General

  • Target

    bca5ec22f6d485bee681dc4257d0fe88e085017a984d35e0618730b5e413958a.bin

  • Size

    938KB

  • Sample

    250701-jqlspa1zgy

  • MD5

    e592539dd8aebbd1a37f08f716387615

  • SHA1

    5bbd6b6d843ff467cc6fdecf20243fc2428a64f3

  • SHA256

    bca5ec22f6d485bee681dc4257d0fe88e085017a984d35e0618730b5e413958a

  • SHA512

    399d1d7c1e91e7719870a81cb631c596542a3ab158e4b7babbfc706b1539fa19f06c831c66fd350544752286651437b36c81933b7222d01c3f7c8cea46357603

  • SSDEEP

    24576:DqDEvCTbMWu7rQYlBQcBiT6rprG8aHuB:DTvC/MTQYxsWR7aHu

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

gcleaner

C2

45.91.200.135

Extracted

Family

lumma

C2

Attributes
  • build_id

    e3f28ba146ffcdaf867dab6c13fae9d3414e4138ab

Extracted

Family

vidar

Version

14.4

Botnet

5838abba2c7ca0756153b41aab8534b5

C2

https://t.me/q0l0o

https://steamcommunity.com/profiles/76561199872233764

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0

Extracted

Family

vidar

Version

14.3

Botnet

0563f7b7ace99077cac73375f6f7cbf9

C2

https://t.me/l07tp

https://steamcommunity.com/profiles/76561199869630181

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0

Targets

    • Target

      bca5ec22f6d485bee681dc4257d0fe88e085017a984d35e0618730b5e413958a.bin

    • Detect Vidar Stealer

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Contacts a large (572) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
