General
-
Target
2025-06-04_c68a0e0fa5c26947223f03501412ba23_amadey_black-basta_elex_hellokitty_luca-stealer
-
Size
1.9MB
-
Sample
250604-t2yxhafr71
-
MD5
c68a0e0fa5c26947223f03501412ba23
-
SHA1
684e1addbb3e6aaba9303f2ea9715c4c19f0b0fd
-
SHA256
8eaf2715a147bfb209e3183d6257f9697f12d5530dd4dbcd0df2d99bf62d5c2d
-
SHA512
591e1fd43bf77659e5e6e372d2747ea02634ef35a42dfb4534ec3c8e171739da527e340b739d6eff3572664e2af724591735735310f7a7fb38f8aa08be0c2162
-
SSDEEP
49152:cYWSi3tFzuCX3QGHn2L30FGcqKJTeUBfSp:ZWSQQGH24FGcpReCap
Static task
static1
Behavioral task
behavioral1
Sample
2025-06-04_c68a0e0fa5c26947223f03501412ba23_amadey_black-basta_elex_hellokitty_luca-stealer.exe
Resource
win10v2004-20250502-en
Malware Config
Targets
-
Detects Mofksys worm
-
Modifies WinLogon for persistence
-
Modifies visibility of hidden/system files in Explorer
-
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Browser Extensions (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (7)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)