General

  • Target

    Grabbers-Deobfuscator-main.zip

  • Size

    13.3MB

  • Sample

    240531-wnsjnsgh28

  • MD5

    6f94633479de9682983cb90551915054

  • SHA1

    2db29d4a3bcdd9adfca22cd9faaf1e8e5437a2fc

  • SHA256

    acaf7a1d32d6bd9e1f34ff6e707710810cc17b0f25c9ec7c329cfdc8ddfc1ed1

  • SHA512

    3db840c386947cdb9e9e1b7444a436faed29f365ef2c4ce94b5bcc687e02b887887509e9b465da1d5158da4879b9d13797605da0c3da8bd185adcd72393a91ab

  • SSDEEP

    393216:CyD5IgIu+U0gRhK4adCsAvKmyRPYxaFB64kSTmVVg1V/g6AE:CS5IlXgR4GoYxa7MVe1K6AE

Malware Config

Targets

    • Target

      Grabbers-Deobfuscator-main/deobf.py

    • Size

      6KB

    • MD5

      6b4b50783ef2c9d21751cd38bd9b3bf0

    • SHA1

      e400e78d11663a368d9852ccf4f1fcfda3296f17

    • SHA256

      46614ff3690379626ab3109954d753d98fd750e4fd1d785172c1a82276ad5f85

    • SHA512

      8d00d3a31534a30b588ca932b89b24d64ec8e6c5d853f6f3dfc3dc39634c507b24411cd870aaf96d2b403f12f72508af587b38560f5745f1f913ca3aefd264e3

    • SSDEEP

      96:MbzxTlCdC+JU8H7s6pd9rng/mpVt/NSMA8RixUb8RisEP5fAoKqRqhp9:MhZ8bvBgmpHTrBsRqRip9

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Grabbers-Deobfuscator-main/methods/ben.py

    • Size

      647B

    • MD5

      04915dc08e2aa81160cf532b7d3f940b

    • SHA1

      95c0f9a41b48028e8c1f6a10de6805b6829cadcc

    • SHA256

      c28e4ff38d046e64af3d89d8db3eba4823b09b8223208929afae31d8c68dd6ae

    • SHA512

      94ec68fe8b2365443aedcea869d6f059b48b53acd919eca58d1fe5933914112444eb2571adf3bfb1d3f5899d341ea5a7b60531b1c94fc6eef21ac4712e1a1e96

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/methods/blank.py

    • Size

      2KB

    • MD5

      a9eec0c273d5c9add43b72745c3bc715

    • SHA1

      0345bf98fdd5282491936d7bcb77e8de890d373d

    • SHA256

      e831ea73ec311352b6ef5a0de295771b2dd84147a450d64f40dcf620fa9386e8

    • SHA512

      3ea5ab3c836eea288e501c09923650ac22b9f8750d674eb6957b52472181f393c5a74eb6ba33fb90aae2f0272fd6a346d68f6904a1c86208605624b2383d91eb

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/methods/empyrean.py

    • Size

      969B

    • MD5

      68c486c90545f3d750a6600fca3a9998

    • SHA1

      a09f37c175a5c5a80f0ca7a802d073050666a887

    • SHA256

      ea28f330301a9cbf0742c6aa3abe503d7cf773a073fa8d693b0a390754f0e1b8

    • SHA512

      14dbc5067f7b84a043accba6e152a7ae62cee11e9945687522b008985b464f980619c79f7d184ee317e23bc7ab2ab36748f1abe6d9bf698d9a11d860a2ef1e2c

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/methods/luna.py

    • Size

      599B

    • MD5

      dabcbb5288a4cd2e6bd4502149cc47ca

    • SHA1

      b904848c1566d9e129f6eda7bd5860e52e988845

    • SHA256

      99ebd4549a057dc88070579456d1815d7c954cc4a200ed6fd43bff542118981f

    • SHA512

      404528b996d0452738115155332746e6d60860d70e1a2c6262ae4459941c14dd809dc927c30cf520dd5f3c35d3aaad3c058dd6433a4a6ee8e99657e01a80608d

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/methods/notobf.py

    • Size

      784B

    • MD5

      2677e35326ef5d285a346c5785b49b85

    • SHA1

      2df409f57f9768f03fdc1f86c23f3466822836ba

    • SHA256

      a054a1a2c2329dfc8078ccae527dbc259396765754b0a09e88cdaff60cb89fba

    • SHA512

      27c2852936c7f1ad81c51db097584effd68a910ecebda5d2e51a2dc947d5c5b650955aaeecc2d35d48083b478de6b3394f830b98e408077b997f06ed9bb0f647

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/methods/other.py

    • Size

      3KB

    • MD5

      3c81db58e15d886a0ac087048fd4eafb

    • SHA1

      22194979825e8e97c4daa2f561ca66dfad75d9df

    • SHA256

      3c0f0714975cb012aed71ae396f038f2fa2f4a289825fe5e3c009f7693f01115

    • SHA512

      949b5720fef68dfc90f7cf952252e9f70fe6beab2e0087cbcb41c001c4d09c1a369a157ce8f0ea63f6eff3855b7b325b40e4ca125cc5595df8ef84705842a972

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/fernflower.jar

    • Size

      690KB

    • MD5

      be01dbc47a455dddfc724d5efe13b490

    • SHA1

      0d96a3b0cb32a0e70cc563a2dcdcea5ef61d45b5

    • SHA256

      74b609647d74e4ce04e9beef230a7460e74de03bf41703f961bbe704d4938b8f

    • SHA512

      4ee6e1b935bc428e16103485da5440ae5b968334f023c7872247d52f1d0c000f8f49bc9101e955999c0338c88d34392f14eff2143c167675f7f5888a0be91094

    • SSDEEP

      12288:lSBknFucLVNrGJASNYa5k3qIhOhsioN46D2xFGDwHyhfsYFY5D/:lUcLVNEA0N5kaVhBjGDdhkYUD

    Score
    7/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/pycdas

    • Size

      2.0MB

    • MD5

      d1be2de3bdbb4fdb92e082e08aca4cbe

    • SHA1

      aebe16ddc04bd813a9ab207fb4c03a214cb65bff

    • SHA256

      24d64b99f88ce539ababf41503c33793110eca52d90bb25d5d9f8382fb96f040

    • SHA512

      708266641de9aea2f0f851c1ad94bda18502db6d3eaa2a0831a7a0ad8d9577e1401d16939a7fb1b326b49a32e42d2ecb9722ca797bfe73681a133aff47571d21

    • SSDEEP

      24576:AI3vfom++IihitiE1mPslvOTJPtCcTyxoVU1g+pxtXL:AI3vgwi4E1mUlvOTHCc4oa1j

    Score
    1/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/pycdas.exe

    • Size

      124KB

    • MD5

      c106613cf4fc594260ced59577936bfa

    • SHA1

      8a16fdacd947e6a8fedebde1c1eaf2ff899c6f37

    • SHA256

      52370a2d59198239421954e1cb46284218d3c8ba70a1c161d2b5ab1cc7ed4d96

    • SHA512

      55d24e2babed9fc81c53ca452d720911628001a9da24b156cc2560b0b8c3461058fd90da5ca0bbfd36c6fb4f985887535aad18a4bf7d9b199b2afdb32ddd4247

    • SSDEEP

      1536:PAXQ0AJO9eYJpPPuPZgkP8MqzjWdwsa8XKIilFRvrfS1l+YlDlT:41B9eYJpHuj8Mqz6dZv6IilFhYl+YD

    Score
    1/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/pycdc

    • Size

      2.3MB

    • MD5

      dca8a4f7d9a8a1571ff7878e4b7b83fa

    • SHA1

      50d05e2cdaa0acc8cb8639f893e7132c66840d0d

    • SHA256

      f7dbc7f92b2660608e3f75301215148760c8d85669c3b1775a842a32cf35d9f4

    • SHA512

      04cb648807051d336d1c9d31d6cb07d7c9e97ebf6cde5d282db9e4f6ce42c1e78f624e68525159995e6c173f93d80822bd2eef08d383520cb882083ee46f719f

    • SSDEEP

      24576:0L6jwuRE/ASaaVzD9dfAukg1YkH0TAK+w5VT+3MpvMgiKLGvVI:0L6kKOxD9dfNkg1YNTAKx5Va8pvMgc

    Score
    1/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/pycdc.exe

    • Size

      248KB

    • MD5

      0ad8ae7adb1223e4c02b977cfd024bb1

    • SHA1

      0794e82385e836dab7e16d0f2ca28aafeb489bf6

    • SHA256

      fc5a1007f29b7304e91fce22c036c3dc39134ed3b89ba76e3aaa02bc45beb76c

    • SHA512

      93c3af8c13459e67e1946dff346920916ff200566706b36eb41332125fc0a9454c4175f483683a4b0e99520c294eea6b061eb48e9d31c0870ec65dbeab9b5f07

    • SSDEEP

      6144:qGS8eDxDYUBqfN1l8nRRhJXbnPD+sHlc:qDfDtBqfR8RtbJH

    Score
    1/10
    • Target

      Grabbers-Deobfuscator-main/utils/bin/upx

    • Size

      548KB

    • MD5

      59e0bfa3352db08097a9f62c51934192

    • SHA1

      be017e943ab0bbf4c4e6b655b8648ff124550d44

    • SHA256

      1dbdeb502fc80807af72560b0c361fd073c714fb68d429dfedf83597d36db2f3

    • SHA512

      23c0303a9dd12f0066c13f122760d7495d783690207d14c288f3babbc5670d8d6c3bf1149cd07694e15eb757152ecf9ca152b193832e6427dabb0de65fd76d41

    • SSDEEP

      12288:bkuvAY7aDFiQDq7+EKyxGOxadM/RxyMAYhMOPNMQNYgmiJDlxupZqS/5m:dNa5O7WjkxyMrMO3YgmG0pY/

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Grabbers-Deobfuscator-main/utils/bin/upx.exe

    • Size

      551KB

    • MD5

      90391271aa0ca4d340c6c78d5426cea3

    • SHA1

      c6bc571809512e5a9afd909790ec37fb6fc7bc59

    • SHA256

      902e597a5eb89f345901280eb396394146b3937d4c84b880e8ee1300c901ec9b

    • SHA512

      b6599cd7de6e4eb18b724670bd26f1566a52999fe2171224f330512ee8bebcd4d4e74845293f32a22ad998957655a2982b8bae183a8171e77789afce678214ae

    • SSDEEP

      12288:F6sMe2eOno9jftrZ4X52zGt1wnp5/euBAKPLdmDoDnavsu+Xoi5ZW6q:Msie6STtFC8G1wfZBAaLdVavsfXoa

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Grabbers-Deobfuscator-main/utils/config.py

    • Size

      835B

    • MD5

      96f8034a7e38860d79c01d7933ee1a87

    • SHA1

      bcaf6f3a8ad007fb11d579e02ffec38e80e364b9

    • SHA256

      ca78c3213eaa61d1a1773428b47ebc753831a61c946356d3ce3b0f3ab02721bd

    • SHA512

      f766869cc75ac6a05c22ec601018af51f93b07b1e82f99e67c7623fe648ad900c539f7204d50a0a815c482657d052d08bb9235a73d71b72a46a39ed0cc2450f0

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/decompile.py

    • Size

      1KB

    • MD5

      b1b5f2eb1a2392805b196ce35e178e5a

    • SHA1

      310826373be640f736aa807ee040758cb5a4d40c

    • SHA256

      f198bbeb7807aae1db733ba5ba3b8bc9503843fafba755faf3685b65f9984944

    • SHA512

      4079441e0458c267821af5047532a11f86fc86d26d0d965067ac2a0860ce2f86cce8a37d38c53f4cb39370dd4a6e8f90a3313826751e13794f39406f9d63c039

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/deobfuscation.py

    • Size

      2KB

    • MD5

      1c8aa7595dfdeb287c7dd57e7a67b71a

    • SHA1

      f724297b4405e425bbe0888a6ebf3be3b99ded70

    • SHA256

      74db49437d60d5cbb6299c02c42bb496dd65a2b3f0b9fc51c2cebb54d9177ccb

    • SHA512

      8f23e1bb13654f8588b6d3700ef469ea141d4a4abaa76005e941ee1c8dbc75425c7e6880248964b88f3c94d4714f62cf623ca01869d03fcec52b78f3b4ddb67a

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/display.py

    • Size

      857B

    • MD5

      395770ff948cf733940f3efc9fbd4c49

    • SHA1

      8abf4551b1775e646bebc39df3ea928af317b590

    • SHA256

      65acca473c564fba4227c60542b2e68f7e2959159b3a1a49297924ad85819b26

    • SHA512

      bf4d6609bce08df6d90c80d3c173d12b09dabc424dd89bbbf464a6e7b3f2737e762711f80fe83e94342bea79e8cdce72379fc704c32b9e45830258904a4fc304

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/download.py

    • Size

      1KB

    • MD5

      76119a3eaa53cde358a1b959a59ba9de

    • SHA1

      831383cd63e871bdfa3dccd83b83847087c0868b

    • SHA256

      7e89b18361246e2f94c1e396408ca1ff52d9084249aa99c7f87f4fb7420ca9bc

    • SHA512

      8ab88759bcf611c7f2797997dfb0f3da3793d591d63122a2f069eea82f677b3f4fefa2e3ae2088cf1e30f80007d9d859f4a73b43c3cbf8a62552c2b251090821

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyaes/__init__.py

    • Size

      2KB

    • MD5

      cb72cd7c418b4b68f8df730511d533a5

    • SHA1

      1a957bc18ca931ae21decb28737d261e8fb21ebd

    • SHA256

      9611b462af27328c438e30fafd41e5495d1d2068ad2f7695c77e036129aa4ce7

    • SHA512

      dba71841bd8f979193a76cfee3793fa5b136613dfdcc9ca6fe8dd34d3958464746ba420547a5a1df226e43255d83490817a4a95cb2650bf934acf1d104ff60c7

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyaes/aes.py

    • Size

      59KB

    • MD5

      37807d25dc68ee66ca7afdc9415d02be

    • SHA1

      0d927d80e6701a034eca2618d5871292fdee5c89

    • SHA256

      c5bb1897d2a63f726f7b89c584fc7aa0a914445e889d274c8c0b5e2b6630f2bc

    • SHA512

      0a820d2a5ad7c39ccb77e41a9b6be23140010bae72fdc35f5d6b2fa8a5a3d7ad7acb0630a351f4d54f7d3d4344a538650c6e8ba89db5fec2b9f4b0de4f911e52

    • SSDEEP

      1536:4hcZZK94DPuI8Ltsq6LzSJ8Ns56/QFWR3Gz/1P:ecZZK9yPuI8+2JYd/Qj

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyaes/blockfeeder.py

    • Size

      7KB

    • MD5

      f527c7e232efe70605eacfcf187a1abe

    • SHA1

      04f8d66117f41d63ac53173659a5ceae32e88541

    • SHA256

      34c550f66d284b4c2866f17130d646bf6c3fc2bf2806203268865782e12e0e44

    • SHA512

      81d33f8de1c4d67b909a088ebe29bf9310d1b00b93277ea46e9af6b297e95686ba973c8d416436c74dbf1a8a11c6fedfc354c217203e5cc8ce5d36c96f0b409c

    • SSDEEP

      192:dQHWSmmjOeBQb2++79AAv5ln5hfLmL2DdzAfnrE7g8:djSmm1QbH+79Haq0frE08

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyaes/util.py

    • Size

      2KB

    • MD5

      a6af659a56f78294f5f663b38bd150ab

    • SHA1

      4cc6c17a12ba13dc1bb1ec3dcf70ef21dfae269e

    • SHA256

      b632d6ad0990972eb0969ec1551e8d302baf241476864f86112e40353f02c52f

    • SHA512

      8b881c16e150b350e8caeb6f0f15656c943fd24ae05c9422dafe2d2c36f40e48be8f55c46f7dd6d7735acc4f80de61716e69ed5c47f0dea63c6d224c23d3a986

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyinstaller/extractors/pyinstxtractor.py

    • Size

      16KB

    • MD5

      1c921977023de5c687a4bc7e649bb8a5

    • SHA1

      e4d287135531648f8f299cd8fe33358c0049d949

    • SHA256

      964098032616c2927eb1214b08c8c065a947fc44d345de47e27a652ba61a3427

    • SHA512

      cf98e79cf769153fcae513fc549ce8e771f590c483397cb968694465a49bcb4ed75459708dbc3c18bdaf4a302040ae3aef24de31bdd7be881cc5b64e7bb54531

    • SSDEEP

      192:igOmCh5qHR93qLp0N2Vf4bun7juQYMGq9cZXBknkevPSQ541jBFW2lKHh8rzxP:igIjqxELpDVf4bunotQ541nW2KMzR

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyinstaller/extractors/pyinstxtractorng.py

    • Size

      16KB

    • MD5

      622d98c5ddb8336a860b48d1180abd7c

    • SHA1

      dbec45596ebc6febd70b9ffaf19583ef9e4c66f7

    • SHA256

      dbf0d95d496a49583b54ca76dd45062db8aadee34f196582d6ef25a886eea3d4

    • SHA512

      6549be215fa4395e31115c55592f17e16006610a503ca0b44087daf57c88267c8f56662136f8a3b0a8523e1e118d5f8e0e92164bec5d21b11e92dab08bc87322

    • SSDEEP

      192:cgOsMnz+lVnGQbq7n6bXuQYOA8KDX5GIoCwvPjUsnx1jq1iLlK3QGixBp2WP:cg1Mn4VGQbqWomUEjq12KgxGo

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyinstaller/pyinstaller.py

    • Size

      901B

    • MD5

      97b8f67fc716e9578ab24fbf58474905

    • SHA1

      980462b702b120233a15d385155d8f8d2e967c95

    • SHA256

      ae66de3c2819e729de248b028e62ab0f9ed5bf0466b683c51b94f55c1d74fd4f

    • SHA512

      329bd9072896bf44a32597abd6716486c18551bc8057079887cd7620bd31a34654f1e86c9892b1deee6161bff42fe0725787ddbe393135023133157a7bce4616

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/pyinstaller/pyinstallerExceptions.py

    • Size

      98B

    • MD5

      e73c379c3ed94b367d9514551b7fa4ed

    • SHA1

      69b0ed89af01e3d72f9ccac50a9989939c46aa26

    • SHA256

      619d874c150e9bebcef2edd657f78b7459a79277ce7f37679ccb156f38e5b58b

    • SHA512

      a218db7a1aae9eac6bd6cd3c4afe50bf4a7cb59c7b98fd2218a287068a260ed4e6dbeb4107672a2e252a12c8af7ea696751a4fa1ccfb047ec221282295eae8b4

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/telegram.py

    • Size

      1KB

    • MD5

      798c472339a5f076bd4bd8f7ef3ffd17

    • SHA1

      9f367781caa19688b0d0a00fc8adb297522b24dd

    • SHA256

      1b599fc188a0fa7c74f811e2ae726bdd853dfdc35031eef07b5fe4dbc9b0d0e0

    • SHA512

      11a688ec950bdbafe3dcd1ba23b0565bcaf29a88acd6cecd15a14d0208e32fd34c5d23d2ef02a769f64cfcc6d5fcebc2a7a1524669955499547090c2c402e50e

    Score
    3/10
    • Target

      Grabbers-Deobfuscator-main/utils/webhookspammer.py

    • Size

      1KB

    • MD5

      6af4ea75e548347d93ed6cdd31a1cc4e

    • SHA1

      6a76b9a6e37f6109e2d7cbb1e55f59f167fb930a

    • SHA256

      5d5a450a7dd92d10c759b061f71972c36fe0cb7906ce0a473b92562be243b207

    • SHA512

      d2a48700589c63b8bd81a6d72ba5310154faef08e2889f3e3767502f6ed6bf1486ca8e88e60c4fbfe6293bb13bfc5c0ea8916dec7a99fbdfb591246f277dbec7

    Score
    3/10
    • Target

      Zyron.exe

    • Size

      20.1MB

    • MD5

      c93e65b8b3bdf4651aa5f33fbaf6487d

    • SHA1

      fa44cc02066d7e384224ce22ea2c7e37604e6d17

    • SHA256

      a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30

    • SHA512

      2ab77d13631d77774bafbc9ad70854fd1c31c3ade62e11ec872b6dd05baa9996c5408ddbe822a714f25ba893bc34839d23cc6cb41394d02bfa38f422c06076cd

    • SSDEEP

      196608:Jri7DEziLjv+bhqNVoB8Ck5c7GpNlpq41J29bk9qtlDfqWf:YTL+9qz88Ck+7q3p91JBqfqWf

    • Modifies visibility of hidden/system files in Explorer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar secrets.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

upx blankgrabber
Score
10/10

behavioral1

discovery persistence
Score
8/10

behavioral2

Score
3/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
3/10

behavioral8

discovery
Score
7/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

upx
Score
7/10

behavioral14

upx
Score
7/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

evasion execution persistence spyware stealer upx
Score
10/10