General
-
Target
rihuata-main.zip
-
Size
42.4MB
-
Sample
250405-pacgzayks6
-
MD5
19ab179a340d2ca155efb4fc6efd95f1
-
SHA1
d5acebe5e5047b4514d24b2bd586b88453a1400e
-
SHA256
214082ec55ebca25be21e5b5227ad0e89c08026c55a21fc57dc4bd2764f5d28f
-
SHA512
e7e4ef683845d643f9aaa8b3e4b2ff88af2e7a4e1ced606dfa0de998e4d81e5adcb62aaae3618f168ca758c87657963692454939b4a4ccac96a8ad2a51aac4d5
-
SSDEEP
786432:dlhsUS0/sxHUwpoh46w84ubV4BjVzHnOg7G6TWSuzUMKnN:Lhsu/sNUSoh46N4uB4BJz1GAduy
Malware Config
Extracted
vidar
13.3
23b8a0e48f77dc82cb41b2936121fd07
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted
gurcu
https://api.telegram.org/bot8044316559:AAFBKJlXZImRdKtbDCT2g5_pK-tOr4SgrOo/sendMessage?chat_id=7099179555
http://96.9.124.250:8070
http://209.38.221.184:8080
http://46.235.26.83:8080
http://147.28.185.29:80
http://206.166.251.4:8080
http://51.159.4.50:8080
http://167.235.70.96:8080
http://194.164.198.113:8080
http://132.145.17.167:9090
https://5.196.181.135:443
http://116.202.101.219:8080
https://185.217.98.121:443
http://185.217.98.121:8080
http://159.203.174.113:8090
http://107.161.20.142:8080
https://192.99.196.191:443
http://65.49.205.24:8080
https://154.9.207.142:443
http://67.230.176.97:8080
Extracted
vidar
13.4
b67a308257f21ac98cb4828b3f69a282
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted
vidar
13.3
886e3178ef0cef21a6ff7125395660f2
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted
bitrat
1.38
31.177.110.225:8080
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
install_dir
Appdata
-
install_file
FileManager
-
tor_process
tor
Extracted
vidar
13.4
f8127ecb24efc59dc898cb2fe66fd001
https://t.me/f07nd
https://steamcommunity.com/profiles/76561199843252735
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Extracted
lumma
https://sparaperw.live/smphn
https://jrxsafer.top/shpaoz
https://-krxspint.digital/kendwz
https://nrhxhube.run/pogrs
https://grxeasyw.digital/xxepw
https://advennture.top/GKsiio
https://targett.top/dsANGt
https://xrfxcaseq.live/gspaz
https://ywmedici.top/noagis
https://paraperw.live/smphn
https://qplantainklj.run/opafg
https://kpuerrogfh.live/iqwez
https://quavabvc.top/iuzhd
https://5targett.top/dsANGt
https://rambutanvcx.run/adioz
https://darjkafsg.digital/aoiz
https://plantainklj.run/opafg
https://puerrogfh.live/iqwez
https://transfosdrm.live/qwopr
https://krxspint.digital/kendwz
Targets
-
-
Target
rihuata-main/bomepratiaosa.exe
-
Size
1.3MB
-
MD5
6e3c76ae5dc8d3df16faadfefa10745d
-
SHA1
4e7faac22b135da687f2a19825f9bc55e3220ee4
-
SHA256
081d74a8ce956185e5f2cb7a8919503153db8c06d1aa4bf5842d3d49cd6beca3
-
SHA512
7e488437c175004569a436ed8d2474cbd897b39f394d1e7393f5b2b1b06fbb0d365fe79a30621f499514c07ceb8e9dd3ce39d6a09357d0cfa7e6cb8d6a2bec14
-
SSDEEP
24576:i0fPlwqNoV39w9MX6F8p9jxXfXDi4tfQ6GLIMjVsAUUgyPo2Vr9:3fPqYIw9C6y9jNzjNQ5IMjGVtIVr
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/bvrtiawdktgawdlla.exe
-
Size
1.3MB
-
MD5
c8ffcfe42bd5dac4411350a93bb44931
-
SHA1
c1e12ef1eeceae129a60d2642ea571754b33c74e
-
SHA256
430bd598d5c4f99dc7932e7b1200d9ff2de508890f2418f2451163c2f5ecda14
-
SHA512
af1cedead6166cdc938e377409f5a1d2829db57a93ba7b508e1e6cfc5006489574c3e5031ce7560282a6405d60b016902d83fdb0e0a0f53edfc2fb26da0c033f
-
SSDEEP
24576:pBq76W9sw+OWSLsp60/07vNtxOSIPfMZkoSJyciM/gNYIO0HB:Xq7N5pWPp60svN7zZk2cJ/gNYi
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/filesaa.pdf
-
Size
24KB
-
MD5
e988f85bcee35cd8a5500bec34b392a1
-
SHA1
c5e38e8f52585184b6bf65d095f3b3b3e84cdaeb
-
SHA256
2de99c1f28162a4e456992e62f4567f18bfcfb6da4baf673f667badf7e56c9dd
-
SHA512
208a01c4b05b03c1106d14e54569088fac1e42b08be353c26e4b04b4ab87523c1294a96f35cd58b9809259aa943dab6118182752502b88d7c804d5a37c81ad0f
-
SSDEEP
768:UM6UJvui+e3tz5OhdxrPukLutj92JbwhQHYKN94/RyPC5M5Etglj:DjNtjcJWQ4c4MCOcE
Score3/10 -
-
-
Target
rihuata-main/gopawdkrjgh.exe
-
Size
154KB
-
MD5
2d75031f20fe869431212b7b3f90fcde
-
SHA1
f2af4a940dfa314bca2d342d939fc32fe7afa6cc
-
SHA256
b7104015108dc762613ef8971ad5526e1ebe18eedffe7dc6e344d639aa57b39c
-
SHA512
b581b971c1cf3d077abfb91f05e2a5224f2748fc5a749ecd644dda3bae3311cff56eb64dc84b3d281578f12024cb4068759e5ef00ffca4a6cfba6af0ebb39342
-
SSDEEP
3072:2734otfn9bTUz9bmGPV5wSlZpF3KdDlQOp:27IotPpTUz9bmkkSlbO
Score10/10-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
rihuata-main/gramiltter.exe
-
Size
27KB
-
MD5
2ff8e057084b5c180e9b447e08d2d747
-
SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b
-
SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072
-
SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251
-
SSDEEP
384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
rihuata-main/huilter.exe
-
Size
137KB
-
MD5
dc823d0f1e80400cd6ac7d8e5f68819e
-
SHA1
5731d56f9bd7caf2a49ede09deab89dad9f6cf4d
-
SHA256
bb0e2fb8ac8b2a967cc699f5483d7b26714d23a0c4e45263afb8973c6d18bcf1
-
SHA512
632388cd83ad40ce342c726fece6c3c423532d837b5743d3452a62beaed1eade4994e809464a018e7303860c751b7a688caea12f7495d4092edf30af654dca8a
-
SSDEEP
3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QsPu:KH8RuRLlzgUd6a/AslsPu
Score8/10-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
rihuata-main/jaconfager.exe
-
Size
29KB
-
MD5
b53fe4fa46ed758b04b4425fa2028882
-
SHA1
c3f4fc1b41df2e77de4cc9c6bb1d7774db4bf2fa
-
SHA256
dd4ed2efdaf0c829b47f10a7b3644bda24a4a72786e6f23ad38657bd4858a539
-
SHA512
91a112448d164347caed679b1fe981b938f1485c37f8ea7c1d658dd0931cd3aa730d703cdc66d6fa268d8b68c50ddee93d4ff81e25096207c9478861ae123fa9
-
SSDEEP
384:piY/4mcwYPSNOjKjg11+rVlOxxtNP97kJkgQ8pwIIumVbgORBprjlJZpTJ3uPbHx:piWWjjKjrOFgwItmVsOlr1B+9F
Score7/10-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
-
-
Target
rihuata-main/kalrtotypadjeee.exe
-
Size
137KB
-
MD5
e08490aaa588933433f6b7d3ffbae613
-
SHA1
2b4d7cf90e3e9b41f070194bc6dd811ef60014d4
-
SHA256
0476c1b47571e408cdaeae24a30e481fc0955989e64791e505f7de6d391c1048
-
SHA512
8c67fd88a91314594137dc50a4e81deb96ffb093469cc6b04ca3c4b7e62e6f41b3dd40c47924937fbca202144958068e6c4d0b258ec4469b7f536bb37142f7c9
-
SSDEEP
3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QZqu:KH8RuRLlzgUd6a/AslZqu
Score8/10-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
rihuata-main/kilapopa.exe
-
Size
1.2MB
-
MD5
306bd18c3cf6ffab70ea2c9a1b4959b9
-
SHA1
87c0daf8b1e9da608c3f571d754b828c51eba575
-
SHA256
306997d2a503d4a9e5848b2a327f7e70533b236b04a85b87632250c60cd19f14
-
SHA512
ea80b51b3a41e972b736658380080875fad7b71b67a7087b7ee690e3a1ccc004fe0984111b982380af4ca7d8115063cdc685ed4786d2742cce70c8a3aeb2e350
-
SSDEEP
24576:foFE068ryTF/r+x30mIOdJuTw5cQwOTwY3GJbczlMs0kZ0GgzBG5MtiD8Z:fo6kQ/r+td2ecrU2JbitZJgzBYIZ
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/klamingosa.exe
-
Size
1.3MB
-
MD5
7ff623d6cae2bf589ad0c2355837d5b8
-
SHA1
0172e23db07f433ae4aef2209248222caa75eabe
-
SHA256
8890ad3c345d1fd2513fef65c10122b47ed7e72764d6dbfebf36076cef545a7c
-
SHA512
502eb080b47f6e43105afeaa394aef82aaa7ae2a99abe61f10cea6ea16f1c7c630fce95936cceab7ac72050ed5386bbd2726fbe3a8453adfa13113d38d095e68
-
SSDEEP
3:vthltllPllEYZcFTS9gXeF+X32vl/:vtzmVg3F+X32
Score1/10 -
-
-
Target
rihuata-main/kloalersaniii.exe
-
Size
1.3MB
-
MD5
5239c14de150d24fa9c7b67ca39b9f25
-
SHA1
7d9591e956f8b796b4918ecb1f363311a5460b80
-
SHA256
789891cf144aa1c56e80f0774f50a3ea60eacd192c086246e948252b3fe8ff80
-
SHA512
9f951f0991875190cf39756a9dae9e726b16315bdf9bb9f3f3756ebebad52ece7a62e4f25af55682bad1a7c1666bec00e77019810b2fa449d939e433ef8acf48
-
SSDEEP
24576:szoh4RvfXn43zrIihx9bnlpzdz+JDk1h51iaKc53Nl6:szoh4J/mxln76S/bz
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/kukurumalasa.exe
-
Size
1.3MB
-
MD5
f2f7a6a609b923471e8e1dedabd75ef6
-
SHA1
0b16881c845cd6baa347510b5894da69623e118e
-
SHA256
4d0c8d5868c35db0748d247d2e1156c87436ac108950adeb7a0e66439f07a204
-
SHA512
8a8c80f2888eaa6cf8ea9367d12dcb231538a2dfe84855a058de51b39429a496ee502754672df8423add849b083fe04a96ce46958c0a57f619c48557cae3f9b1
-
SSDEEP
24576:kHVJ9w60hcqKyOuuUOjGjje/9sznLAe5WnlpUa2/+4AXCJtiWhGg7QAnWBluKpn:k707KXPGk9sznL6lp72/PAmtiWhbHOuQ
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/lotuserkasasa.exe
-
Size
730KB
-
MD5
f7c4921322db3352a828493b924bd1fe
-
SHA1
86c4f35c83332d0832dcb63e331546d37865ff78
-
SHA256
27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc
-
SHA512
6456fb2d6ce773cd0899c7dd0d0e2f34577e46ebccc0b753c9acceddd46e9713277e5ec2b687a2b924e5c3d72024e3ff610661fdf44cc3a091ee13aa87aa8394
-
SSDEEP
12288:D78oc9laEnU2j5CHdf3JYzi6GCsfN8nv47wrcxxQe:D78oUFnU2j5CHdfZYeFCsf0v4cx
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
rihuata-main/lukarakalu.exe
-
Size
1.3MB
-
MD5
cf3c413b83529c888a4af04077cf6759
-
SHA1
1be483eea53c55c0a83d470f193f93ccdcb48d5d
-
SHA256
5a49baa36f04f7227a978bd622bfef920455af0ea5521b19679dec3c9fde1e98
-
SHA512
8366762882da4f7156f0ed801c5bc30bfe1fb62af34b303303c9d250a625722034112c9ae48af9bb8ff65059db20e053faa48aea30bdc04ac6224ccc65893f61
-
SSDEEP
24576:rTGSHJXhq9rcIgTQ0Tu5d+QJok77bWLQVcmCfxTo9PC/W:phgyQ0Wd+9kb8rf1bW
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/mbnorad.exe
-
Size
3.8MB
-
MD5
808005572c1c65a4a6166ed83f7180b4
-
SHA1
0c5818685f1a9bfe42dfad3323e964176d245e1c
-
SHA256
1f0279acdb1535a39a82d8a1baaf10e9dc307c043e38f53752e64408b50c58aa
-
SHA512
73cbcd79dfa5de8576afb4900a0a152329c76ac88e0cb2cc2e1c4ab4bae041b2eb04720490a7509e23fc267fcfa37d8dca6df68bb0ffbbf892bb1e7a887be80c
-
SSDEEP
98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/PmlwXVZ4FB:5+R/eZADUXR
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Bitrat family
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/mimamopetuesa.exe
-
Size
1.3MB
-
MD5
321dd589ce6219ae68c89093fa8f0e8c
-
SHA1
5c9f9d7d9f287624652d6d7598b00a90154ea4cd
-
SHA256
262da6ab14665d13e89a638f8b3dc5699f65f33d203345aa22ee8b920d86d245
-
SHA512
fc5c92f44900f435ee160f9e042808f37f9297bc8b5ffc3be52bef8c34144661462283eb8a403fd2af11960014bf63057575caf45ef51793922abd46d8a6b21e
-
SSDEEP
24576:g59/0fgrSMwH6IVL+Ma9hE4acwwxFY0jtZCHUvWJ11ZXXjXJVC:sb8x+jZacLPxLwJfZXXV
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/mumirolepawers.exe
-
Size
137KB
-
MD5
a1589065a8e34c3f551031d41860a5fb
-
SHA1
4829223737ff1c274f6a58b0f6be39af12ae9fd0
-
SHA256
fb56c1ac1cc933ab05f02a39937dad20960bf71144358ac3b99262f5c1ab2493
-
SHA512
1e81df29dcc8d09660defea508dfd3cbe954b20238f80e67d0207c5a1cc5318e243daebcdd1c46045ea71e589bc8d2c1ec11beb1ddbdb79917aea2c608c1188d
-
SSDEEP
3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QOPu:KH8RuRLlzgUd6a/AslOPu
Score8/10-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
rihuata-main/nbitoadkrtjkajdwa.exe
-
Size
5.1MB
-
MD5
cb1ab881df77d5e59c9cd71a042489dd
-
SHA1
948c65951d6f888dacb567d9938bb21492d82097
-
SHA256
23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780
-
SHA512
84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31
-
SSDEEP
98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd
Score10/10-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Drops file in Drivers directory
-
Stops running service(s)
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
rihuata-main/nborepadiktad.exe
-
Size
154KB
-
MD5
45c60c8cd85b2c5bf1e45d9cedffb0f5
-
SHA1
44dcaed457ea5d71bdb8e363cda3571073072066
-
SHA256
f8ca9367e456da03cb05e50cba8f20d36bf59035b0b42e4c149d143a12d9bf0a
-
SHA512
e4833825aba49dd471cdbd912594da200f751837351cb68404867b158e9d078a95196012b1a6cffbe72e835f5a4001f10f969ae68303a2dbb452b08a6569099d
-
SSDEEP
3072:tuBUoLruBEaO77ZKKf9bjPoppy7KQWlKdDsQOv:tuaoLiVO8Kf9bjAry7KQWGO
Score10/10-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
rihuata-main/nenruioepad.exe
-
Size
1.3MB
-
MD5
9c7f9543ee6459b7c73b61c7b239dde8
-
SHA1
f8055bf2f315275b3d6d9ebf1c0d60226e2b2887
-
SHA256
47ae02cfb9fd30728323dfce8b9ba261cfd2a3d08ece15b71af6755c256aea12
-
SHA512
41dcb2c9fe1680a23d0fafc2638c654970984779ffa98876c45085cb7ab97654853d17c1608060603caf3f61916ff48731b03aef686ef7e5157f7a85954c2432
-
SSDEEP
24576:POlhpVWdG7+3J8aifg/NrWiwHXTPY+KL+MVKS2r9GpXt4XULKBAY/:CpK3J8veNoTPY+WsrGpXtbKd
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/nixmixhix.exe
