{
  "name": "MintsLoader: StealC and BOINC Delivery",
  "slug": "mintsloader-stealc-and-boinc-delivery",
  "description": "The eSentire Threat Response Unit identified a campaign involving MintsLoader, a PowerShell-based malware loader, delivering payloads such as StealC and the BOINC client. MintsLoader uses a Domain Generation Algorithm (DGA) and anti-VM techniques to evade detection. The infection process begins with a link in a spam email that downloads a JScript file, which then executes PowerShell commands to retrieve and execute the malware stages. StealC, an information stealer, is delivered as the final payload, targeting sensitive data from browsers, applications, and crypto-wallets. The campaign affected organizations in the US and Europe, primarily in the Electricity, Oil & Gas, and Legal Services industries.",
  "published": "2025-01-20T10:09:04+00:00",
  "created_at": "2025-01-20T10:09:04+00:00",
  "modified_at": "2025-01-20T10:47:17+00:00",
  "created_at_opencti": "2025-01-20T10:09:04+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-20",
    "boinc",
    "information stealer",
    "mintsloader",
    "stealc"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "67.217.228.118"
      },
      {
        "id": "",
        "name": "145.223.100.233"
      },
      {
        "id": "",
        "name": "62.204.41.177"
      },
      {
        "id": "",
        "name": "45.61.136.138"
      },
      {
        "id": "",
        "name": "https://t1jm05fdu6748emu5oon8nix1uk2ogyn.lovesnextmeeting.com/Uswl5JAnXI"
      },
      {
        "id": "",
        "name": "http://mubuzb3vvv.top/1.php?s=527"
      },
      {
        "id": "",
        "name": "http://62.204.41.177/edd20096ecef326d.php"
      },
      {
        "id": "",
        "name": "t1jm05fdu6748emu5oon8nix1uk2ogyn.lovesnextmeeting.com"
      },
      {
        "id": "",
        "name": "xaides.com"
      },
      {
        "id": "",
        "name": "usbkits.com"
      },
      {
        "id": "",
        "name": "tubnzy3uvz.top"
      },
      {
        "id": "",
        "name": "shd9inbjz4.top"
      },
      {
        "id": "",
        "name": "sdubvlbbuz3vzzz.top"
      },
      {
        "id": "",
        "name": "rosettahome.top"
      },
      {
        "id": "",
        "name": "poubnxu3jubz.top"
      },
      {
        "id": "",
        "name": "poeiughybzu222.top"
      },
      {
        "id": "",
        "name": "ohunhebzhbu3.top"
      },
      {
        "id": "",
        "name": "nuvye89bjz4.top"
      },
      {
        "id": "",
        "name": "nubxz4ubhxz9i.top"
      },
      {
        "id": "",
        "name": "nlafhhiffkceadc.top"
      },
      {
        "id": "",
        "name": "ngub8zb38ib.top"
      },
      {
        "id": "",
        "name": "nfuvueibzi4.top"
      },
      {
        "id": "",
        "name": "mubuzb3vvv.top"
      },
      {
        "id": "",
        "name": "mnvuz3gvy3.top"
      },
      {
        "id": "",
        "name": "mnudybh4unh.top"
      },
      {
        "id": "",
        "name": "mbuz73hb7z3.top"
      },
      {
        "id": "",
        "name": "lggknhaffleahbh.top"
      },
      {
        "id": "",
        "name": "lgbibzuehbz.top"
      },
      {
        "id": "",
        "name": "lalclenfjhkinbn.top"
      },
      {
        "id": "",
        "name": "kmaealcfcalhcac.top"
      },
      {
        "id": "",
        "name": "kcehmenjdibnmni.top"
      },
      {
        "id": "",
        "name": "jhubzgv3.top"
      },
      {
        "id": "",
        "name": "jgeeifjnhbledmg.top"
      },
      {
        "id": "",
        "name": "immmjjkndeekmma.top"
      },
      {
        "id": "",
        "name": "idhglmmnaimdhlj.top"
      },
      {
        "id": "",
        "name": "iblaehgffmflamn.top"
      },
      {
        "id": "",
        "name": "hkinuxb3bz.top"
      },
      {
        "id": "",
        "name": "hjbamcnnkmfjbld.top"
      },
      {
        "id": "",
        "name": "gkn33hxueub.top"
      },
      {
        "id": "",
        "name": "hhgiflifcbmdjmh.top"
      },
      {
        "id": "",
        "name": "ghecbjcmdfghfkg.top"
      },
      {
        "id": "",
        "name": "gbkiafbmhbmbkkl.top"
      },
      {
        "id": "",
        "name": "diebinjmajbkhhg.top"
      },
      {
        "id": "",
        "name": "ckahaebgighbngc.top"
      },
      {
        "id": "",
        "name": "ccibchdgfjbhhfk.top"
      },
      {
        "id": "",
        "name": "bnbuzu49ibz4.top"
      },
      {
        "id": "",
        "name": "blclmjamegjaffd.top"
      },
      {
        "id": "",
        "name": "bidjdlegcnincee.top"
      },
      {
        "id": "",
        "name": "anldfaggmdbglen.top"
      },
      {
        "id": "",
        "name": "afglgehgjgjmgdh.top"
      },
      {
        "id": "",
        "name": "adkfnnbmakcgael.top"
      },
      {
        "id": "",
        "name": "midhkalfmddcece.top"
      },
      {
        "id": "",
        "name": "mdinjlkfcajkjck.top"
      },
      {
        "id": "",
        "name": "kdemjgebjimkanl.top"
      },
      {
        "id": "",
        "name": "jjdgdeffjimfgne.top"
      },
      {
        "id": "",
        "name": "jejmbadfmeenlnk.top"
      },
      {
        "id": "",
        "name": "gajaechkfhfghal.top"
      },
      {
        "id": "",
        "name": "feheecfmkmhfiij.top"
      },
      {
        "id": "",
        "name": "fnnkcnemajnnaja.top"
      },
      {
        "id": "",
        "name": "ekbnfghmhcaldid.top"
      },
      {
        "id": "",
        "name": "dckhgjimeghemhl.top"
      },
      {
        "id": "",
        "name": "cmacnnkfbhlcncm.top"
      },
      {
        "id": "",
        "name": "canjjclmlnicbga.top"
      },
      {
        "id": "",
        "name": "bfhdkgmmhdbikgj.top"
      },
      {
        "id": "",
        "name": "afnfdijahijefmh.top"
      },
      {
        "id": "",
        "name": "b8804a7ef09a9c1e8ede3a86a087b754b42f5b37c6de1e82c86f38d01c297ee2"
      },
      {
        "id": "",
        "name": "138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa"
      },
      {
        "id": "",
        "name": "91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:db4273693f5fd65a",
        "name": "BOINC",
        "slug": "boinc"
      },
      {
        "id": "038e063c-cead-4de8-902e-d6fabcd78a08",
        "name": "MintsLoader",
        "slug": "mintsloader"
      },
      {
        "id": "legacy:malware:bd5e900cb57b2f39",
        "name": "StealC",
        "slug": "stealc"
      }
    ],
    "attack_patterns": [
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "a58c2bff-7d90-4816-93fd-aa0b6beca12e",
        "name": "T1124"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Legal"
      }
    ]
  },
  "external_refs": [
    "https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery",
    "https://otx.alienvault.com/pulse/678e2ed0691dbaf790bf355c"
  ]
}