Overview

overview

10

Static

static

10

AutoBeamer v1.3.exe

windows11-21h2-x64

9

discord_to...er.pyc

windows11-21h2-x64

3

get_cookies.pyc

windows11-21h2-x64

3

misc.pyc

windows11-21h2-x64

3

passwords_grabber.pyc

windows11-21h2-x64

3

source_prepared.pyc

windows11-21h2-x64

3

Resubmissions

27/08/2024, 09:32

240827-lh5a6stgmd 10

27/08/2024, 08:59

240827-kx7t6ssgmh 10

27/08/2024, 08:56

240827-kv5l2asfnc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AutoBeamer v1.3.exe

  • Size

    76.3MB

  • Sample

    240827-kx7t6ssgmh

  • MD5

    d86215b9a4bb1697299ff06a12960de7

  • SHA1

    aa31268571b0ef422a6d1c70f485f31b4f4d280f

  • SHA256

    baaf8097ae1834ddba27342d6a0bab8ad25f758962c09fb56828f0989c1f22b5

  • SHA512

    28c74dc49fc1b718ddff2fb182f048ee77cf65785638fbd686539d6178272330962f3d2b5b73a0e286d069b7e1c6c2b2b9866defa9107a6545a2c5b0ee332945

  • SSDEEP

    1572864:lvhQ6lNWK7vDSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaZrZv25qq:lvh1f3PSkB05awIxTy5nMHVLte905X

Score
10/10
pysilondefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerupx

Malware Config

Targets

    • Target

      AutoBeamer v1.3.exe

    • Size

      76.3MB

    • MD5

      d86215b9a4bb1697299ff06a12960de7

    • SHA1

      aa31268571b0ef422a6d1c70f485f31b4f4d280f

    • SHA256

      baaf8097ae1834ddba27342d6a0bab8ad25f758962c09fb56828f0989c1f22b5

    • SHA512

      28c74dc49fc1b718ddff2fb182f048ee77cf65785638fbd686539d6178272330962f3d2b5b73a0e286d069b7e1c6c2b2b9866defa9107a6545a2c5b0ee332945

    • SSDEEP

      1572864:lvhQ6lNWK7vDSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaZrZv25qq:lvh1f3PSkB05awIxTy5nMHVLte905X

    Score
    9/10
    defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationupx

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

    • Target

      discord_token_grabber.pyc

    • Size

      8KB

    • MD5

      849e6942b15c2008c7641432902645f5

    • SHA1

      60942191e1ab3c6d3edf697b57d09c1620c51710

    • SHA256

      fa4ec025ef2d20b6ebd19803e7131f6b540a7ba14d6769bfd62c37fb875a134b

    • SHA512

      0e6611f100ea22b2d5d5632cd099f87d57696b73bb9c9d10dde98477b2bb1ff927816b54ee005e07df49d6897f36ad3d858ac142ae082d25800f07597f67248a

    • SSDEEP

      192:ESB7osP1MJaugQXaafNqaclHJLOq3ZJFD/b8xjJzdJv:TP1iavQTqacyq35D0Fnv

    Score
    3/10
    behavioral2

    • Target

      get_cookies.pyc

    • Size

      5KB

    • MD5

      2754e3152f668e31fccca7b6f275716b

    • SHA1

      e9ed74d679a96372c4457e72bc6639a4d96a2378

    • SHA256

      f7e8a57b54489b5b3de66a1d21534ced3d2a2fb1ce8d03c69d4672e62aa00dca

    • SHA512

      a8331f1c179ed97e6f3821cd41953a5ef8a0b63b6d39022cd3f7980494eff8f00b4367301509014e83c410ed4a6db8e4441f8f3547b682aca250bc4fa29f0f47

    • SSDEEP

      96:STUBj1Mvk80VDdybA6HUicwKD7dxWeBJKZLpMglcTK94:wsSl0fQfUpwKfhijMgGW94

    Score
    3/10
    behavioral3

    • Target

      misc.pyc

    • Size

      2KB

    • MD5

      bcb404423ac51f798753e8d11e401071

    • SHA1

      9080018dae3aa157e3a97904c86af06d4a0a6873

    • SHA256

      572b18ccb1838f23714fae1c8cbb399a08796b1eb846960d5463d40ee784fe5a

    • SHA512

      25a2997cff19308956086ae4e464f5039e53149043f094f2a65dae4dfa78b6410650a3c4d1514511f23c6bf77228772fa7b8a3cf5119e4ed46edb65ac40ff800

    Score
    3/10
    behavioral4

    • Target

      passwords_grabber.pyc

    • Size

      4KB

    • MD5

      8b9cbd29c3dfec519a4313b1b7a0069b

    • SHA1

      5efb073593bc8908a7514dad78673c9d65344a6f

    • SHA256

      589d438226abfec8f71ab7724c68011303f82febb6786fd0c57571b0769764f3

    • SHA512

      c0099bcf2d23dd405b2e02e1fd1b946195015eabb1cbd2ce4896f1ab7e5bbc1fbe6600fa529087b5dc295c13219fb6bc1a6ac97efa4c0fc74901f70278c09bfd

    • SSDEEP

      96:2APDnTWeYwDTgWxiX79GzTOjYUyWkUUNPIslLClDWJpR6Yn:TzCUDxiLATmeEUNP/lL3JpsYn

    Score
    3/10
    behavioral5

    • Target

      source_prepared.pyc

    • Size

      65KB

    • MD5

      b37f4a0d6796acbd8a45596cd219e6b1

    • SHA1

      2f3c61f0727a4ec45a47e19b44543cc5440ee7c3

    • SHA256

      5229e02cf30d60cd2e6024cde70bc69b4f5288bab15b149866296350a2a37f26

    • SHA512

      c90026241644684b1ae66a3c8374d2b6675c75492cc096e2acf858e8cb061e920b1754770d0cf871fdcee6175bee069f4171ed5c9d21273d4e4d44e267e109dd

    • SSDEEP

      1536:IaDgVgJPkBBj1uYCFjUIOihdBsoGwjRQ53:Hg2FkBkFwIOCsoD0

    Score
    3/10
    behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

1
T1083

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks