Malware Analysis Report

2025-05-05 21:17

Sample ID 240510-1k1hbsbc6y
Target diabolic.exe
SHA256 b20f4ee8eb36c3ab08e9be6201f151253eb782ab4a6eea5a22f6d5e685339618
Tags pyinstaller
Score 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256

b20f4ee8eb36c3ab08e9be6201f151253eb782ab4a6eea5a22f6d5e685339618

Threat Level: Shows suspicious behavior

The file diabolic.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Unsigned PE

Detects Pyinstaller

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 21:43

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 21:43

Reported

2024-05-10 21:43

Platform

win7-20240221-en

Max time kernel

3s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\diabolic.exe

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

C:\Users\Admin\AppData\Local\Temp\diabolic.exe

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI17042\python38.dll

MD5 eec355a6e9586f823a4f12bed11e6c80
SHA1 33627398cb32f4fbb162f38f7c277ad5b13a99ba
SHA256 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
SHA512 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0

C:\Users\Admin\AppData\Local\Temp\_MEI17042\VCRUNTIME140.dll

MD5 7942be5474a095f673582997ae3054f1
SHA1 e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

C:\Users\Admin\AppData\Local\Temp\_MEI17042\base_library.zip

MD5 877f89f4a141da5810ae8df658dae577
SHA1 df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2
SHA256 f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f
SHA512 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212

\Users\Admin\AppData\Local\Temp\_MEI17042\_ctypes.pyd

MD5 4786508ffadc542bd677f45af820fdb9
SHA1 fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
SHA256 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
SHA512 ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80

\Users\Admin\AppData\Local\Temp\_MEI17042\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI17042\_socket.pyd

MD5 bc7b1b0112427976b83911e607213c37
SHA1 f4c7eb5b46ebe015a13de59f17ca158c01a377f4
SHA256 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
SHA512 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040

C:\Users\Admin\AppData\Local\Temp\_MEI17042\select.pyd

MD5 bb6e9825bd4a98e0700d96b59ec64f68
SHA1 afd51547dad9cd7fac0efbda76b5e2388a027681
SHA256 bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
SHA512 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964

C:\Users\Admin\AppData\Local\Temp\_MEI17042\_lzma.pyd

MD5 fea0e77f594207b8af1d240a16c6650e
SHA1 dd48f108074eade8c0f84916d619bce4a97c07bb
SHA256 d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0
SHA512 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff

\Users\Admin\AppData\Local\Temp\_MEI17042\_bz2.pyd

MD5 712a8dba2916f0261a1290a8e3d85ebf
SHA1 27dbfa5de547c30c457855594272545dafaeb39d
SHA256 d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82
SHA512 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9

C:\Users\Admin\AppData\Local\Temp\_MEI17042\PIL\_imaging.cp38-win_amd64.pyd

MD5 4bdf10382db4369c5f779bdf68d203ff
SHA1 5297002ae657d981c1dc9c67231da8371c6e4d6c
SHA256 334375da85840776cb4f663b6cd09297a6e3281ef43b1186bc61058e7699122a
SHA512 84afaae2eace1ec6fb50887495e7a08772bf54ca1453f15aa414c67ee94285b339d4e7da348faf5dee9e9a24b4371a9f65f1e5323cf5332c7e50274d4b4c1f58

\Users\Admin\AppData\Local\Temp\_MEI17042\MSVCP140.dll

MD5 c1b066f9e3e2f3a6785161a8c7e0346a
SHA1 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

C:\Users\Admin\AppData\Local\Temp\_MEI17042\PIL\_imagingft.cp38-win_amd64.pyd

MD5 b45db71a9739ea4f9de8fc5b1d7eac57
SHA1 d0e31e671a181f4409644f421679626074580274
SHA256 d545aad2f89e1748a5178876ce1f058595ebb53694ba375fee9cf2ad2cbf2a88
SHA512 3d4eec4befe319ea8245286f992b3a1f79fa67d04d1f5a1bf94bf45e93ef591b878e4188e54cba98c1b32ea96afb33c5b37e5e44543950edab93c80d02995715

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 21:43

Reported

2024-05-10 21:43

Platform

win10v2004-20240426-en

Max time kernel

9s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\diabolic.exe

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

C:\Users\Admin\AppData\Local\Temp\diabolic.exe

"C:\Users\Admin\AppData\Local\Temp\diabolic.exe"

Network

Country  Destination  Domain                           Proto
US       8.8.8.8:53   133.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53   133.211.185.52.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI45802\python38.dll

MD5 eec355a6e9586f823a4f12bed11e6c80
SHA1 33627398cb32f4fbb162f38f7c277ad5b13a99ba
SHA256 560a6a5f8b7afa99600cc47da26a802c342d7f50ffe23850372f2fcf536cd26f
SHA512 7b4b3c13383de62a17aa1aafabce657ea5f4aadd716430fcd6e0f3125b773ae1589b3eaa050ccd87b37f6fae2391c5e7a8a229c0b0fa135de8d0269e9752bea0

C:\Users\Admin\AppData\Local\Temp\_MEI45802\base_library.zip

MD5 877f89f4a141da5810ae8df658dae577
SHA1 df17d4bf2fa8bc3ce9a85f635ee8cfe640cdd3d2
SHA256 f009edc33aea2ee2dc1e9ed32e27ddda6204c45c87a6f722b883c76eb394555f
SHA512 988a3daf5df93fe509886c4af86039493667ba83957d41a48615101d3bbcd8b2c319ae59e59cc83a6765f33558e396294f8e9e349f8c21131c0f10a2bad6f212

C:\Users\Admin\AppData\Local\Temp\_MEI45802\VCRUNTIME140.dll

MD5 7942be5474a095f673582997ae3054f1
SHA1 e982f6ebc74d31153ba9738741a7eec03a9fa5e8
SHA256 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c
SHA512 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

C:\Users\Admin\AppData\Local\Temp\_MEI45802\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pyd

MD5 4786508ffadc542bd677f45af820fdb9
SHA1 fc0f7dae6e0d093594e4ff1c293ce004dbd16fd7
SHA256 64f5072cd9536418ec0fd4b5c30c13b03cdddced1f9332d4d721c4b37ae3883e
SHA512 ad4b0e6883c2f0c003c46b1b85f5fbc2c1f8366a212695b9e47664c8735a30d4c8a3c645b324d3d059582096a1fe78ac1043ba8a639ced0665ef8c5cc33d0b80

C:\Users\Admin\AppData\Local\Temp\_MEI45802\select.pyd

MD5 bb6e9825bd4a98e0700d96b59ec64f68
SHA1 afd51547dad9cd7fac0efbda76b5e2388a027681
SHA256 bb81d220db83d5276fccda137d430160b8eafd40f4d92d86ebc718b4dfd555ac
SHA512 2380a0a2bd625ff79b04bb9d4f6611150512d72f719a3cc73806ea979c29b01fc3d947fb2998e308796a32061e0f2d34d158876924c71350c759e2a841abf964

C:\Users\Admin\AppData\Local\Temp\_MEI45802\_lzma.pyd

MD5 fea0e77f594207b8af1d240a16c6650e
SHA1 dd48f108074eade8c0f84916d619bce4a97c07bb
SHA256 d7acc95049c07298af56a316419e6548f3e6b56fb22dfb3382607a803dddb5e0
SHA512 3b06abcf29bd93232afd6ae0b8fbded6cc75c5a5cdbd5b410d16e6f19e034d4f903252eda243f670173cc05e78e36e767553e065648ce7c3af330d10922d51ff

C:\Users\Admin\AppData\Local\Temp\_MEI45802\PIL\_imaging.cp38-win_amd64.pyd

MD5 4bdf10382db4369c5f779bdf68d203ff
SHA1 5297002ae657d981c1dc9c67231da8371c6e4d6c
SHA256 334375da85840776cb4f663b6cd09297a6e3281ef43b1186bc61058e7699122a
SHA512 84afaae2eace1ec6fb50887495e7a08772bf54ca1453f15aa414c67ee94285b339d4e7da348faf5dee9e9a24b4371a9f65f1e5323cf5332c7e50274d4b4c1f58

C:\Users\Admin\AppData\Local\Temp\_MEI45802\_bz2.pyd

MD5 712a8dba2916f0261a1290a8e3d85ebf
SHA1 27dbfa5de547c30c457855594272545dafaeb39d
SHA256 d6e5763cecd267be0ff5355ff53e93428f3dd7ab20458fb1e7432dffa060cf82
SHA512 662664189f3a426a2042c998a5396fcb660f1ec123fe8089ec740ae414e0da9173d2e1abb6a231b3271bba9c4cb2a3a0a6ea45c475531bb986a4d085e74de1d9

C:\Users\Admin\AppData\Local\Temp\_MEI45802\_socket.pyd

MD5 bc7b1b0112427976b83911e607213c37
SHA1 f4c7eb5b46ebe015a13de59f17ca158c01a377f4
SHA256 85f200cb9adf0ef97d40b897868f6ad564211d3529f0b6dfe8e04c56a7b832bc
SHA512 18bc94c917ee894121241dcf65fab370a344caaf1120162fcb0966503c502b3e990a79553d2e4e1e3403e35d2b5e00cb365254c08f99c93c178e2e1fd7b2a040

C:\Users\Admin\AppData\Local\Temp\_MEI45802\MSVCP140.dll

MD5 c1b066f9e3e2f3a6785161a8c7e0346a
SHA1 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

C:\Users\Admin\AppData\Local\Temp\_MEI45802\PIL\_imagingft.cp38-win_amd64.pyd

MD5 b45db71a9739ea4f9de8fc5b1d7eac57
SHA1 d0e31e671a181f4409644f421679626074580274
SHA256 d545aad2f89e1748a5178876ce1f058595ebb53694ba375fee9cf2ad2cbf2a88
SHA512 3d4eec4befe319ea8245286f992b3a1f79fa67d04d1f5a1bf94bf45e93ef591b878e4188e54cba98c1b32ea96afb33c5b37e5e44543950edab93c80d02995715