6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581

General

Target

DevxExecutor.exe
Size

44.1MB
MD5

e4897ef7419e128b1f7473119ce0bd07
SHA1

5aad252412a5923438f30cb9c397731a9b020121
SHA256

6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
SHA512

db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
SSDEEP

786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2964	cstealer.exe
2544	cstealer.exe
2636	main.exe
2680	main.exe
1084	Process not Found

Loads dropped DLL 9 IoCs

pid	Process
1712	DevxExecutor.exe
2964	cstealer.exe
2544	cstealer.exe
1712	DevxExecutor.exe
2636	main.exe
2680	main.exe
1084	Process not Found
1084	Process not Found
1084	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d20-55.dat	upx
behavioral1/memory/2680-57-0x000007FEF02B0000-0x000007FEF0898000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b0000000143e5-5.dat	pyinstaller
behavioral1/files/0x000600000001630a-39.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	main.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2964	1712	DevxExecutor.exe	28
PID 1712 wrote to memory of 2964	1712	DevxExecutor.exe	28
PID 1712 wrote to memory of 2964	1712	DevxExecutor.exe	28
PID 2964 wrote to memory of 2544	2964	cstealer.exe	29
PID 2964 wrote to memory of 2544	2964	cstealer.exe	29
PID 2964 wrote to memory of 2544	2964	cstealer.exe	29
PID 1712 wrote to memory of 2636	1712	DevxExecutor.exe	30
PID 1712 wrote to memory of 2636	1712	DevxExecutor.exe	30
PID 1712 wrote to memory of 2636	1712	DevxExecutor.exe	30
PID 2636 wrote to memory of 2680	2636	main.exe	31
PID 2636 wrote to memory of 2680	2636	main.exe	31
PID 2636 wrote to memory of 2680	2636	main.exe	31

C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\DevxExecutor.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\cstealer.exe
  "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\cstealer.exe
    "C:\Users\Admin\AppData\Local\Temp\cstealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26362\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29642\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
36.0MB

MD5
1ee0837eedf03e82aa652b1bf157387f

SHA1
9f67248352c6eb3ff5c6c4d5eb05a55eff499cd8

SHA256
545f339c71cac4b4eb0440fed022a51032c208ee1d5cdef050d97b37adf8de4a

SHA512
8bd47bd3ef1f622029cb6ecec02eac62c45f6d788d813eca80c275a4fb4cc35a1c25f869b66551fe57099500587cebc135cbcda0e7a43e70fceb3762185b0c5a

Download Submit
\Users\Admin\AppData\Local\Temp\cstealer.exe

Filesize
8.5MB

MD5
bc2b7de582fb94f0c44855d8fab8c236

SHA1
62e1cfd2d999025930a3dacf6bf71b8f9d166c2b

SHA256
2481caeaa2b5db3c040aab3054fcd0bfd42637a4000c4b676215459d38ca4c3c

SHA512
5cfa22eac5eec79c4f479a3bc54ed31f0a1943ac598954ad05b2f3e6d63ec7abdf496f8926446c08d44685ddcb338018a14fe9d5167dcc16b752d49b661704e9

Download Submit
memory/1712-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000000D00000-0x000000000392A000-memory.dmp

Filesize
44.2MB

Download
memory/1712-3-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-40-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2680-57-0x000007FEF02B0000-0x000007FEF0898000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing