Overview

overview

10

Static

static

10

deljack-ma...wr.exe

windows10-ltsc_2021-x64

10

deljack-ma...oo.exe

windows10-ltsc_2021-x64

10

deljack-ma...dd.exe

windows10-ltsc_2021-x64

10

deljack-ma...df.exe

windows10-ltsc_2021-x64

10

deljack-ma...da.exe

windows10-ltsc_2021-x64

10

deljack-ma...pp.exe

windows10-ltsc_2021-x64

8

deljack-ma...aa.exe

windows10-ltsc_2021-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    deljack-main.zip

  • Size

    9.1MB

  • Sample

    250328-rv1fmsxtds

  • MD5

    fb613cf4f7bfe72be993178d4ac119d2

  • SHA1

    08a71bef9fe9b789b0c91390935ee02eae5d4467

  • SHA256

    cc74a3ab905dae3a6be45c73f5691de1ccd8237a3e103b16dfd24227a9a8f8ba

  • SHA512

    09fbcbf2cdee7c1e0f67595928fc947a037a2dcce64bdb94621fb1bd0e6042d68f8eaae8b4b896e1e991958ea611db2647ba9cd0119b2d9de7c6c98a32835027

  • SSDEEP

    196608:TD54pMVe+fK1OVha7yCpuk1nsiRIEON2fjJ23H3N9AqsTno:v5Pe+fZ+ukxBlg39+TTo

Score
10/10
lummavidarxmrig886e3178ef0cef21a6ff7125395660f2credential_accessdefense_evasiondiscoveryexecutionminerpersistencespywarestealerupx

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

886e3178ef0cef21a6ff7125395660f2

C2

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

C2

https://advennture.top/GKsiio

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://targett.top/dsANGt

https://8smeltingt.run/giiaus

https://ferromny.digital/gwpd

https://tripperxe.live/LSLkao

https://aoreheatq.live/gsopp

https://smeltingt.run/giiaus

https://xzaxistechw.live/GOaOAp

https://ftargett.top/dsANGt

https://axistechw.live/GOaOAp

https://eoreheatq.live/gsopp

https://m9advennture.top/GKsiio

https://-targett.top/dsANGt

Targets

    • Target

      deljack-main/brityjaldjthjawr.exe

    • Size

      1.3MB

    • MD5

      76cda2fc84b8ef590b020fffb3c3c8b4

    • SHA1

      56e0056893aef76fedf37440b22da5a156fda426

    • SHA256

      6b1d1a19c6c43e2a3fd4fd9ea74edf7f57b889ddf70d66ab8bb028af33f14bfa

    • SHA512

      4a1804b7cafbe6334a31c2bf1024fe3505f7f6c96ac5a0a21c48715f7597dd78ad4b7d4baf8afbef5597988fd6b72f91e24b3482672a57c3c58fdfb2f6f81a1d

    • SSDEEP

      24576:0iqxfRCNMIAMb4W9Gdz5drGMR03gGM4xsWjADUgjcQXWm8:jfJABW9GdVlGMogwMXjDXl8

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      deljack-main/bvnrfiseooo.exe

    • Size

      1.3MB

    • MD5

      6c0a58860101f0fe49d2cebbb48b4a2d

    • SHA1

      abd205c27b8826c1b0465d0253b3cddc7f44f848

    • SHA256

      6a4188c8517890210a357a427264d5f451f416150e2c9a772e5884709fcd1bdf

    • SHA512

      b36696bb36394ec869c26d2a537b262001ce0fc6b71dc9dc19bf96566e24f3abd5a33351eadd2711b09013a176f3c564080f269a9da05bbc2f7d6e40edf5bc78

    • SSDEEP

      24576:KbGt6QOlobhDf0JmHcaKAoMIDF160mZTbwcVyIfgAWW9:7trOGloinoMsF160mZrVDfd

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral2

    • Target

      deljack-main/gfdthawdddd.exe

    • Size

      5.1MB

    • MD5

      cb1ab881df77d5e59c9cd71a042489dd

    • SHA1

      948c65951d6f888dacb567d9938bb21492d82097

    • SHA256

      23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

    • SHA512

      84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

    • SSDEEP

      98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd

    Score
    10/10
    xmrigdefense_evasionexecutionminerpersistenceupx

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      defense_evasionexecution

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3

    • Target

      deljack-main/lcnbktiaiortaaewdf.exe

    • Size

      1.2MB

    • MD5

      08e5b38dd017597e0d3ad36366d60c91

    • SHA1

      e0a89d3f785e858348c17c7d12cb4e0a0de8e1b4

    • SHA256

      8ad7d3398953f2badce1a7bc40900e18303f0e42f43c543355caead37aeaa930

    • SHA512

      a153aa4c35d0c7660874063cd87b7adbbf307018b23e1772889056e14402354f9082b6b29c469de9c640bcdc7588f7e1cf0f2e365e09a7ec482741be85273c6e

    • SSDEEP

      24576:fgUHYbdZjayfYBvx4lgr8dzINVEkg5ozw1nPum6qtzLr7xkoVKZyFlJwZ:fgU4bdVPYNmqr6zGEkMzhu3q5LrW34Fr

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral4

    • Target

      deljack-main/mnboeplalda.exe

    • Size

      1.2MB

    • MD5

      39e60bb5a88e48e64f5be20f42a67f3c

    • SHA1

      6bb7001491c140f7635b1a42b6e4c90a06fd7290

    • SHA256

      b4d67fe310716191996f65c78eff2594c23dd1bbb076ad22be9c3513179c78a6

    • SHA512

      246211d42b96f236be4a114873f539a6d0f663bbfae2638516104e8ad05b0fb0bbfb1a849f5670a18932652320e36a7eba445e88d150ddb4a1c53f9078e9ab21

    • SSDEEP

      24576:kfqSVbjBtN5U6qxs5Hm2I0wVzFHsH3YQFBTjymQEVVMwkR9q9S:kd1BtGIHm2I0KFYY4I909S

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5

    • Target

      deljack-main/nbotpasppp.exe

    • Size

      137KB

    • MD5

      e08490aaa588933433f6b7d3ffbae613

    • SHA1

      2b4d7cf90e3e9b41f070194bc6dd811ef60014d4

    • SHA256

      0476c1b47571e408cdaeae24a30e481fc0955989e64791e505f7de6d391c1048

    • SHA512

      8c67fd88a91314594137dc50a4e81deb96ffb093469cc6b04ca3c4b7e62e6f41b3dd40c47924937fbca202144958068e6c4d0b258ec4469b7f536bb37142f7c9

    • SSDEEP

      3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QZqu:KH8RuRLlzgUd6a/AslZqu

    Score
    8/10
    credential_accessdiscoveryspywarestealer

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral6

    • Target

      deljack-main/tkskfaaa.exe

    • Size

      27KB

    • MD5

      2ff8e057084b5c180e9b447e08d2d747

    • SHA1

      92b35c1b8f72c18dd3e945743cb93e8531d73e2b

    • SHA256

      accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

    • SHA512

      7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

    • SSDEEP

      384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Modify Authentication Process

1
T1556

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Modify Authentication Process

1
T1556

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

5
T1552

Credentials In Files

5
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks