Overview

overview

10

Static

static

10

rihuata-ma...sa.exe

windows10-ltsc_2021-x64

10

rihuata-ma...er.exe

windows10-ltsc_2021-x64

10

rihuata-ma...ep.exe

windows10-ltsc_2021-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rihuata-main.zip

  • Size

    42.4MB

  • Sample

    250405-payp7svzfy

  • MD5

    19ab179a340d2ca155efb4fc6efd95f1

  • SHA1

    d5acebe5e5047b4514d24b2bd586b88453a1400e

  • SHA256

    214082ec55ebca25be21e5b5227ad0e89c08026c55a21fc57dc4bd2764f5d28f

  • SHA512

    e7e4ef683845d643f9aaa8b3e4b2ff88af2e7a4e1ced606dfa0de998e4d81e5adcb62aaae3618f168ca758c87657963692454939b4a4ccac96a8ad2a51aac4d5

  • SSDEEP

    786432:dlhsUS0/sxHUwpoh46w84ubV4BjVzHnOg7G6TWSuzUMKnN:Lhsu/sNUSoh46N4uB4BJz1GAduy

Score
10/10
bitratdcratgurculummapovertystealervidarxmrig23b8a0e48f77dc82cb41b2936121fd07886e3178ef0cef21a6ff7125395660f2b67a308257f21ac98cb4828b3f69a282f8127ecb24efc59dc898cb2fe66fd001credential_accessdefense_evasiondiscoveryexecutionminerpersistenceratspywarestealerupx

Malware Config

Extracted

Family

vidar

Version

13.3

Botnet

23b8a0e48f77dc82cb41b2936121fd07

C2

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

gurcu

C2

https://api.telegram.org/bot8044316559:AAFBKJlXZImRdKtbDCT2g5_pK-tOr4SgrOo/sendMessage?chat_id=7099179555

http://96.9.124.250:8070

http://209.38.221.184:8080

http://46.235.26.83:8080

http://147.28.185.29:80

http://206.166.251.4:8080

http://51.159.4.50:8080

http://167.235.70.96:8080

http://194.164.198.113:8080

http://132.145.17.167:9090

https://5.196.181.135:443

http://116.202.101.219:8080

https://185.217.98.121:443

http://185.217.98.121:8080

http://159.203.174.113:8090

http://107.161.20.142:8080

https://192.99.196.191:443

http://65.49.205.24:8080

https://154.9.207.142:443

http://67.230.176.97:8080

Extracted

Family

vidar

Version

13.4

Botnet

b67a308257f21ac98cb4828b3f69a282

C2

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

vidar

Version

13.3

Botnet

886e3178ef0cef21a6ff7125395660f2

C2

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

bitrat

Version

1.38

C2

31.177.110.225:8080

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Appdata

  • install_file

    FileManager

  • tor_process

    tor

Extracted

Family

vidar

Version

13.4

Botnet

f8127ecb24efc59dc898cb2fe66fd001

C2

https://t.me/f07nd

https://steamcommunity.com/profiles/76561199843252735
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

C2

https://paraperw.live/smphn

https://metalsyo.digital/opsa

https://pironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

Targets

    • Target

      rihuata-main/alopernutsa.exe

    • Size

      1.3MB

    • MD5

      740f90748595efb8d155732d1c4a9f10

    • SHA1

      ddca6847a8092fc19a473d483284fc39291bef4b

    • SHA256

      7a5551bd343f4f626e394df465d366fd7ee6e42cd80c24ddbc95b766d20aa28c

    • SHA512

      a2fcda91c75b17f176968e73f0b5127af3073a19c5fab546dd6134bf4d6d0fba3ff82e908aa45b5e6c3507344b0133b21aace1f367a57cb11b3ec4088d52e226

    • SSDEEP

      24576:fHY1ynXyuZNhKCjlD2EQyjQrKVNi7bxpL7tamKHW90j428Tqhn:/wOoKVNQt3Krj42wqhn

    Score
    10/10
    lummadiscoveryspywarestealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      rihuata-main/ausritter.exe

    • Size

      5.1MB

    • MD5

      cb1ab881df77d5e59c9cd71a042489dd

    • SHA1

      948c65951d6f888dacb567d9938bb21492d82097

    • SHA256

      23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

    • SHA512

      84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

    • SSDEEP

      98304:JiGUZDIMGpNQVgB6W9Yj1FbFKGZkZk0a51wYKZpptRA3x9JEY0UiHO5RcrNkjR:KGpNfB8pFbFK1G0a5k7A3LJGUiu5WJkd

    Score
    10/10
    xmrigdefense_evasionexecutionminerpersistenceupx

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      defense_evasionexecution

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      rihuata-main/bobobopepep.exe

    • Size

      137KB

    • MD5

      eef0cf1e11cb3f28d745ea4147fc6d90

    • SHA1

      da5e2f874cde6c4e8fa39acc0b4006fe97030881

    • SHA256

      a4f6c7683dfaf5495456684359e73c8decdac1435ab742763ad1fe7260f775b9

    • SHA512

      0b79b6cc0bb84011b5d0b80251a83188682e057d58c9c700886eb482d491d4593b1891dcd840f3fefe164adefae9f3641e2f03372390efba926e12581df8789b

    • SSDEEP

      3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8Qrqu:KH8RuRLlzgUd6a/Aslrqu

    Score
    8/10
    credential_accessdiscoveryspywarestealer

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Modify Authentication Process

1
T1556

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Authentication Process

1
T1556

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

5
T1552

Credentials In Files

5
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks