e3b51e362bd768b5fdd371735ba883b75
- SSDEEP
  
  24576:nxk7ShoY/L5jNEKKYGgTwvxGrjHp/HahxvlAmLxy+f+1IPYuO7qW+v8mNav8+MsW:nxMf68FYGO4UjJ/HajvlJLw2g7qWQ8C1
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Downloads MZ/PE file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral20
- Target
  
  piponis-main/plrifjidicfid.exe
- Size
  
  105KB
- MD5
  
  b56db4ebf7110c1083550ed83a03df17
- SHA1
  
  258b171956d961a628efa6433f8cb3f629a346fc
- SHA256
  
  2d6863a49648f59642f53236790f35a63df119facda1d98549025b3a8ddac2fb
- SHA512
  
  f94d231f631a55a14130b7c8d9f5c1fd314b0b07029dc28146677f65aac99055e860b5744231b119fb06d0d582db59d4d73716c79f087d4fa455955a77ba4580
- SSDEEP
  
  3072:Nf8EPS+zRAw/+g1vE6BOC+8kipo4ombLT:KJ+zRAw/tE6BO34v
Score

8^/10

discovery
- Downloads MZ/PE file
behavioral21
- Target
  
  piponis-main/pyjhiksfasewf.exe
- Size
  
  29KB
- MD5
  
  3ace4cb9af0f0a2788212b3ec9dd4a4e
- SHA1
  
  2914bd74b5553f5f4dbd5f7b23bc00d04a2c77cb
- SHA256
  
  121bfcb759e561bca3f63777498646c80d030a92dac5a27c7c9cc8f5581e672e
- SHA512
  
  76ecc354b1fb5bf93f18bbe9f85401ef40e0826f7eea73a0cb5afda5d69ec384a459c07b6cc2386176888978d2dbb9bac9360e249114c59799de0984bbba5c56
- SSDEEP
  
  384:EhEy+hzv91UqVY8+JppEhKe+Ej7sI4GSFdX9NAb/QX22r5A/w/o0el7xI:IEy+hT91UqVY8+XpEh6CMs7gx/o17
Score

8^/10

discovery
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral22
- Target
  
  piponis-main/riroiciend.exe
- Size
  
  28KB
- MD5
  
  753175a2a378c1448b5e6946d2421599
- SHA1
  
  1a856255b7868a050cebc02845e4af6acb3912ef
- SHA256
  
  2a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280
- SHA512
  
  07e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3
- SSDEEP
  
  384:5R6ZTtyvqNUfWhppEvKevF8j0I4GSFdjUNAb2xaSEdKIT4Iqel7xI:5gxyvqNUufpEvLCshK4WID7
Score

8^/10

discovery
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral23