General

  • Target

    2025-05-04_1b035d98cc6e7bfda375161695f664db_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer

  • Size

    938KB

  • Sample

    250504-xv7slsdm9w

  • MD5

    1b035d98cc6e7bfda375161695f664db

  • SHA1

    177ce6d70a44065ca7b95a852adf92818e5fc012

  • SHA256

    aba6db25034de9339210c104e69e3adb8c3823326d84ea9b2e4f546578a9b9c6

  • SHA512

    accd6b9c9c2372ecb7b3a39bcd72ba988d8f246875e538c4bad022958a8a12060057692979ef77e58414d3532956a1730c7489d3525707e042956004005079ea

  • SSDEEP

    24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aMrg:MTvC/MTQYxsWR7aMr

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: http://80.64.18.219/testmine/random.exe

Extracted

Family

vidar

Version

13.6

Botnet

67fbfb451f5f631daf82f1ea6227222f

C2

https://t.me/m00f3r

https://steamcommunity.com/profiles/76561199851454339

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

lumma

C2

https://orjinalecza.net/lxaz

https://eczakozmetik.net/qop

https://orijinalecza.org/jub

https://tortoisgfe.top/paxk

https://eczamedikal.org/vax

https://orijinalecza.net/kazd

https://medicalbitkisel.net/juj

https://snakejh.top/adsk

https://vecturar.top/zsia

Targets

    • Target

      2025-05-04_1b035d98cc6e7bfda375161695f664db_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer

    • Size

      938KB

    • MD5

      1b035d98cc6e7bfda375161695f664db

    • SHA1

      177ce6d70a44065ca7b95a852adf92818e5fc012

    • SHA256

      aba6db25034de9339210c104e69e3adb8c3823326d84ea9b2e4f546578a9b9c6

    • SHA512

      accd6b9c9c2372ecb7b3a39bcd72ba988d8f246875e538c4bad022958a8a12060057692979ef77e58414d3532956a1730c7489d3525707e042956004005079ea

    • SSDEEP

      24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8aMrg:MTvC/MTQYxsWR7aMr

    • Detect Vidar Stealer

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Healer family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Downloads MZ/PE file

    • Stops running service(s)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks