General

  • Target: projectoyster.exe
  • Size: 17.6MB
  • Sample: 240619-rqq2easbkd
  • MD5: c2f6ec069ca587f732ee9107d9541ff4
  • SHA1: 10a8985cc2f249ce143f97b26471426a95625ba2
  • SHA256: 7fe09e5889787ae38ef8f5242811a60ebe1526314eb08cc184b7e47051815e2b
  • SHA512: b8c07ca5ece52fd6acc9a43d88216e6b57c0af908027099f0e2d3e48fcd19cbf4bde266c0cd3414233d0df2b7314fe801b12ee72804b31c5a7467f769f21e4d2
  • SSDEEP: 393216:V5RM0d0EpEk/+4u8mwW+eGQRJ9jo7BGIGg3zOY:hMoDp3+RBwW+e5RJ9MnOY

Targets

    • Target: projectoyster.exe

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: cstealer.pyc
    • Size: 67KB
    • MD5: 380fb181fbfee35d71f14e2d1a1df1c7
    • SHA1: f991d3803a6ac70bd017175e289c95d52a3808ca
    • SHA256: 62efea82da680bd54e4917cca7553c9bf1ce6a7290df986d612115dd9df683b7
    • SHA512: 393c1b167eeaa3007282f78744dc197fab35cd0502ebd9de171e9006dae92f61a6001ae53ff62e135480fc689ea3427928cba559bdd0291cf20c311a05d44572
    • SSDEEP: 1536:l0xqOgPtxpqBJlMstbo88jLQQcXf9qS0Vr+LRheF:lqQt/+bo88PiXX0r+LRA

    Score: 3/10
