General

  • Target: Pyth-external.exe
  • Size: 17.8MB
  • Sample: 240526-a4ef4ahb82
  • MD5: 5427031d5dcefe316e5fbb3abc7473af
  • SHA1: 0e30c82c3e393122b683210a7cdafbad7fb11638
  • SHA256: cd2d3fafb2711c69fba3e2b3ef02a335eee63fd88f2ec6c3dfdea305d37cfd92
  • SHA512: ab5dbf4f55967d5bfd8fd90eb923a855db60bf145b05114e77bdd8550c74fa2b3048c53507baa3c244c79d05a58b43d92b54332dead20335aea99306d4235dc3
  • SSDEEP: 393216:4qPnLFXlrPmQ8DOETgsvfGFIgnYJvE56QgUpGq:pPLFXNOQhEJCY+Dgu

Malware Config

Targets

    • Target: Pyth-external.exe
    • Size: 17.8MB
    • MD5: 5427031d5dcefe316e5fbb3abc7473af
    • SHA1: 0e30c82c3e393122b683210a7cdafbad7fb11638
    • SHA256: cd2d3fafb2711c69fba3e2b3ef02a335eee63fd88f2ec6c3dfdea305d37cfd92
    • SHA512: ab5dbf4f55967d5bfd8fd90eb923a855db60bf145b05114e77bdd8550c74fa2b3048c53507baa3c244c79d05a58b43d92b54332dead20335aea99306d4235dc3
    • SSDEEP: 393216:4qPnLFXlrPmQ8DOETgsvfGFIgnYJvE56QgUpGq:pPLFXNOQhEJCY+Dgu

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: main.pyc
    • Size: 7KB
    • MD5: c563117c587e060a5835e07f13e9b0fc
    • SHA1: 6be41e32365ed3842693b255bb07f42133218493
    • SHA256: dbc0fb0ba9d48665c089023d7acde68f5bfd8dce4b545b5367e0a1ee581a7d6c
    • SHA512: 7c837fb49486c1f6b3731c948b989123686d70c2b38b636ee19d18aa558d5fe4f8c42626b28dfc88afe5391322160936d26fc9090c2da0feb0e293b63696fcf8
    • SSDEEP: 192:wLPCRSD8wiWdXwQ235JhwaD7884CMdwDTJnw:KPCRvWuT2984CPZw

    Score: 3/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2

Credential Access
  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery
  • System Information Discovery (T1082): 1

Collection
  • Data from Local System (T1005): 1

Command and Control
  • Web Service (T1102): 1

Tasks