Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog
Common Information

Type                               Value
UUID                               8ed2f116-679d-40da-a215-3c09345faf15
Fingerprint                        e251b59edbc05b3
Analysis status                    DONE
Considered CTI value               2
Text language
Published                          Aug. 31, 2023, 9:44 p.m.
Added to db                        Oct. 24, 2023, 1:13 p.m.
Last updated                       Nov. 17, 2024, 6:56 p.m.
Headline                           Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Title                              Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog
Detected Hints/Tags/Attributes     83/3/59