General

  • Target

    FRASKEY BYFRON BYPASS.zip

  • Size

    158.1MB

  • Sample

    231101-dex4pabe45

  • MD5

    be2405cb198d7705b390ba45d3e373c3

  • SHA1

    29557e9362baf0543cccbdac0f3e95e261634fc2

  • SHA256

    796c19c8a7db21c52c9fc97dcbeee2fa9167b60b009558f8ba2d87208780e348

  • SHA512

    4e0dcaf6a77c97d7e7f9d3e59cf86c640d064520c059753f080f16485b80402cd7d1c4c6844e7b13b7f7ad425f2d690cf00bc4aecfd10ebec7e0c35d062beec2

  • SSDEEP

    3145728:gNkbJ+X1nufS3s0ZtlOu6qf2MswPKEiQwJraPRVLNkbJ+X1nufS3s0ZtlOu6qf2r:3J+FufS3PLZ6qpswPIFmTmJ+FufS3PLO

Malware Config

Targets

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/cache.py

    • Size

      2KB

    • MD5

      7519218777c60df0ffc3e4ab964d56c6

    • SHA1

      008d2e071a1f0c5634e8772efdd3033ab3396e71

    • SHA256

      71074cab1ee11f6460ce09c5a4240df3e2e42c1169ab5b368f9adf010e3a15cf

    • SHA512

      81ab7b7f54f1e47a63391a3ee4ba978807a54c43830f65e42409aff95a738bde502591e54b8da29d59e0cf735a5a043a893da1ff7b4e9a78ab2050b5063bdc12

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/dist/cache.py

    • Size

      2KB

    • MD5

      d9656d0f040ca522a6097eb1856e075b

    • SHA1

      7fe80c0a8389f7315ad3e05f7f2e97cc96f0135c

    • SHA256

      755ad113350ee4a379d29ccea1df35376ec6c5700ba01298b8914f69fd7a6c30

    • SHA512

      2dae5611fd1647dcaf225a47932e6c3cfa95b65caec5cb59fd2af172d6670924079391a313960e9312c6b83e9e80939d907a2f0101be7115642ed7fad48e6342

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/__init__.py

    • Size

      103B

    • MD5

      9b4c436b17f43581e431200474d1f2f2

    • SHA1

      efca249c0614300ad6dfac40444f7617086c4ead

    • SHA256

      02b2adbb908ec88b554d8177070a1dab8032eb2f727307ad45365f5992ac2e2c

    • SHA512

      91d0648777af8537e13926563cbdc520c0cf4a13cdd4b8e5adc576d545013acaaaf37dc0a00f3e0c306f2f6813a2bc5faeabaf3da81ffaadb6b1823c670ac68d

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/__pycache__/__init__.cpython-311.pyc

    • Size

      247B

    • MD5

      018b8c21f66d8a2ebb99eddb6f5103be

    • SHA1

      78b29b7d8c3f392738ead764f826ee6863334f54

    • SHA256

      e7b72629c0f7b9fa9615d1237240b491842318d1ac9f78b0c1d51f205d8bf3c7

    • SHA512

      88e3c506be1a5d39126bed3c0b5c972d7a8935a1236e5ce57988f916533e60ec2b90841f816972572ebdf7ae5fc2d0ac5e3316b662e19708dc95b6e00082abea

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/pyarmor_runtime.pyd

    • Size

      600KB

    • MD5

      67f4b04512bb06cd50af541cd3e07ad0

    • SHA1

      a4913e74341253971fcdd131c252290bcb408ff5

    • SHA256

      26b332a94abb30b455884aa9205cabc8a1078d2b486af5f0095c875ff46ee3be

    • SHA512

      13d99b3d23d1072884242980406a4b2657ba1ccb7fdad868ebdb264398852f10c99324dabf18d50be2dc5a300dc27124c46416deae6fdbc6b24e41497710e732

    • SSDEEP

      12288:3QlwFgoOcOwdc+7fUoPkjUOWgnE7v61s:30cOwdc+7fUoPkjUOWgnqy

    • Score

      1/10

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/library/pycache/cached/dist/updater.exe

    • Size

      61.7MB

    • MD5

      ffbd03c3d389925d608907b7fddbc8df

    • SHA1

      23aa84e94fb35c25cf7e394eb83d3a2c12b56e5b

    • SHA256

      e58ad920ddc9b68470893f629f60edaaf8abedaa72df10671745eb0d092f84de

    • SHA512

      bcc2bef5f8d0edc6017f361712595b9ed0805464ac66a7114078b8c40e8b3fa852abec0db6cbf58eb1edf8ae32e802f431fb62aecf23ec0857ff427c788a07c6

    • SSDEEP

      1572864:ym6EHMiXIHPxnRF+R49qYwemWbkSSBuCy3Dm45N6aToJQERJ:x6EHcHPBCR49QedbLCuCgDmqIaTCQERJ

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      FRASKEY BYFRON BYPASS/FRASKEY BYFRON BYPASS/main.exe

    • Size

      17.6MB

    • MD5

      b934ee8c62d7bdb865794adfdd929856

    • SHA1

      4b585e41ae72ecdff7ad017e35052ae28330bd39

    • SHA256

      6cc4bb09ba75d84498fb4b8197a5e2ec4e3c6ac4a19bc6d6a114ff8e38116ce9

    • SHA512

      d8d21c162646e12700385620a02dad3a85e9a9349f0315222f4b9b394d7494544b963369248087c31f69ed27090fd777216aad8fc633ffc4eed8be13ce1ee5ca

