General
- Target: 2025-05-04_5cd0f5a49ae3e48cc55e9aa52537d963_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer
- Size: 938KB
- Sample: 250504-yaa4ksej6s
- MD5: 5cd0f5a49ae3e48cc55e9aa52537d963
- SHA1: 1367f42f88e6a1176385630eea93ec49dd9273dc
- SHA256: f0ad328b7809f4e123683980468fa6cccb4e32e68451ac9108f66ca26103b18f
- SHA512: 3fbdaf895010a1410d34ae8eca0cb8ed4fc4071074eab27b0bc47d218ce2ef9d722b162ead3bdcb13f4dea7a34ede611c0da46d548b54321d676ebbcdd394a6f
- SSDEEP: 24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aMOg:6TvC/MTQYxsWR7aMO
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2025-05-04_5cd0f5a49ae3e48cc55e9aa52537d963_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe
- Resource: win10v2004-20250502-en
Malware Config
- Extracted: http://80.64.18.219/testmine/random.exe
- Extracted: http://80.64.18.219/testmine/random.exe
- Extracted (lumma) C2 URLs:
  https://vecturar.top/zsia
  https://brandihx.run/lowp
  https://viriatoe.live/laopx
  https://exitiumt.digital/xane
  https://opusculy.top/keaj
  https://civitasu.run/werrp
  https://scriptao.digital/vpep
  https://praetori.live/vepr
  https://rdisciplipna.top/eqwu
  https://orjinalecza.net/lxaz
  https://eczakozmetik.net/qop
  https://orijinalecza.org/jub
  https://tortoisgfe.top/paxk
  https://eczamedikal.org/vax
  https://orijinalecza.net/kazd
  https://medicalbitkisel.net/juj
  https://snakejh.top/adsk
  https://baseurzv.run/asuz
- Extracted (gcleaner) C2: 45.91.200.135
- Extracted (vidar):
  Version: 13.6
  Botnet: 67fbfb451f5f631daf82f1ea6227222f
  C2: https://t.me/m00f3r
  C2: https://steamcommunity.com/profiles/76561199851454339
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
- Extracted (phorphiex):
  C2: http://185.156.72.39
  C2: 185.156.72.39
Targets
- Target: 2025-05-04_5cd0f5a49ae3e48cc55e9aa52537d963_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer
- Size: 938KB
- MD5: 5cd0f5a49ae3e48cc55e9aa52537d963
- SHA1: 1367f42f88e6a1176385630eea93ec49dd9273dc
- SHA256: f0ad328b7809f4e123683980468fa6cccb4e32e68451ac9108f66ca26103b18f
- SHA512: 3fbdaf895010a1410d34ae8eca0cb8ed4fc4071074eab27b0bc47d218ce2ef9d722b162ead3bdcb13f4dea7a34ede611c0da46d548b54321d676ebbcdd394a6f
- SSDEEP: 24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aMOg:6TvC/MTQYxsWR7aMO
Signatures
- Detect Vidar Stealer
- Detects Healer, an antivirus disabler dropper
- Gcleaner family
- Healer family
- Lumma family
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Phorphiex family
- Phorphiex payload
- Vidar family
- Xmrig family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner payload
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Stops running service(s)
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Windows security modification
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16 (technique: number of matching signatures)
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
- System Services: 2
  - Service Execution: 2
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 6
  - Windows Service: 6
- Modify Authentication Process: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 6
  - Windows Service: 6
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Defense Evasion
- Impair Defenses: 6
  - Disable or Modify Tools: 5
- Modify Authentication Process: 1
- Modify Registry: 6
- Virtualization/Sandbox Evasion: 2
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Modify Authentication Process: 1
- Steal Web Session Cookie: 1
- Unsecured Credentials: 2
  - Credentials In Files: 2