Resubmissions

20-06-2024 01:19

240620-bprzba1blf 10

26-05-2024 08:27

240526-kclffacd3v 10

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20-06-2024 01:19

General

  • Target

    source_prepared.pyc

  • Size

    185KB

  • MD5

    60204318ffa2f037879356afb4b03881

  • SHA1

    f64af513c6fb98d060dad38995fa210ae1d5a5f5

  • SHA256

    94ad449f7a7b065e6ce3a45dff4a47bb3b97ff4e7951b82319e792b5555b1aee

  • SHA512

    c04a8a4b6dcff1c740f04d34fabb552084c5426eb8438ffc271a2725e7f84d5fcffcde23ebd1e6e4a78c4851e73e458a2a3d3960c053d61f4efd982981af68f8

  • SSDEEP

    3072:wTAkLaiI6A9MmlbJo2PEtelZN+tVZa/zqge6/qcCkn0:wTvWiILHJo28cN+7Za/zqgeqPCh

Score
10/10

Malware Config

Signatures

  • Detect Pysilon 1 IoCs
  • PySilon

    An open-source RAT written in Python.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    1⤵
    • Modifies registry class
    PID:5036
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4216
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.0.1454151957\70564657" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb60a28-0448-4219-9647-745ebbe286c4} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 1812 26b105d8058 gpu
          4⤵
            PID:972
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.1.103419030\1478478308" -parentBuildID 20221007134813 -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d1d7b84-8f79-454b-9480-8fcfa00eeb9b} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 2188 26b05572858 socket
            4⤵
              PID:840
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.2.1861963538\1454279137" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2940 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df84b660-5d77-4dd1-9988-30c614a5875f} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 2744 26b145cce58 tab
              4⤵
                PID:5028
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.3.231819983\1193935614" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c46a95-2e41-4db9-9a6e-30af3ceee4df} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 3488 26b0555b558 tab
                4⤵
                  PID:2284
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.4.1079523129\767342322" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4804 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f7aea62-8a57-489a-85aa-ff0941053a20} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 4900 26b170bcd58 tab
                  4⤵
                    PID:3936
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.5.1275371048\1481571705" -childID 4 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09a5b7a1-721c-488f-97d0-8ced8cdc357a} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 5028 26b18c32558 tab
                    4⤵
                      PID:2180
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4216.6.1881361636\1440168924" -childID 5 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca35d925-1363-4275-84f6-3231e6e02bae} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" 5228 26b18c2f258 tab
                      4⤵
                        PID:4076

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
    Filesize
    9KB
    MD5
    d58f27a05ea2816635754d6159d86d5e
    SHA1
    a11d9435812dda38dc79b4e840f164b57458e3ca
    SHA256
    0463936edb3fad74a0b7a9a40bfb41fae7a422f48c6af771808402526c0be4dd
    SHA512
    f4b65e5589aa9b69baaaa56e1683c9b9b9362d9bc2dbc1315a77fdc561e0aba8c80701e0f6d8b6533d6cc96128d660bc962cd4eb40e061793d328e39a2e41354

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\8013da98-ba63-442f-b232-a160eb49b166
    Filesize
    734B
    MD5
    f6542cb85cbd0708c6f0d3fd8c1d5e60
    SHA1
    2182ab5815ab6d924064d822a5d5b786fb1a6e37
    SHA256
    7f112811108b20f262bd55c1958d865410599df52ac9893b6beda3b2f1772486
    SHA512
    2385e65270c81e648d7059dfad861c303cc1a55cfd51771f018e0396b50af7d21dd7f9504813d50296229ddfc7c09e6e14ddc9273f59382b3c9ba398c5f20179

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
    Filesize
    6KB
    MD5
    b2f38e3e52ab93231a0c62a3e3a72a3b
    SHA1
    053dcb66801a61db347ab6434de540d817310f8d
    SHA256
    8e97688ff33e05223982a4e559ab699eacd90f2de8cedcc9f912a2f77b0b2f72
    SHA512
    7bd5c2bf81d3a66a19f0642c8d2293a99ceeee5a141157f49e81051f5d1a2326ec5a50d08b31f648552a89637f06f2817fec5e3c0c398c9646927f74e3616544

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js
    Filesize
    6KB
    MD5
    a80072095096a4739e31e2b412dfc735
    SHA1
    9d169f6510ab5be445552b34d72cffd34480fd93
    SHA256
    0d8604a52bb90c41c1f6461837f1de527500f88897102c38676da94c78a5005d
    SHA512
    404a9effaf66221af3ff4762c0514a5aa1bee4be93ab51797f98edeb6f17c56086c2ba2632a1b9a29c891f41e45fec277a31813436e79f3bac802ca941445a6a

  • C:\Users\Admin\Downloads\qOjGee_6.pyc.part
    Filesize
    185KB
    MD5
    60204318ffa2f037879356afb4b03881
    SHA1
    f64af513c6fb98d060dad38995fa210ae1d5a5f5
    SHA256
    94ad449f7a7b065e6ce3a45dff4a47bb3b97ff4e7951b82319e792b5555b1aee
    SHA512
    c04a8a4b6dcff1c740f04d34fabb552084c5426eb8438ffc271a2725e7f84d5fcffcde23ebd1e6e4a78c4851e73e458a2a3d3960c053d61f4efd982981af68f8