    • SSDEEP

      393216:PqPnLFXlr7gQpDOETgsvfGOg+nU4FxvEMAAdjdLW:iPLFXNEQoE55U4FG0jB

    • Score

      7/10

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/cache.py

    • Size

      2KB

    • MD5

      7519218777c60df0ffc3e4ab964d56c6

    • SHA1

      008d2e071a1f0c5634e8772efdd3033ab3396e71

    • SHA256

      71074cab1ee11f6460ce09c5a4240df3e2e42c1169ab5b368f9adf010e3a15cf

    • SHA512

      81ab7b7f54f1e47a63391a3ee4ba978807a54c43830f65e42409aff95a738bde502591e54b8da29d59e0cf735a5a043a893da1ff7b4e9a78ab2050b5063bdc12

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/dist/cache.py

    • Size

      2KB

    • MD5

      d9656d0f040ca522a6097eb1856e075b

    • SHA1

      7fe80c0a8389f7315ad3e05f7f2e97cc96f0135c

    • SHA256

      755ad113350ee4a379d29ccea1df35376ec6c5700ba01298b8914f69fd7a6c30

    • SHA512

      2dae5611fd1647dcaf225a47932e6c3cfa95b65caec5cb59fd2af172d6670924079391a313960e9312c6b83e9e80939d907a2f0101be7115642ed7fad48e6342

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/__init__.py

    • Size

      103B

    • MD5

      9b4c436b17f43581e431200474d1f2f2

    • SHA1

      efca249c0614300ad6dfac40444f7617086c4ead

    • SHA256

      02b2adbb908ec88b554d8177070a1dab8032eb2f727307ad45365f5992ac2e2c

    • SHA512

      91d0648777af8537e13926563cbdc520c0cf4a13cdd4b8e5adc576d545013acaaaf37dc0a00f3e0c306f2f6813a2bc5faeabaf3da81ffaadb6b1823c670ac68d

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/__pycache__/__init__.cpython-311.pyc

    • Size

      247B

    • MD5

      018b8c21f66d8a2ebb99eddb6f5103be

    • SHA1

      78b29b7d8c3f392738ead764f826ee6863334f54

    • SHA256

      e7b72629c0f7b9fa9615d1237240b491842318d1ac9f78b0c1d51f205d8bf3c7

    • SHA512

      88e3c506be1a5d39126bed3c0b5c972d7a8935a1236e5ce57988f916533e60ec2b90841f816972572ebdf7ae5fc2d0ac5e3316b662e19708dc95b6e00082abea

    • Score

      3/10

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/dist/pyarmor_runtime_000000/pyarmor_runtime.pyd

    • Size

      600KB

    • MD5

      67f4b04512bb06cd50af541cd3e07ad0

    • SHA1

      a4913e74341253971fcdd131c252290bcb408ff5

    • SHA256

      26b332a94abb30b455884aa9205cabc8a1078d2b486af5f0095c875ff46ee3be

    • SHA512

      13d99b3d23d1072884242980406a4b2657ba1ccb7fdad868ebdb264398852f10c99324dabf18d50be2dc5a300dc27124c46416deae6fdbc6b24e41497710e732

    • SSDEEP

      12288:3QlwFgoOcOwdc+7fUoPkjUOWgnE7v61s:30cOwdc+7fUoPkjUOWgnqy

    • Score

      1/10

    • Target

      FRASKEY BYFRON BYPASS/library/pycache/cached/dist/updater.exe

    • Size

      61.7MB

    • MD5

      ffbd03c3d389925d608907b7fddbc8df

    • SHA1

      23aa84e94fb35c25cf7e394eb83d3a2c12b56e5b

    • SHA256

      e58ad920ddc9b68470893f629f60edaaf8abedaa72df10671745eb0d092f84de

    • SHA512

      bcc2bef5f8d0edc6017f361712595b9ed0805464ac66a7114078b8c40e8b3fa852abec0db6cbf58eb1edf8ae32e802f431fb62aecf23ec0857ff427c788a07c6

    • SSDEEP

      1572864:ym6EHMiXIHPxnRF+R49qYwemWbkSSBuCy3Dm45N6aToJQERJ:x6EHcHPBCR49QedbLCuCgDmqIaTCQERJ

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      FRASKEY BYFRON BYPASS/main.exe

    • Size

      17.6MB

    • MD5

      b934ee8c62d7bdb865794adfdd929856

    • SHA1

      4b585e41ae72ecdff7ad017e35052ae28330bd39

    • SHA256

      6cc4bb09ba75d84498fb4b8197a5e2ec4e3c6ac4a19bc6d6a114ff8e38116ce9

    • SHA512

      d8d21c162646e12700385620a02dad3a85e9a9349f0315222f4b9b394d7494544b963369248087c31f69ed27090fd777216aad8fc633ffc4eed8be13ce1ee5ca

    • SSDEEP

      393216:PqPnLFXlr7gQpDOETgsvfGOg+nU4FxvEMAAdjdLW:iPLFXNEQoE55U4FG0jB

    • Score

      7/10

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks