Pulse Detail — Threat Intelligence

PULSE NAME

CoinLurker: The Stealer Powering the Next Generation of Fake Updates

WHITE CoinLurker AlienVault 2024-12-17 Modified: 2024-12-17

IOCs

HIGH VOLUME

CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive entry points that exploit user trust. It uses Microsoft Edge Webview2 as a stager and employs a multi-stage chain involving Binance Smart Contracts and Bitbucket repositories to conceal its payload. CoinLurker targets cryptocurrency wallets and financial applications, systematically enumerating directories to access sensitive user data. Its layered injection tactics and obfuscated functions make it challenging for analysts to reverse-engineer its logic.

cryptocurrency coinlurker

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1547 T1553.002 T1071 T1140 T1036 T1055 T1059 T1083 T1102 T1204 T1027 T1573 T1056 T1012

MALWARE FAMILIES

CoinLurker

Indicators of Compromise (62)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	0a0fe5b8b0df295f8ecbf32355ea846d	—	2024-12-17
FileHash-MD5	55dfa074a62def3eb4733078ad504845	—	2024-12-17
FileHash-MD5	601c10036f779d66d51d041db843527f	—	2024-12-17
FileHash-MD5	6079d484d0636beb2d413932ac5a1bec	—	2024-12-17
FileHash-MD5	9f73132fee32e4e0b0f4ef0843abffaa	—	2024-12-17
FileHash-MD5	da881ee6a5018f2c97290440f9c537b4	—	2024-12-17
FileHash-SHA1	5231f97233076af0846590d7d0386bf78797bd22	—	2024-12-17
FileHash-SHA1	5db82ea4080c2ed5a647f6d293b8b8663e77f421	—	2024-12-17
FileHash-SHA1	81c1f12a9f1d817b8f73549c7b5397d82181c413	—	2024-12-17
FileHash-SHA1	a38196d2ddf819920372759cad512434440fc4b1	—	2024-12-17
FileHash-SHA1	deea47ac9a0d58170451691634dd67447d1483fc	—	2024-12-17
FileHash-SHA1	e766d6750f7ca24295dfe985916fa76940a5decd	—	2024-12-17
FileHash-SHA256	0b420a565e5e6f6899ebcb1da2fc162b05f5a8b7bfe0f56f52a085f17abb253d	—	2024-12-17
FileHash-SHA256	0b5fe211d558daa7d54207d2869f53d0a91ae16397343fd2605fd3a0f292dd21	—	2024-12-17
FileHash-SHA256	11cefe96966858c237a3aff132e5c54d0d1bcd343a23b23fcc24735bcefc811c	—	2024-12-17
FileHash-SHA256	15be79b09fa5efe3ca3440a94e436124d97232436af91f64917b7095b559a210	—	2024-12-17
FileHash-SHA256	162e4277a4cb2e3703df74529d83d47b66a5b46b0a93b3ac902b56da3e588fe9	—	2024-12-17
FileHash-SHA256	18f882b6c16641be3899f4e5123d10bb5c448ac7b7dafe7adb6144176acae304	—	2024-12-17
FileHash-SHA256	1f4624c44288f77327ec2e8d260399559b81c7cae442c31311736c2a2ec5f399	—	2024-12-17
FileHash-SHA256	2181c60e8727d5cfe7e713aa9731018168660ad2c96f31b08a729d1503dfc19a	—	2024-12-17
FileHash-SHA256	2198912e1a1f4a5b5f0dfe237b75d264c9be0b5b6f98f83a999117dd194e842c	—	2024-12-17
FileHash-SHA256	269c3b26b215d397f012a20e241c54b2c693667d4f64243ebf8dba1a5872c02d	—	2024-12-17
FileHash-SHA256	2c8f611b0f2c157f010c20379d4fcd725a8c462a8d226ae0095e3e0fb110ddbe	—	2024-12-17
FileHash-SHA256	3048030c0e3ff5e6e45bbb37e75d6e55fde8d77a928958dc34497177e077b69a	—	2024-12-17
FileHash-SHA256	324e1bf24f13d5a8f45cc5ee25d3dfe330a7e755b19901549976f2db02ca4fa4	—	2024-12-17
