General
- Target: b20a88cd5200d6c4c5411a1f9454cf7ac5b1476cd06c7220da1d0aa7892d9a53.bin
- Size: 938KB
- Sample: 250630-yxwc2afp6v
- MD5: e35bf575acaed04a46be1cabe25605a3
- SHA1: 2da2a01accdcae69fafe0b272d17a7e79acba428
- SHA256: b20a88cd5200d6c4c5411a1f9454cf7ac5b1476cd06c7220da1d0aa7892d9a53
- SHA512: 7b44b25ecbc9066be289998d891d9e0529d662ae77874533e8a808cec4b8fdc2a21a0f6c5abd68f4a59d27c0296796aff4a6e2ff7ca3c5b52843d7332ddf01c9
- SSDEEP: 24576:wqDEvCTbMWu7rQYlBQcBiT6rprG8ajaA:wTvC/MTQYxsWR7aja
Static task: static1
Behavioral task: behavioral1
- Sample: b20a88cd5200d6c4c5411a1f9454cf7ac5b1476cd06c7220da1d0aa7892d9a53.exe
- Resource: win10v2004-20250610-en
Malware Config
Extracted
- http://185.156.72.2/testmine/random.exe
Extracted: vidar
- 14.4
- 5838abba2c7ca0756153b41aab8534b5
- https://t.me/q0l0o
- https://steamcommunity.com/profiles/76561199872233764
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0
Extracted: lumma
- build_id: d488cf6547f510dbfa48b6ad20c64a73d20aa588797b747694
Extracted: xworm
- xw.lnpntkd9vth0tup2.rest:8080
- Install_directory: %Temp%
- install_file: tmp7RhMxl.exe
Targets
- Target: b20a88cd5200d6c4c5411a1f9454cf7ac5b1476cd06c7220da1d0aa7892d9a53.bin
- Detect Vidar Stealer
- Detect Xworm Payload
- Lumma family
- Vidar family
- Xworm family
- Blocklisted process makes network request
- Downloads MZ/PE file
- Stops running service(s)
- Uses browser remote debugging: can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation: adversaries may obfuscate content during command execution to impede detection.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Modify Authentication Process (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Modify Authentication Process (1)
- Modify Registry (2)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
Credential Access
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)