Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
30/03/2025, 14:26
General
-
Target
2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe
-
Size
3.9MB
-
MD5
5adcf9918838e95aa439ddcc4217c8e1
-
SHA1
8ae5c3de8cb1e9788bdd2a09e840b31348cd76c0
-
SHA256
636e55648c9d3fc08bc814e01765f34e71db576aef5397e16e6498d3a7ee7f7e
-
SHA512
cc48b85171edd62861f4eca49980e9353e8f0a65fdcec9f34928ce8f7e1bfbef932c28cdbcf2aa1f0c53490affd6d87c1fb5d7a62cb29e02fd924e797db15352
-
SSDEEP
98304:zziZpcTIjmxUPjRJjPmEriDJbg5ajTd806/x/rMsr:zzqGMfeEmDJM5andZ6J/Asr
Malware Config
Extracted
lumma
https://starjetv.run/GPazo
https://koreheatq.live/gsopp
https://castmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
Extracted
cryptbot
http://home.sixbb6mn.top/jTNyqiIkTqrjLPexvdad174
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Embeds OpenSSL 2 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 45 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-30_5adcf9918838e95aa439ddcc4217c8e1_black-basta_cobalt-strike_satacom.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\rarsfx0\1.exec:\users\admin\appdata\local\temp\rarsfx0\1.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\rarsfx0\2.exec:\users\admin\appdata\local\temp\rarsfx0\2.exe3⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe RO2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.6MB
MD5eb502f0caf957979b4e3869af946e28e
SHA1037e9b80fa676e9014b59b718d63e463830748ab
SHA25654ab97093c98aafabba05ea42dfb861c5429570e2d17ffe3af0497dfbc1c6e7d
SHA51213346d638b9c521b6759b7208652f5e40c27285eca45c648077877c64f43db93dcef019c874c543f9446bab7172ac6774266c577e9629da309f2097a24fe513b
-
Filesize
9.5MB
MD59a4946e4e8e43a04b1a274ee46daabfe
SHA14c2f1001cb9618647b5195f84f6b04b476a73d06
SHA25629ff18a22cee6d7d5e5b502f18b525c318722145e099ee69c7e9337b8292b76f
SHA51239ef028c4f3cab001566f23e057ca0812fe232eee7120fc782505eda880fac3700faa6cb9411f0d16bdaba7d53dc52ac5049c261171775ba97461ce2e343303e
-
Filesize
135KB
MD54848a64aa5ba4d6133eac19148e8d9df
SHA141d296670967444974cccc740cf89d6729d58362
SHA256568bf8699197c83ead67ff16eb57ab78de6b61b38cf9d18ef3222880ee23dc67
SHA51276a82777e9b3b6df86127de69e032cec62201cd016b67f05238ee8b158cb2b35028b97da2bb51f17c168cb90bdd376a54b596e9cc45b4679ca3f654d7514cffb
-
Filesize
135KB
MD532934efd882389859edec5ec83e00b77
SHA17b20566031a7226f70f5c40c9168a988a2e86976
SHA256410f8aa97aea1104624e8e312d103087439e3273ae23c934e8132bd3ce16ca83
SHA512adc807ccf6c20d17f73c21d2f32497d65ebf05784f2b64c487695d9b6afbfd3137fbd64ec475c361932eeedb092f91e5a2952cfd83d83f1c55feb8444d400b4c
-
Filesize
135KB
MD5df5e724d42c606ad50b7bf829e67633c
SHA121f195be03e4951c8b2471085a88440378dd4f50
SHA256b624ea5b24c87b1546091a28b13c0b1cb1500e9259edaa9d26721972374c015f
SHA5124711f312cbd21e0f6455d6c68e2c8d320e8f30797bdc162ee51e352b4801d6735e75abe600b34b447aefd98374504302029ebf3780b42d3367f1933525020c1c
-
Filesize
135KB
MD522281d961ad4d58c1f3d1e5a68e79a6f
SHA19dce23c71590f83fa00124053750b09a5cf2447b
SHA256f0f7028b2316959e7f75447184454a072c09efcff12912b095160e1d2c5a223c
SHA512d30513c762b5edbcac5862d8a1cbb15e14dc240ca1d73be2098255f3894bcc5a19684a6a8e6e1b8ebc6b193958f7a5d85bc3d8a28dc75e6aeb1e0744320e37e2
-
Filesize
135KB
MD509f03649c913fc91b3aee8f08cdf8491
SHA109ac0a2f7ac3bbdc5c9353fc321a1791f7e42292
SHA256ac4292061f748386c00f4755ba24c2fc590c760db0350b192ad4a65515d2b882
SHA512515243d34656f4ac80066a9e7230ca87a857e8a7c815530934318299b57f2c5abfa6045ad0dac2e4ac80d5b2129e5dc48dd7e4909642e330e5bc2d93d4c197e2
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
272KB
-
Filesize
392KB
-
Filesize
12KB
-
Filesize
272KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB