Overview

overview

10

Static

static

3

2025-03-30...om.exe

windows7-x64

7

2025-03-30...om.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom

  • Size

    3.9MB

  • Sample

    250330-rrve8azzg1

  • MD5

    5adcf9918838e95aa439ddcc4217c8e1

  • SHA1

    8ae5c3de8cb1e9788bdd2a09e840b31348cd76c0

  • SHA256

    636e55648c9d3fc08bc814e01765f34e71db576aef5397e16e6498d3a7ee7f7e

  • SHA512

    cc48b85171edd62861f4eca49980e9353e8f0a65fdcec9f34928ce8f7e1bfbef932c28cdbcf2aa1f0c53490affd6d87c1fb5d7a62cb29e02fd924e797db15352

  • SSDEEP

    98304:zziZpcTIjmxUPjRJjPmEriDJbg5ajTd806/x/rMsr:zzqGMfeEmDJM5andZ6J/Asr

Score
10/10
cryptbotlummadefense_evasiondiscoverypersistencespywarestealer

Malware Config

Extracted

Family

lumma

C2

https://starjetv.run/GPazo

https://koreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

Extracted

Family

cryptbot

C2

http://home.sixbb6mn.top/jTNyqiIkTqrjLPexvdad174

Targets

    • Target

      2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom

    • Size

      3.9MB

    • MD5

      5adcf9918838e95aa439ddcc4217c8e1

    • SHA1

      8ae5c3de8cb1e9788bdd2a09e840b31348cd76c0

    • SHA256

      636e55648c9d3fc08bc814e01765f34e71db576aef5397e16e6498d3a7ee7f7e

    • SHA512

      cc48b85171edd62861f4eca49980e9353e8f0a65fdcec9f34928ce8f7e1bfbef932c28cdbcf2aa1f0c53490affd6d87c1fb5d7a62cb29e02fd924e797db15352

    • SSDEEP

      98304:zziZpcTIjmxUPjRJjPmEriDJbg5ajTd806/x/rMsr:zzqGMfeEmDJM5andZ6J/Asr

    Score
    10/10
    discoverycryptbotlummadefense_evasionpersistencespywarestealer

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Cryptbot family

      cryptbot

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Modifies visiblity of hidden/system files in Explorer

      defense_evasion

    • Enumerates VirtualBox registry keys

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks