General

  • Target

    quarantine.rar

  • Size

    139.6MB

  • Sample

    250803-1cjjvafk5x

  • MD5

    c17908fb9afbb5e88acb348e20d81499

  • SHA1

    ef357a12b0146907a3a719f3ecec83a86d47906a

  • SHA256

    7093bbe38a03cddeea9caf9dfc49943b6c2f1799963ee99a274d406c6f49ab82

  • SHA512

    27dce60ad1657b02cdfb78c0b2f3a32c6b375db35f6a906cce590ea864f0334c398b9a59caecd873aa47bf36abb34cf77152058510b33c8e5f7df87a770d9707

  • SSDEEP

    3145728:CoC+Zu2wf0QfoMpCeg3+ZbaAQPuQ9hqiEtKITPK:CM+Ri+ZbaAUnVEtTPK

Malware Config

Extracted

Family

stealc

Botnet

system

C2

http://141.98.6.181

Attributes
  • url_path

    /4c8837c73f7c4af9.php

rc4.plain

Extracted

Family

lumma

C2


Attributes
  • build_id

    b755bfa47c1ee0187853f050cdc56231c69ef2

Extracted

Family

vidar

Version

14.8

Botnet

048c07efd6c91e25316360e4af132958

C2

https://t.me/dz25gz

https://steamcommunity.com/profiles/76561199880530249

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes
  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Extracted

Family

vidar

Version

14.8

Botnet

c0aea96f5dc5ea23da54dbccbac6de78

C2

https://t.me/dz25gz

https://steamcommunity.com/profiles/76561199880530249

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

xworm

Version

5.0

C2

hexa.dnsframe.com:66

Mutex

FzSIsfqlHwWWhS56

Attributes
  • Install_directory

    %AppData%

  • install_file

    inj.exe

aes.plain

Extracted

Family

stealc

Botnet

LogsDillerCloud

C2

http://weathersouth.shop

Attributes
  • url_path

    /45cc90de006049c9.php

rc4.plain

Targets

    • Target

      1wbVZkk.exe

    • Size

      1.5MB

    • MD5

      2916e444c84a309f1c6242e8c8804dcb

    • SHA1

      dce5636b3532798b72601b1dda64b0d05644f573

    • SHA256

      39f9313b61a51d858cd6c87914ab9750133d81901595ee83d8f722bf21bf16eb

    • SHA512

      e8314df963191cba948b0ccb4732f5fc9a3a7aaee5f1094e970d1cb467ed1bffdfdc6746b283cf37aae0ab44e3ce1a912f61cf6343bd17e1c64b06ec8f4691dc

    • SSDEEP

      24576:NesrWUQrhUwjfSl37m9HH+/O2aAB7gj21vs86zQf7auWNjG6MbxEzfLXww7NmXR:HarhUwl9H8Hkwt6zQGuWZG6MlczAwReR

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Target

      4774321123565.msi

    • Size

      65.5MB

    • MD5

      4731557680c16f596a82754f4eb4d089

    • SHA1

      3c0ffb29d6354f97642adf3f830f49edbc77b55c

    • SHA256

      c6f46fe74cafd8f5e1d06ac29e8bd2245f2fd5b529cd0205bfa7b7f94c48ee9c

    • SHA512

      cfd55f1c782f1fdd79b2932b703d405dc787f8b96f2c6988bc81f92d0c9198e37aff68f890a3e0a0528adc07bc1bbfdefd33337bdd36e014aa590ffd4f02409d

    • SSDEEP

      1572864:zhTkzFjmr10gAp5b9SDCqubL6frD0wsZ3O2QnywKte:z65j9vvb91o30wsZ3wnyBe

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      66OZJb9.exe

    • Size

      2.6MB

    • MD5

      8abb917fb086213581c20a177115ca6d

    • SHA1

      2fca5d9d27f619eb347d90f41db85573be2b23cd

    • SHA256

      83b0358b39a8feb433b10a23a24dc8357aeaa82c02410ab3c736f329b26eed75

    • SHA512

      ab37ebb60f9181a3a74df490a0e8c0d42272605b26baf22f01e93ed33369312400d02703d44204a58ee694f89b877348a0136569e1bb8035b53b439322c45bc1

    • SSDEEP

      49152:ART8xrC4yovNCG/D0A/qkz+5v/kQ8htSEY:mT8xHYGl+5Eg

    Score
    1/10
    • Target

      7822801754009107.exe

    • Size

      825KB

    • MD5

      5ea006803bba64c15fe68791a8db5005

    • SHA1

      f10dd374c76e194c8b7e0381a80db57281a1e77b

    • SHA256

      7b232254d4b4be67111e92f5c2e34bc331403393c2d019b31e256ca7d798cd08

    • SHA512

      abb8a1832786925e65fb51560b0c37eaca550b76208d72d7830e0ecf467d4e601b8259deee443bc55c992736d47afddb9f2aaf20b72ea8e52173fc3e2f17481a

    • SSDEEP

      24576:R3pUDihK+O9H9d7TW9qJuoj3wwU7FuGOeYt4xzz:J2iKZnd7TWsJVjA1FuDcz

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Target

      ANgR9rR.exe

    • Size

      9.1MB

    • MD5

      cdb8c182b9ea3f50bbcb2466a1ab8fca

    • SHA1

      4059d1cf3c4c4f19e2ff91e9f8eb9d4d24ca37cb

    • SHA256

      804a1ffd65f960a6496e7bddece38105885b49cdebab4cfe42a4e0e1ac2d3c45

    • SHA512

      511db6f1502fd599052e760fe5049c89e9a223f6ec58e63a608b3722a6e0c4c2514766820b65d50fbded9bf4b3305a2e990c56576546fbcde7e45c4223823ff5

    • SSDEEP

      98304:2+y1oeWpK+1u48LY6sf4mn6za9GQv3LdDBpqYWV/VVYQHmvjxsKZStlio02:2+y1oeWk+YdsaDc/5KlTt

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Executes dropped EXE

    • Adds Run key to start application

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

    • Target

      BLMI6Vt.exe

    • Size

      5.9MB

    • MD5

      18f61fb41cb22c02901f8da15b337530

    • SHA1

      5fe5ff8914689b57485c83393d001e6958e4df96

    • SHA256

      565ba37db962f10ea77fab2be20b5d65672a72c7bbda35cf5538a236a3f63337

    • SHA512

      ec3b688d9c93a571401b813ab4bcfab399f551194f3a339c7f6b4da25e4c5e73334034b23398a9922e2564d3fdd56576a77883f4e58a68a2de250a44faf26678

    • SSDEEP

      98304:KkUgq9FJJbgkI4UtB10wkUgq9FJJbgkI4UtB10H66pmTrXxXStZOruS70bnII:Kz3gkOt3z3gkOtC660rzuS7eII

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ByndWFN.exe

    • Size

      3.6MB

    • MD5

      f009ae83feb420c47ef346008b3ca475

    • SHA1

      6ed0172df9dcb7e583499fddcfe046527265c049

    • SHA256

      921815985f45f0e1fde6f90d6d192311791d97c2fc646d1e713e1d1cb2591415

    • SHA512

      d98959627e690ba91afbc9a712e71287703c1b08cc160a949465fec4b867509b85e727099a2225770bc9016b543794c0b5eb213ba9936bd523ebc1392d6fda12

    • SSDEEP

      98304:MJ174y1k/idOS+ckqU6hK3e3/rqZ24bPCNlAiGzZ7:G1vk/zTck361vu0NqiGzZ7

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Asyncrat family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Target

      E8L2DeA.exe

    • Size

      2.0MB

    • MD5

      60d848309aaa2d6d9e4db4c7ec962e96

    • SHA1

      fdd6360afe6fc42db6511c249dc41b7772d1803f

    • SHA256

      64de8a72d2466f2dd7111fed4668e6a0f6eaf075b744f07b68be78324aedada7

    • SHA512

      fa4ddeb0a4d9664b141d6467701efdda3eb70f736ed6004017e7c51c705144a3f15b2ff196495b2620550007dad3c5063dd302d637bfa72d34ff3f7c9ffb31ff

    • SSDEEP

      49152:UhTCFkGtB8C7FbIWAxsbSF9qCvnsAoG4AagsUcr:Uh0rBTsF9zvnNffcr

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

    • Target

      G4gtDRI.exe

    • Size

      2.2MB

    • MD5

      a534782b2e6a654da9790ef8a4424f99

    • SHA1

      acfd307e57ddf260c2ddcdc90f1cc814190b1018

    • SHA256

      524a74f9c7e94b4a2b944a09493e31c2824bb2918a8b1ebfa2a760e3fdf1dfd6

    • SHA512

      c86b98ff416eb06e59797758548b39863f5a4c4ef687966f7ac0271348d874157e8d3775d6ec1825c572363413638e2a157044ef2c191e43e567187d8ba977f9

    • SSDEEP

      49152:1hTCFkGtB8C7FbIWAxsbSF9qCvnsAMOmqNpeU:1h0rBTsF9zvnNMOmqn

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Suspicious use of SetThreadContext

    • Target

      LXkGFUT.exe

    • Size

      2.4MB

    • MD5

      d24ede505e02ad770880e44224fe5f47

    • SHA1

      6691d03c2d30b7fd3213f2f15f361efa02d1ef46

    • SHA256

      1ff9694c0c8b60ff6bef904d9f002b7ce4a27563be57b550a6acaca5f83f9dc3

    • SHA512

      6d2d6111e147ab49ec603a71fd717dd79fd4eae1b2a6178359aa6a71191ce2319e060a69f43188116be54d04d1dab71302278c689b2abd341f492c452a50956a

    • SSDEEP

      49152:OhTCFkGtB8C7FbIWAxsbSF9qCvnsAPoO5tF3S5brxn:Oh0rBTsF9zvnNbrF3Sj

    Score
    10/10
    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Suspicious use of SetThreadContext

    • Target

      MissedScreens.exe

    • Size

      1.0MB

    • MD5

      fb21a54676498cc1dc015087115f4b19

    • SHA1

      bab68f7addef92be0246fbd71bf19342cdeb8215

    • SHA256

      4c7ca365cc180460ba51c1b7bb5e9a990b5b80e8151090be1f916b973178e956

    • SHA512

      3154a9d9e2b759888b3249073c8b663203884803cc263ae77e407b88e1addb0cb10544be1e66d2922880c390bf40595dcae58ebbe16686b328c85ad62f4bd75b

    • SSDEEP

      24576:ItY3pa6IBfWbdaQ3V2MjXqSqSke3OC1EADrTJGXqePaOicGNamGa1JP:5phMWRaejXnrj6ADJCqeinOpq

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Target

      NylfeKX.exe

    • Size

      2.5MB

    • MD5

      e2a7e0f883399b10afffc3154222e940

    • SHA1

      d7e8c9744adab158a2923e268fb24454c36983f6

    • SHA256

      5ec6b3c4729d44eb7e7efc05f66bc5f465a91c954e19cb9e144b5476c1cdbd95

    • SHA512

      8242329516c2c609c0754e1da3dfe6bb0b3d37472d7fdbd0f5ce61edd7e2c120b9424e435023db0be91a5f62eb0a13b1ddb208b09f08aac9c4062d264982df4d

    • SSDEEP

      49152:nMaQs3+eyx0gnhdNBBqVpzZOBVon/FdM7OViNvVxxx+d+S8BQOkHD3+tl:7seyrd0qJ

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of SetThreadContext

    • Target

      OTIWCUm.exe

    • Size

      653KB

    • MD5

      cba69e9fc5ae9a6504d2be6836e79d6e

    • SHA1

      6c934508963c665e9d1a7d582e8e16088d90ef0d

    • SHA256

      c5dd750bd4bbbad2ad935ee7533bbf369da0ca85fc72af62d1e4639134fbd47e

    • SHA512

      95663768273d3cafeb8f89fef701f57a933df9d2bb038179aebf649d8f15beffe262fe5665cc76ec64ac244147fbba5caa3be87eb5c8de12fa8e1c568e01d9bb

    • SSDEEP

      12288:iRAcrxjPCr1lhEIAgLMhsFA6IW3UEGdNEqmlrC95ztq:imcrgrXhEIA1QACUVdCqmFMtq

    • Detects DonutLoader

    • DonutLoader

      DonutLoader is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies.

    • Donutloader family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Target

      RenT7Wg.exe

    • Size

      2.9MB

    • MD5

      6324d8dbdd20dfaf29eec1bb89ac24ce

    • SHA1

      bea0c0e65d5ab280f808cdce41c357cc5d63b270

    • SHA256

      9403483ce844b8392bc6e3251c206a23b08c107692e2a9e6639fb2c4aac9d818

    • SHA512

      1a1ee55ebc94191e55609dc7c94764a1c70b86629257ac31891035731c3711f4a209d174e0167d1892524c0ca5ceef360e86de32aedf839099548e9b654415b6

    • SSDEEP

      49152:If1nWgHSrSE3Vgyd01IK1qcMoE8HPBlmBXd8EMKlfiEMKlfM:I1n2rSEFgU01IU3PBlmdRMKlfFMKlfM

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of SetThreadContext

    • Target

      XWTpdSO.exe

    • Size

      14.4MB

    • MD5

      9150bde0969203f935c2ae81135e4764

    • SHA1

      4c3abf891dcb065037fa9a6efb4967edf64196c4

    • SHA256

      18cdd5c10e889950e068591e866b80a28a3fef7e0b97274220bd4d481cf08842

    • SHA512

      3facbdd89e6a88e4cc21ce28abd13e82a7218df82320ede8d0531045a1ea074ef31c03620e70e714502a7165a0c7ec33b67848c35409ed5b5a620ec51e8fe6ac

    • SSDEEP

      196608:mEsdHcCi/UR4JITS+NBVucIfq123b8geEoo3YNr2VbQGmvYs5gtT:m18p/URdNaVfqb4bIJ2VbQGLs5gt

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      YT1For2.exe

    • Size

      2.9MB

    • MD5

      e5ce3951f82531943d68b4eb1a8e13c2

    • SHA1

      c761a375ba038cc5e59874a0039cd9fa3c92f522

    • SHA256

      01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b

    • SHA512

      3b920601e61b9860ba80d98bc2f5ace2a2ed0be0c8f361c323c9494c965ce908f5699e1e2ffb3e0b34aed399bee074f9bd0c23ed62bce86fae6c5a3a86a705cc

    • SSDEEP

      49152:rd7H1c8dtr3HCxuZ4zNXfbLLZULEPSP3TGZL:rd7Vc8dtr3HCsENXfbmPD+

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detects CyberStealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      addon.exe

    • Size

      5.0MB

    • MD5

      dfebae0723785e459af1b215894f9cad

    • SHA1

      bfb0d7379fb582e9ca9d0561988f085f884b1878

    • SHA256

      75bdf61a7b2f8e0a5d8c19a9444fc28c4b6a622c284dba09ecc4a12fe3add107

    • SHA512

      bd85b7e008074799753646366da4b4f6ec82534c21bc077eee8f26bc29c534871e7a3fb4f8312f5040c1545110ab8312edbe1bb3e6ed49effa740d63b3656632

    • SSDEEP

      98304:sfMG2apJ57gyfIcGaz74lSptB2EH/GWboelM9ENwjUP5+fedH:s6OQcGazKSJ2EH/pdieiRmdH

    • Disables service(s)

    • Modifies Windows Defender notification settings

    • Xmrig family

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Possible privilege escalation attempt

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Modifies file permissions

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Target

      addon2.exe

    • Size

      88KB

    • MD5

      40367f463be9d1f23dd8911416501c07

    • SHA1

      45961dc939761bcfe691c8a1d8ae8f25b45f2414

    • SHA256

      d5ef6d909de11f6551bdb6dcc9dcaec52052ecbeb74306090976764a19a005b8

    • SHA512

      3c2ef5b2dd3264c5778ed188d4fecfd6a129b15d2bb13020f7f77d3f7e585e7570deec6236fb0f3c17f5c3bef0e81defc26ccd9ac3249047510aa3b17b2d9893

    • SSDEEP

      1536:/jgXAXCl8L9DJ1qRbhYJPVe0EP5zN/80XhP9V:/jgXkC4d1wbhYJPVe0EP5zN/80Xh3

    • Executes dropped EXE

    • ConfuserEx .NET packer

      Detects ConfuserEx .NET packer.

    • Target

      asdf23.exe

    • Size

      2.9MB

    • MD5

      bbd4e99043070958d60ad5a420784340

    • SHA1

      b08212ac93b791f3b36d14d1e26a1a524c45f8fb

    • SHA256

      6c3d08160b73465975aa415810a8bb73584eefa335e9828a380f63120e33732d

    • SHA512

      57c64fe80d547c2052dc705f001a8311d1fdbf13b4eb664cda631df6146fe1c17ca44d00075deb0859435a3ec66565dba4d67ae208636a8d3ccdafbc990b2d8c

    • SSDEEP

      49152:Sf1nWgHSrSE3Vgyd01IK1qcMoE8HPBlmBXdFj3VPLIpGK7j3VPLIpGK8:u1n2rSEFgU01IU3PBlmdB8pnl8pn8

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of SetThreadContext

    • Target

      beenofav.exe

    • Size

      5.1MB

    • MD5

      a6c4d382d5770baee2a38856e23f009d

    • SHA1

      602df9a98bec13b264e304fc385195c049f7ff1b

    • SHA256

      559a02d646440f445d294b92135b1c5f2679fdfdea393a546daef48da74778c6

    • SHA512

      214a2645422beb8cafe055561bbbfd19c2003888a5054cabe154b42aa01c61358e0b5fcebb43dfdeab28406c23f90b63fb4af9850fdfe24e2b7e095856adac23

    • SSDEEP

      49152:KFFz8dc2C+OWckHl7+S/ZM82pZmNbbF8C9rXnJZowVEFXi3dX7OIyEH7gzN8WKmq:KfaKDZmU8SFKH7gzNbc07vTupv

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads ssh keys stored on the system

      Tries to access SSH keys used by SSH programs.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Enumerates processes with tasklist

    • Target

      download.exe

    • Size

      3.1MB

    • MD5

      f4be2c32460d8da27064d9248a43f8ef

    • SHA1

      bac01a3083b51acfa6ce2c3ed465899ece4c8ab5

    • SHA256

      61ac11057cea39a92465c3cb3ed7aa1e73a396d16b546b1e1a7f7a9fa0672f5a

    • SHA512

      09f5e52f75d16ace52b2c61c1c7e27c562af3c3443e6e4bb3439e1b718d7258e3cce563bb712e56b375a44468f7144a99ea373d651ce1e178026dd6db5e4aaaf

    • SSDEEP

      98304:cJ3La1r2yp6SGDUEr675PAFNiNvCgpzmIQH/GmejtcHj:iKrMht8PAFcNKhIQTe5c

    • Detect SalatStealer payload

    • Salatstealer family

    • salatstealer

      SalatStealer is a stealer written in Go that takes screenshots.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      it4pKAE.exe

    • Size

      1.8MB

    • MD5

      9f3099886dbae9aed0f97a4c158a9ae2

    • SHA1

      28988a0ffd7aee2f2d65e6b568b9a91e3554326e

    • SHA256

      0bfdfa05249c3c0e41ee54ebfc41b2b1937fc70c6a5afac39f880a9f27f948e6

    • SHA512

      e89b42b16520b30f4c29cda53f34692acba42d4738ed08be10ca4d28876778ac2261f4b8ce4401524c301eda986073fd8e348364d1e49fba2487bfe1f375a82c

    • SSDEEP

      49152:MVZ2FTvoqTUbGz9GbI32k0wZs0d6FkVnNJTNg3rbRbP:M20N06FkVnXxA

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      max.exe

    • Size

      3.4MB

    • MD5

      6e39393234411caaad0534ba8f6bb442

    • SHA1

      eff8b625e0af1723d384b976d527f26ae7308736

    • SHA256

      c028368451eaf98221b52f208b14b779834286c186f0e161c0987f035089737a

    • SHA512

      380e7eca35346b7af4b8729d3db8910150ef210c90cc09d89656a06a25ad727dfdeb0b7b4f1254d8b3b88a0918313002fa91a5eb59bff079868d0070c41940c0

    • SSDEEP

      98304:I0QhdHodJ0/o7Uc28hbOCFHlt7M0q9C+uSNpGQ:xKNSi/9c2Kq0gN8Q

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Socks5systemz family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      nIh80ko.exe

    • Size

      3.1MB

    • MD5

      fd5fb0f0bbaf8fa2428fd448d548cc8e

    • SHA1

      ebc7d6dbb1f5b6b2145b9f09b59935ef5b29ebab

    • SHA256

      d8c3a11c8dcf88acb82fc8b5f115a58c5c2506a82c0c23223f3b8fd26387db7f

    • SHA512

      789bee8f2ba2c4e0225f84d5b123b710f182b439ab3af88d398dfd4cc43f1968b87e0d82b0ae9d045c4ce17a4a2ed346c23576d34a93ec976fa123f71a3f9487

    • SSDEEP

      98304:lk6Usu3jXx+e/3F4VpaNHOIfAEiCY8DQ5aH:WLsuTUuqVoygQEH

    • Detect SalatStealer payload

    • Salatstealer family

    • salatstealer

      SalatStealer is a stealer written in Go that takes screenshots.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      not.exe

    • Size

      21KB

    • MD5

      927a612a91e7584987585deb6c1b149b

    • SHA1

      3e018f009f560736aa39a95f32411526ca3b453b

    • SHA256

      85aca151f0faf9b0ccb54a242b6fa4587ad4706d67121aec520a7e445226f31d

    • SHA512

      d382b4f71ccd196f0cab74fd9506a4060092cf9625e09f0f1b07bed12374594121eb13dcfee5fe2ccd46e6e257820e5beedc1c23666f10386ebbfc1f28a62e71

    • SSDEEP

      384:S7XYDA6KmxcV6lp4fcV2o3Y4bjbEohGkSPwAeje1eOLR57zQccp04yvfVT:e6KccVsp40p9jnEkkkqR5gpq7VT

    Score
    3/10
    • Target

      photo_2024-10-04_01-02-07.exe

    • Size

      12.3MB

    • MD5

      e9f9d21c885fbd6fd1b505bb5a29fc94

    • SHA1

      565d12f0f271221bf4d588a5404919045eb231cf

    • SHA256

      78e22d9b8b259b67bff21d4bf23ad13c5956b7ccba1da8bc7c7de99d46d5945a

    • SHA512

      64700afa4ceb9bd8dbe3ddd846ce7a691e91c5d5277e3d815008b58eb6ae2043377b110960a460f670baba248f426a51c1a3a0ace9cf0c2ab7b984d6061bbafb

    • SSDEEP

      393216:Ki/z1LF9dM/ISGL2Vmd6my0Gzaj1raxbWO4SsuP:Ki/RpT6ISGyVmdaE1raxbW6s

    Score
    7/10
    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      pic19.jpg

    • Size

      5.4MB

    • MD5

      d9986ca8fe6b3d6518cd2b73480c7135

    • SHA1

      125f612be0e3e2897fb9a39de1cac079c2f7d2cb

    • SHA256

      07be062cb448e8b62a8c424fc9c744d066f561e3873610f0ce9ebf5b87af912d

    • SHA512

      4375c0ca44f062030d5a24b8f9225a8ca97b8bb0ffa48fdb4af0c61af792c27fa21ee59539458402b95d5120f045f29815a82b432e437b50b57ee479cd1a5d65

    • SSDEEP

      49152:vSF80cJ9COm5F1xNrXVKLnrHzUNy6IXdaIwQDOcLfj+urDmXL3ZB0SdT4J5Yx1NH:mxh8nrNNXjLAbT4DNXrhTbK

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      promotion.exe

    • Size

      189B

    • MD5

      c9f6f82c0b1e2d6eb40294f876eac55e

    • SHA1

      abe89f9bfb756bbdfb2f535420e10bb5625eb4e2

    • SHA256

      9dcc361cf979ea9471e1076ab30724c665229614d2d7432dfe9127c8b6d3a443

    • SHA512

      c9ad3aa05ef29513c47732c46f626674f9b55d9b3b8bd8ce2699b17e4ab02d07a2549505024e1031feb286d92ac4affbdbf8fad07a4b849757c0a62efb535b93

    Score
    4/10
    • Target

      random.exe

    • Size

      2.1MB

    • MD5

      f0fc10f1f4491b858f6ddfdd774d1ce4

    • SHA1

      480bbb2601dce53b73d6aed030290c1263246b36

    • SHA256

      bd6203904057f6b8148fb59d539acd100ef914bda8f15423a8d69634d03312fe

    • SHA512

      12815064fd800e2e86045b8a13700321abb80adf284af00c6117b7992a380f0d3bbf3105552c83cb9515222bf61f6aaf533e9f0c4683f11f24c9062b60eebc41

    • SSDEEP

      49152:IBJaTpc8iYMUCYcY2NcZYJS+d1VP/S+Yn9WRGsX7Ib/mlk:y8TFMUbcH6Gfd1pUn9WRGXb/n

    • Target

      tnhNZxh.exe

    • Size

      2.0MB

    • MD5

      3551e6c1d65234ce52618b886e116606

    • SHA1

      ce52244ff3ca7ca8b4cc93fa2513bdba2631afad

    • SHA256

      61f37ca7debfeee417ebb8dedcae63e5eff966d216dd8c670e7e605c2caf2713

    • SHA512

      020be19bb78389dccf6226116203e0c00160690475407b179e2c75af4d4360679bfc703259f35cfbc4dc2911b882b161428d991dc4d8170aca9f4c6ff6976ff1

    • SSDEEP

      49152:UhTCFkGtB8C7FbIWAxsbSF9qCvnsAoG4Aagstr:Uh0rBTsF9zvnNfWr

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of SetThreadContext

    • Target

      yzymFGo.exe

    • Size

      1.4MB

    • MD5

      1a80d9a4f3d4e50bca7ef1db2941a889

    • SHA1

      12f5c46fbfca23c37e97fff028aa4d0cd1ee2fe6

    • SHA256

      f1d54cac98e1453caa61f3584d125756238f57a8945149006684dca0a704aeed

    • SHA512

      773471e5da84098a94c4e2c1fc7959e5a463833740b56f198486c584db455aff3ee373086a6086f35af23b68a12305b9646caba78e8ef536bb4f506e018bd64c

    • SSDEEP

      12288:2IbroRBKgWOLHmffUyl+dZbHa5Sh1jBCgnh0nKWxD56:29R3WOLUf6dZ/jBCgnhzWt56

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar family

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of SetThreadContext

    • Target

      zu3sNjZ.exe

    • Size

      1.7MB

    • MD5

      e1e5ab289f986ffcb864fb862511077e

    • SHA1

      63deb7e6e981c5aa44d09de1cf25697ed6ed2ff8

    • SHA256

      08ffac6df72f6f321867bdc670ae336023402db74a327bd82bfb0e1012f7c571

    • SHA512

      34153c98bdbadf9e6b576d08474b2b18e99f7f17b3e0d62fe36b90111fe624783accf28be2b743912a2c3e1c7cf29339aa23fe4986c1f2560d1b7d95f5013596

    • SSDEEP

      49152:ElFF7anP/6ctv7iZWaCRsUeR2uhS9dRwPL:ElTm/VtDOIGUbISXOP

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks

static1

themida, upx, pyinstaller
Score
7/10

behavioral1

discovery
Score
10/10

behavioral2

persistence, privilege_escalation, ransomware
Score
6/10

behavioral3

Score
1/10

behavioral4

xworm, discovery, execution, persistence, rat, trojan
Score
10/10

behavioral5

xmrig, execution, miner, persistence
Score
10/10

behavioral6

discovery, execution, persistence
Score
7/10

behavioral7

asyncrat, stormkitty, discovery, execution, persistence, rat, stealer
Score
10/10

behavioral8

lumma, discovery, spyware, stealer
Score
10/10

behavioral9

stealc, logsdillercloud, discovery, stealer
Score
10/10

behavioral10

stealc, system, stealer
Score
10/10

behavioral11

lumma, defense_evasion, discovery, spyware, stealer, trojan
Score
10/10

behavioral12

vidar, 048c07efd6c91e25316360e4af132958, credential_access, defense_evasion, discovery, spyware, stealer
Score
10/10

behavioral13

donutloader, collection, discovery, loader, spyware, stealer
Score
10/10

behavioral14

lumma, discovery, stealer
Score
10/10

behavioral15

Score
6/10

behavioral16

cyber_stealer, defense_evasion, discovery, execution, spyware, stealer
Score
10/10

behavioral17

xmrig, defense_evasion, discovery, execution, exploit, impact, miner, persistence, ransomware, themida, trojan
Score
10/10

behavioral18

defense_evasion, execution, persistence
Score
7/10

behavioral19

lumma, discovery, stealer
Score
10/10

behavioral20

credential_access, defense_evasion, discovery, execution, persistence, privilege_escalation, spyware, stealer
Score
8/10

behavioral21

salatstealer, defense_evasion, discovery, stealer, trojan, upx
Score
10/10

behavioral22

Score
6/10

behavioral23

socks5systemz, botnet, discovery
Score
10/10

behavioral24

salatstealer, discovery, stealer, upx
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

persistence
Score
7/10

behavioral27

Score
6/10

behavioral28

discovery
Score
4/10

behavioral29

defense_evasion, discovery, execution, persistence
Score
10/10

behavioral30

lumma, discovery, stealer
Score
10/10

behavioral31

vidar, c0aea96f5dc5ea23da54dbccbac6de78, credential_access, defense_evasion, discovery, spyware, stealer
Score
10/10

behavioral32

lumma, defense_evasion, discovery, spyware, stealer
Score
10/10