Resubmissions

20/06/2024, 01:16

240620-bm1hnsverk 10

28/05/2024, 01:09

240528-bh2vyaab37 10

Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20/06/2024, 01:16

General

  • Target

    source_prepared.pyc

  • Size

    173KB

  • MD5

    67a356f186468f1d9f5f55e7b36e3aed

  • SHA1

    5c5ddb2fdbcc205e971e5e98bc5af241b23e4a04

  • SHA256

    836669630785dbedfc359d69f9229fef2ef277b675ddfa3ed2af5394fcad77b0

  • SHA512

    f6ebaebd75902ad32de4c5f28b8a4500778847a99a22bfc2be686bc96d868e32d38345abd7f58402726b78e1f7600e251411d164f995d5253366e081206eb43e

  • SSDEEP

    3072:CrbNQ0aOOAYI1PcsEo0PZTJ0pZyScWaQV+kTIvdXzasTWu:CrRQ0aOOAYIlEovpL9EkjsD

Score
10/10

Malware Config

Signatures

  • Detect Pysilon 1 IoCs
  • PySilon

    An open-source RAT written in Python.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    1⤵
    • Modifies registry class
    PID:2280
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.0.24781997\429967847" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {903864bd-c6c5-4502-b671-8496383e3847} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 1776 20d577f7b58 gpu
          4⤵
            PID:3868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.1.1284123854\2012077015" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {154f7559-5cc2-4fb6-8bc3-42eb2a6f2b3d} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 2152 20d45271f58 socket
            4⤵
              PID:3664
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.2.579259114\1459342079" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2820 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c2ea69-5479-4ceb-af86-8ec4b294a110} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 2672 20d5775d458 tab
              4⤵
                PID:1476
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.3.256269518\348090996" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b408d521-90e7-49db-9e5b-e2c3e246a6c4} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 3516 20d4526a858 tab
                4⤵
                  PID:2200
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.4.97977685\735168342" -childID 3 -isForBrowser -prefsHandle 4924 -prefMapHandle 4960 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de9dc971-26fd-4fef-bae8-e35b065426d0} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 4864 20d4526ca58 tab
                  4⤵
                    PID:4788
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.5.995022989\1546833862" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 4984 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a1e2c5-0dfd-463c-b457-7643009bd26e} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 5104 20d5e1ce958 tab
                    4⤵
                      PID:3088
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3640.6.1181705265\1616181360" -childID 5 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {981d3b93-77ba-4558-8045-2883d07f27ce} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" 4864 20d5f1dd558 tab
                      4⤵
                        PID:4232

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

    Filesize
    9KB

    MD5
    ac6c94df1fbd0f1969d151f887fdc167

    SHA1
    de51fb9c029b9ffc8087e51ca2cb38f39383243a

    SHA256
    ca75e81e39ed27541423d944e2b9776befd2443d77c3df730121e3dba860b1b3

    SHA512
    28324242bdb5cc516342ddc6d01f5cae58613fd5464948ad72b8960e9d59f3563915040b3cec557b65881f3422badfff043352096f491299b52b7792bc079dc6

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\f73610ce-0a47-4c46-a808-1a01bc276122

    Filesize
    734B

    MD5
    af5c252e170fda9dafabff0c1946bc2a

    SHA1
    9f1002fd1b51c1597926bdb266e29c85113118e6

    SHA256
    11aa1159a6db3f0afaa0bf529dc99bf67218acc331362c269522f49bc6dddb74

    SHA512
    c507a641ad680114b60ce4f576e0d64240264d0682e119fc1e3ae39111d88a31d28380b9178abd44ef6e031e144e87540967fdf28665cc989788d2587aa4a2a5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

    Filesize
    6KB

    MD5
    332cdf6d17d115bfd0254a3e10a50782

    SHA1
    ac60f62d7540c1c9f53b5a2005231d0a4aad5396

    SHA256
    48c8027c9ca762b19c4c44f9ad0a05b706f9bd4d124186f5b7caff40cf612c6a

    SHA512
    d46f0d857428188d4bd9bf145cd3234841afefd8334b4358607b825a8b5b7376502ee84a518a5491d1e21d95681ff2dc5ddf9fc3838d3b78ea7a1b5894db58f1

  • C:\Users\Admin\Downloads\CMhCzPku.pyc.part

    Filesize
    173KB

    MD5
    67a356f186468f1d9f5f55e7b36e3aed

    SHA1
    5c5ddb2fdbcc205e971e5e98bc5af241b23e4a04

    SHA256
    836669630785dbedfc359d69f9229fef2ef277b675ddfa3ed2af5394fcad77b0

    SHA512
    f6ebaebd75902ad32de4c5f28b8a4500778847a99a22bfc2be686bc96d868e32d38345abd7f58402726b78e1f7600e251411d164f995d5253366e081206eb43e