-
Size
12.5MB
-
MD5
4d9728a6c062cfa93ec0e5b18f67f436
-
SHA1
bcf5dc9253e785c561261ccefd3b0485adaa3748
-
SHA256
77af16a3bb1d762ceee56acc22bdf10d1945c007a4ecf6504e991f8f4e1588e9
-
SHA512
74ea12d3537c4d520296193c9bf481a367fa382ad1d131c9d67b048911f79cfd01325da17a6eb9d88048e63b10b2bb23db98c082a68ad81d3b74576302e92537
-
SSDEEP
393216:FMMj6uIhwiF20XBou0GmG/pUTfNF88FH8vmg2b5:CgbIBF2IaCpUTfNF8qH8vLw5
Score10/10-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Stops running service(s)
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
-
-
Target
rihuata-main/nopekapeaaa.exe
-
Size
1.3MB
-
MD5
ed974d9ecc80c4e2e6acab6cac07dd77
-
SHA1
7e8248d50ba911a1a54d2cf204715f614bdcac93
-
SHA256
9b23b051c68b7c405836c6c63d7b6b371cce937ba6ddfd9e9d2db96c321c498d
-
SHA512
e06a5bfb84287ff4145bcdb420bfa9c4ff0c125cad9227904704b74e98e878edfaa01d8e6f713a92e0ca686cfe1047e11f07055002115493cf24c939fe56e37b
-
SSDEEP
24576:0rghC1X7KzORwiEnYOi3TAVB498ecEKCq/3GRCKpsPQCphK5voiZaB4A39Mew:97iWnETAVB7/WUKQpphK5QWyC
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/nvpwadkkthaaaa.exe
-
Size
1.3MB
-
MD5
94188597ed0d1293b0bbd8bd11179e9f
-
SHA1
2714a74ec5b38a5b7027b0ac41681579f7f10e57
-
SHA256
a780b3b4d18253c76f74b6afe10a881d13083e045e30f318ff84fcaec59620c9
-
SHA512
d227f6a0eb38687a9e1fc863d4e3454ab90cda879b18da4ee15b05fd661ea8c53e164f4e77f7d4eebdd213cb041776b020a2ef4e1f8410bd5bfadde0abd5e3ca
-
SSDEEP
24576:CaYpkHc/LVDmDRHb3ISsRMRqguIw6im23Yoa6xu2EkziqZFaDkX8UXsmLk7pg7:hYpDBmDpLGcfuXy23ja6M21iqZwDkX8w
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/nvtipoawdkthawd.exe
-
Size
1.3MB
-
MD5
282120259a5127ed4945c4d229a0af87
-
SHA1
8e1599d0cb430790cf041b9358b13df93852ffca
-
SHA256
c7846b5ee0fb1b7d28ecfce880bcd873f94173073fbf44805d57ab82589154e4
-
SHA512
9f27faae753cae796f6800a4450f890f21051b7a8887885ff551e488dbf106acf2a80ca81849af83a78a75843facd61ff35d0f54995a21a5d0e978f7069a0016
-
SSDEEP
24576:vYU3pCUAqAiBcVmRhJ3Btxw+UEmlFN/nL0BhxM0NrpJ/Rtl:VpC1iB9LJH9dmX9LYxM0l7Jt
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/oplaserkanureee.exe
-
Size
1.3MB
-
MD5
48eaa6bb85c5988779942ac7e06d056f
-
SHA1
2fbde7bb45585cfaa3478486720edb86e28c8ae0
-
SHA256
9bcfad0ece96baa9b441d72170d38f2f34da67814d3dbb6ac116f15a1ba18225
-
SHA512
b9888ccf5c504b0e7e61d201edfb84c122bf221e1069dbe6109e022346952f321bb8ccafc5abe5ae3942df5d359695e1f800846d4d6e33b181d817e9480d9670
-
SSDEEP
24576:+9JFyQFTLsLWSGkWMN1n8d+U99COS2rKPpG6W03wU:uFjXKpZNYjvrKPMCj
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/oprlalalalklaaa.exe
-
Size
1.3MB
-
MD5
f77ccf6a144e4e0d042aac985ba2dc6d
-
SHA1
0de7dcb9329fbf6cb91fb86a43c54514e31f7d3d
-
SHA256
456658948a090e48662b13f2bda5c97ee7acee614a9a027646ff4db77d25704a
-
SHA512
e10be75d9fcd0d8c72e25807372b9fa746c9b32a132babad24ecb0ccff5f65c85941242f6866fe557a76c3e2a3d9a759b06882853b45740f2bc38e326133d64f
-
SSDEEP
24576:D9Z941j6njZDJx1d0s2SpU0+7xLU7jSLglSY2K01ARpZO5P:T941mnFDcSpifLgljv0qR3mP
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/ripapakalswa.exe
-
Size
1.3MB
-
MD5
ebe68155a91b74264313e5db0c3da137
-
SHA1
26ad1ed1b56f1f4404a213aa1d7ac2053c4451ac
-
SHA256
99ee8244a3fb9287717f77398438ae60f8fe7abf29a36776cc2d76b985b0bb9b
-
SHA512
b7d9807c4098721a345bb94fbcf0c774ee03cf1ab1f44e2f148c17e5fa61c26fe854a4c1288262933eab5cc7df4de905a9a346cb03ab17b0cf56e526fa1c0552
-
SSDEEP
24576:nWbXCAk4+ydf7WS6rMelJg55qcDEO3rh1wMz9Sebuxec5YBz7O8q:OXc+df/IgXqcDEUrnb2eaYHhq
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/tiawdkthawdaaa.exe
-
Size
1.3MB
-
MD5
c72dac1b126c389a691b79317d9dff7f
-
SHA1
9a197b7d7ba947c8acc2b83886a6fc1ee1a2a50b
-
SHA256
74b4c1f040614105777e67b1ebcfe8a95e835dbdc8408fc75699eed54faabbc7
-
SHA512
e1593783c7553617059dec0690433e01bc9ec83b27a1e5b3f5167d75c4e53fc9e9aa2727cd5a25f0345932592615a4f8516c9677b66a60e1960bdc88d09f10a9
-
SSDEEP
24576:y4BY963TVruybIvvyoDjtmJdX+OxSsr8wdfFhboIDxkK39BH:pWs3oOIvWJdrxS+dzvv3DH
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/vjtkadkrihgka.exe
-
Size
27KB
-
MD5
2ff8e057084b5c180e9b447e08d2d747
-
SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b
-
SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072
-
SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251
-
SSDEEP
384:9XKCifuPVcppE4KeEdAl7H0I4GSFdr0NAbybMAf3L+9tHmXel7xI:96CiWPVypE4QalMZmoZ3Hmw7
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
rihuata-main/wkerkadlrgiajda.exe
-
Size
1.3MB
-
MD5
cf6400282fa5a0311240af20c4654584
-
SHA1
8563b439acedf8f4c72fcae9cbd4d64cd6548828
-
SHA256
2237953b9b13a18569f81769755c5f56fca19cdae5c43c14462dc7a83f94ab39
-
SHA512
f3929ba9d4941c841abe1dc6386b37d592471ae901a2e27076f4931972a873bc253129c5904f5f7e7b197379ccd11ac1838f10551722ee41df20de2f6b7b4a2b
-
SSDEEP
24576:b0eMtQr3G1VWuDA6M2MzVFtA+bjKxzQuM9hcQ+0MEJDibqw:bqCr3oMKA6MjzV3AIGQ9DcQFMEd
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
rihuata-main/zuyokhrfhhfde.exe
-
Size
2.3MB
-
MD5
9df7d705ddf9926d2981f7efc5050f9b
-
SHA1
0df97ba0725ad9019a882ff3dd4a4a92089282b1
-
SHA256
8350e523807323dc6b9d60a5ebe411dab4826a4e7584a1fad4583ce71dfac504
-
SHA512
873aa17897827b956021cb4266c33fc44fec658e1c6722f70207a5f91ff5225b0a5f54fceedbced41931dd05f22e189a0bc452a0fdc1aa846259cc435b5f8f07
-
SSDEEP
24576:j4khR33V3uCw7sULd3yUJVdzxlkj/7WUx2VzUN+XpOPwze6t:0khn3I0KcWBAEb
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
rihuata-main/zzzznoawlrgiawdaaa.exe
-
Size
1.3MB
-
MD5
9cd27b18c7c424a42ee2d0187495d131
-
SHA1
6eaf89d5d3ff50603ae600e8cc0811a511fabf18
-
SHA256
d92a22a747916a126b8992c2c538ac3f3c42379f992347a928175d5fca2b3a3f
-
SHA512
d91629d93fd544289a69c8dd27623930d7170b1aae1dfcd496708ee52568211ec86109caf01d2d2c38a36c3efc9e8a37a5e39e47a65391c79e63e329f702126e
-
SSDEEP
24576:GjqRd8e0+uXBgTr4Qp7q82Sh33o6bAbHvzyXqdE9MScyVxC9C:P8e0FRq4QZH733oQAbOMScAx6
Score10/10-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
6Credentials In Files
5Credentials in Registry
1Discovery
Browser Information Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1