General

  • Target

    2025-06-04_6b33bc642d24fe996125371994832c47_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer

  • Size

    938KB

  • Sample

    250604-1gplnadp5y

  • MD5

    6b33bc642d24fe996125371994832c47

  • SHA1

    99ee62f4bcda44ebcd950239e03bba3735c1b312

  • SHA256

    cca14067a4f5185e420b24fd7339ff4437ac1a89669d97f1bbbe91b2999289f0

  • SHA512

    f63a419f1aabc7c4985d2439b426cc4075291acf812313307972e7f3f26f33b8efe3febdd08c2bc0e8af623302ae59b73a812d0de6f4b8646776a7b74045c2a0

  • SSDEEP

    24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8awhb:+TvC/MTQYxsWR7awh

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

lumma

C2

https://https://t.me/pizdenka202020/api

https://lepidobdkn.digital/taj

https://narrathfpt.top/tekq

https://escczlv.top/bufi

https://localixbiw.top/zlpa

https://korxddl.top/qidz

https://tinklertjp.bet/nzaf

https://diecam.top/laur/api

https://citellcagt.top/gjtu

https://witchdbhy.run/pzal

https://battlefled.top/gaoi

https://https://t.me/vstalnasral555/api

https://runtnwq.run/gajh

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/sendMessage?chat_id=6299414420

Targets

    • Target

      2025-06-04_6b33bc642d24fe996125371994832c47_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer

    • Size

      938KB

    • MD5

      6b33bc642d24fe996125371994832c47

    • SHA1

      99ee62f4bcda44ebcd950239e03bba3735c1b312

    • SHA256

      cca14067a4f5185e420b24fd7339ff4437ac1a89669d97f1bbbe91b2999289f0

    • SHA512

      f63a419f1aabc7c4985d2439b426cc4075291acf812313307972e7f3f26f33b8efe3febdd08c2bc0e8af623302ae59b73a812d0de6f4b8646776a7b74045c2a0

    • SSDEEP

      24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8awhb:+TvC/MTQYxsWR7awh

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • XMRig Miner payload

    • Xmrig family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks