General

  • Target

    UpdateClean.js

  • Size

    5KB

  • Sample

    240425-1vdfjsff4x

  • MD5

    d6942e22893e95deea7bbe9d9f9e2a94

  • SHA1

    4d002c2b134d52d0ce8a6715e1ab75b4dd36d4d9

  • SHA256

    b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad

  • SHA512

    b1969093839283c68928bd38f8ee0788d85ce71272e18e59316897b223b6d94178464360d7d0e204bd78ea315bfc452607f22a4fbc30686c8439f125124d3b80

  • SSDEEP

    96:rBup4W/ul47KmtSzemZYSBTJABlaxVRo/JR3Ui7RDqG1+qnA++B+k+++8H+e7it5:rBu6W/N+qS1ZjJAixVRo/JR3N7RLr+ru

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (ps1.dropper)

    http://77.221.151.31/a/z.png

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs (ps1.dropper)

    http://77.221.151.31/a/s.png

Extracted

Family

bitrat

Version

1.38

C2

77.221.151.31:4444

Attributes
  • communication_password

    7b13ff385b95cf25d53088d6b7c5d890

  • tor_process

    tor

Extracted

Family

lumma

C2

https://strollheavengwu.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api
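The extracted configuration above is most useful once it is turned into something that can be run over logs. The following is an added example, not part of the sandbox report or of any tool it names: it expands the dropper URLs, the BitRAT C2 socket and the Lumma C2 URLs into URL-level and host-level indicators and matches them against a few constructed proxy, DNS and firewall log lines. The log lines, their timestamps and the 10.0.0.12 client address are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the extracted configuration on this page.
DROPPER_URLS = [
    "http://77.221.151.31/a/z.png",
    "http://77.221.151.31/a/s.png",
]
BITRAT_C2 = "77.221.151.31:4444"
LUMMA_C2 = [
    "https://strollheavengwu.shop/api",
    "https://productivelookewr.shop/api",
    "https://tolerateilusidjukl.shop/api",
    "https://shatterbreathepsw.shop/api",
    "https://shortsvelventysjo.shop/api",
    "https://incredibleextedwj.shop/api",
    "https://alcojoldwograpciw.shop/api",
    "https://liabilitynighstjsko.shop/api",
    "https://demonstationfukewko.shop/api",
]


def build_iocs():
    """Expand the config into (kind, value) -> set of families.

    Every URL also yields a host indicator, so a DNS query or a bare TCP
    connection to the same server is caught even when the full URL never
    appears in the log. A host that serves several stages carries all of
    their family labels.
    """
    iocs = {}

    def add(kind, value, family):
        iocs.setdefault((kind, value), set()).add(family)

    for url in DROPPER_URLS:
        add("url", url, "ps1.dropper")
        add("host", urlsplit(url).hostname, "ps1.dropper")
    host, _port = BITRAT_C2.rsplit(":", 1)
    add("socket", BITRAT_C2, "bitrat")
    add("host", host, "bitrat")
    for url in LUMMA_C2:
        add("url", url, "lumma")
        add("host", urlsplit(url).hostname, "lumma")
    return iocs


def match_line(line, iocs):
    """Return the sorted list of (kind, value) indicators present in one log line."""
    hits = []
    for (kind, value) in iocs:
        if kind == "url":
            found = value in line
        else:
            # Host and socket values must stand alone as a token:
            # "177.221.151.31" or "notstrollheavengwu.shop" must not match.
            pattern = r"(?<![\w-])" + re.escape(value) + r"(?![\w-])"
            found = re.search(pattern, line) is not None
        if found:
            hits.append((kind, value))
    return sorted(hits)


def scan(lines, iocs=None):
    """Map each matching line number (1-based) to the sorted families it implicates."""
    iocs = iocs or build_iocs()
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = match_line(line, iocs)
        if hits:
            families = set()
            for hit in hits:
                families |= iocs[hit]
            report[number] = sorted(families)
    return report


# Constructed log lines (proxy, DNS, firewall, benign); not taken from the sandbox run.
SAMPLE_LOG = [
    "2024-04-25T10:02:11Z 10.0.0.12 GET http://77.221.151.31/a/z.png 200 4096",
    "2024-04-25T10:02:20Z 10.0.0.12 DNS A strollheavengwu.shop",
    "2024-04-25T10:03:01Z 10.0.0.12 -> 77.221.151.31:4444 TCP SYN",
    "2024-04-25T10:03:05Z 10.0.0.12 DNS A notstrollheavengwu.shop",
    "2024-04-25T10:03:09Z 10.0.0.12 GET https://example.com/api 200 512",
]

if __name__ == "__main__":
    for number, families in scan(SAMPLE_LOG).items():
        print(number, families, SAMPLE_LOG[number - 1])
```

Because 77.221.151.31 both hosts the PowerShell stages and is the BitRAT C2, a host-level hit on that address is reported under both families; the URL-level hits are what tell the stages apart. The token-boundary check on host and socket values avoids the substring false positives a plain `in` test would produce on longer IPs or unrelated domains.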

Targets

    • Target

      UpdateClean.js

    • Size

      5KB

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Lumma Stealer

      An infostealer written in C++, first seen in August 2022.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
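The "Adds Run key to start application" signature (T1547.001 in the matrix below) is the one finding here that maps directly onto a host-side detection. The following is an added example, not code from the report or from the sandbox: it scans Sysmon-style registry value-set records (EventID 13, using the Sysmon field names Image, TargetObject and Details) for writes under the Run and RunOnce keys, and rates a write higher when the writer is a script host or the value points into a user-writable path. The events, the UpdateClean value name, the SID and the file paths are constructed for the example, and the severity heuristic is this example's assumption rather than anything the report states.

```python
import re

# Run-key locations behind T1547.001: HKU/HKCU and HKLM, including the
# Wow6432Node mirror on 64-bit systems. The value name is captured so the
# alert can say what was registered.
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Heuristic (this example's assumption, not a statement from the report):
# script hosts writing a Run value, or values pointing into user-writable
# locations, are rated above an installer adding a machine-wide updater.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(?:Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)


def detect_run_key_persistence(events):
    """Return one alert dict per Run/RunOnce value write found in the events.

    Each event is a dict mirroring Sysmon's registry event fields. Records
    that are not EventID 13 (value set) or that touch other keys are skipped.
    """
    alerts = []
    for event in events:
        if event.get("EventID") != 13:
            continue
        match = RUN_KEY.search(event.get("TargetObject", ""))
        if not match:
            continue
        writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        details = event.get("Details", "")
        score = 0
        if writer in SCRIPT_HOSTS:
            score += 2
        if USER_WRITABLE.search(details):
            score += 1
        alerts.append({
            "severity": "high" if score >= 2 else "medium",
            "key": match.group("key"),
            "value_name": match.group("name"),
            "writer": writer,
            "command": details,
        })
    return alerts


# Constructed Sysmon-style records; none of these come from the sandbox run.
EVENTS = [
    {   # a PowerShell stage registering the script for autostart (value name assumed)
        "EventID": 13,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateClean",
        "Details": r"wscript.exe C:\Users\victim\AppData\Roaming\UpdateClean.js",
    },
    {   # an installer adding a machine-wide updater: reported, but lower severity
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
        "Details": r"C:\Program Files\Vendor\updater.exe /silent",
    },
    {   # unrelated write under CurrentVersion: must not alert
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # process-create record: wrong EventID, skipped
        "EventID": 1,
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": "",
        "Details": "",
    },
]

if __name__ == "__main__":
    for alert in detect_run_key_persistence(EVENTS):
        print(alert["severity"], alert["key"], alert["value_name"], "<-", alert["writer"], alert["command"])
```

The regex anchors on the full CurrentVersion\Run path rather than on the word "Run", so writes to unrelated keys under CurrentVersion (the Explorer\Advanced record above) are not reported. The scoring only orders the alerts; every Run-key write is still returned, because the medium-severity installer case is exactly the one an analyst needs to triage rather than discard.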

MITRE ATT&CK Matrix (ATT&CK v13)

The number in parentheses is the count of matching signatures.

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

  • T1564 Hide Artifacts (1)

  • T1564.001 Hidden Files and Directories (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)
