General

  • Target

    2025-06-03_101d05775b0f52a29f756c84a6923359_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer

  • Size

    938KB

  • Sample

    250604-16pb7axkt4

  • MD5

    101d05775b0f52a29f756c84a6923359

  • SHA1

    29c20a6f001088f457065259d052853faedb053b

  • SHA256

    b13e7a198e3ed94269f35d7546aaa844fb95e6d5b339c103cf45baca3babff71

  • SHA512

    1513ba68fd155a184a79036993d768a85050c0697e02b45386c285fd05612a1896b8b5e3c7169244f02eade622216f571eb49d389305bd3d65924494406b3587

  • SSDEEP

    24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aMOb:xTvC/MTQYxsWR7aMO

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

lumma

C2

https://battlefled.top/gaoi

https://narrathfpt.top/tekq

https://escczlv.top/bufi

https://localixbiw.top/zlpa

https://korxddl.top/qidz

https://tinklertjp.bet/nzaf

https://diecam.top/laur/api

https://citellcagt.top/gjtu

https://witchdbhy.run/pzal

https://https://t.me/stfmms/api

https://heartokait.digital/gai

https://https://t.me/vstalnasral555/api

https://runtnwq.run/gajh

https://https://t.me/pizdenka202020/api

https://lepidobdkn.digital/taj

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/sendMessage?chat_id=6299414420

Targets

    • Target

      2025-06-03_101d05775b0f52a29f756c84a6923359_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer

    • Size

      938KB

    • MD5

      101d05775b0f52a29f756c84a6923359

    • SHA1

      29c20a6f001088f457065259d052853faedb053b

    • SHA256

      b13e7a198e3ed94269f35d7546aaa844fb95e6d5b339c103cf45baca3babff71

    • SHA512

      1513ba68fd155a184a79036993d768a85050c0697e02b45386c285fd05612a1896b8b5e3c7169244f02eade622216f571eb49d389305bd3d65924494406b3587

    • SSDEEP

      24576:xqDEvCTbMWu7rQYlBQcBiT6rprG8aMOb:xTvC/MTQYxsWR7aMO

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • XMRig Miner payload

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16

Tasks