FileHash-SHA256	397a0f6515a81f307b5289ff3e939a0e01a6c1a0f0515be9844ddc9c6031ad97	—	2024-12-17
FileHash-SHA256	44521e1af289aa3473d7445d097766f1c3f3d8721d14b14ed6d5404994a03eb2	—	2024-12-17
FileHash-SHA256	487156ae20cc6d8e7d922cebe35b197c28ae43134f7e04c5f6bd0f3e164a7120	—	2024-12-17
FileHash-SHA256	6976c3e0ffbbbbb310995e70f24bf9501d017279d865ac4536aee25b316a92de	—	2024-12-17
FileHash-SHA256	7eede0e13ed9990afb465c2f612d85bc10c946dd2419323528a58707cef62899	—	2024-12-17
FileHash-SHA256	80b2950f1249d439105eac421660ddd15caab6de6afce3511f945deef1c0dd21	—	2024-12-17
FileHash-SHA256	8119a59487c6ffe5382c03e3de8c70b2c2e26899b51dcc4794066a8e1f358bcb	—	2024-12-17
FileHash-SHA256	82cc0f3f4aa70a8215b62db7ee9deac1c3d4dd27cde25cf56ec2f82ca7d146a9	—	2024-12-17
FileHash-SHA256	8d61f5b56f05daeef394dbc434abb96c1388aca8406e02445a72db1a65b9da3d	—	2024-12-17
FileHash-SHA256	9116c7878f51e6d8173d41a5a0e63ca16105dac954afedeaf1d5e06594cc4d41	—	2024-12-17
FileHash-SHA256	9374e1561a87a23b12ec586859661241b2eb5da822c0b4b874cdf9eda480363f	—	2024-12-17
FileHash-SHA256	93cc9759d86f8b087b71583f577a5534e975ce9ac19ec3ec140efa6bbfad6bd0	—	2024-12-17
FileHash-SHA256	9a036f20d758107d9434bd3bed682ff7d81393dc9d49fd6fe70d4b549045eaa2	—	2024-12-17
FileHash-SHA256	9c0c9945f81977269542f941c10fa28dbefe91078b6df68e97d61b58318cac9a	—	2024-12-17
FileHash-SHA256	9ea70e081c13c4b0e30b43dd68a6a0e0cfb6926c990bbe8ddedd8d9693c953d6	—	2024-12-17
FileHash-SHA256	a12809c76461d00760bef767c98baf5909a4aed48f2256d3c42eb1ca62835c14	—	2024-12-17
FileHash-SHA256	a3c7b289054635f5239d453fb4be718298037ea6c1f4bf16954af1e9da2a53e2	—	2024-12-17
FileHash-SHA256	a612bca9b5cbda864f4b808992de3d616c67b9120d8b24cbfa8a836ccdde9142	—	2024-12-17
FileHash-SHA256	a7eca930c2aa851cae3475cb4f5d599058816d51e1cc55a82ae976a030794aac	—	2024-12-17
FileHash-SHA256	b761e91e77b67661db51d6b498ea39ccb6f143e51eeee18925a2dc4aab20adfa	—	2024-12-17
FileHash-SHA256	be5e250168d37e7a9a4999d41a77cde19a6ac376a391f602b3496ace307ad0e8	—	2024-12-17
FileHash-SHA256	c643c087c68e51dfe422ddb48614675ab8e6aaecbe5704759c9978ac22b15f83	—	2024-12-17
FileHash-SHA256	c8adb9bf6997a9fa2738a09600a60abc4fb6334aa54b24166cf042afdc5a1064	—	2024-12-17
FileHash-SHA256	cc2f65faf61154815b4fa151d9a27c01a160d7d46398c7e44169949a61c63c2b	—	2024-12-17
FileHash-SHA256	f79c62b820420bda78252197db842eabe63261a4e80fbdcec8d671ce3d0a43ef	—	2024-12-17
FileHash-SHA256	fff7637514c6238443100fbc4d1fef626cebf043eef1aefa3a0f5ab6d0103bf6	—	2024-12-17
URL	http://ajsdiaolke.shop/endpoint	—	2024-12-17
URL	http://dais7nsa.shop/endpoint	—	2024-12-17
URL	http://md928zs.shop/endpoint	—	2024-12-17
URL	http://ndas8m92.shop/endpoint	—	2024-12-17
URL	http://peskpdfgif.shop/endpoint	—	2024-12-17
URL	http://smkn1leuwimunding.com/Updating.zip	—	2024-12-17
URL	http://smolcatkgi.shop/endpoint	—	2024-12-17
URL	http://test-1627838.shop/endpoint	—	2024-12-17
domain	analfucker.lol	—	2024-12-17
domain	paveldurov.sbs	—	2024-12-17
domain	zovik.info	—	2024-12-17

References (1)

↗ https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates