General

  • Target

    ByGay.exe

  • Size

    20.8MB

  • Sample

    231120-3d1kvsbe2v

  • MD5

    6f54b4191ac9d44e27ab567bf26e4768

  • SHA1

    244de438e62d815483561b99550a8b02a2a7625c

  • SHA256

    da2ecdafa3fbcc59f30fed701e9c3529432bcc479fc18ffe575310601d8e4576

  • SHA512

    284b786e1772db32718b11d0cf2cc65e51259648c16f130ac31b353e3b421e762e2ee5869540d161bd8d7535e06da9bc984cdf3bf6982c15d9a4dab3b5491081

  • SSDEEP

    393216:PUdMOZ0JTQDXYCxnOshouIkPUktRL5okJb8LgSUu16RCOdi99AC:PUdMOZ0JTQ7YCxOwouYktRLSaLSqIrj

Malware Config

Targets

    • Target

      discord_token_grabber.pyc

    • Size

      17KB

    • MD5

      e523026b612006e580e96bd9e2a8882c

    • SHA1

      03b9938701f7eff11a0c3632ed805e8188598c88

    • SHA256

      8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77

    • SHA512

      a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853

    • SSDEEP

      384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15