pysilon | baaf8097ae1834ddba27342d6a0bab8ad25f758962c09fb56828f0989c1f22b5

Resubmissions

27/08/2024, 09:32

240827-lh5a6stgmd 10

27/08/2024, 08:59

240827-kx7t6ssgmh 10

27/08/2024, 08:56

240827-kv5l2asfnc 10

Sharing

Copy URL

Twitter E-mail

General

Target

AutoBeamer v1.3.exe
Size

76.3MB
Sample

240827-lh5a6stgmd
MD5

d86215b9a4bb1697299ff06a12960de7
SHA1

aa31268571b0ef422a6d1c70f485f31b4f4d280f
SHA256

baaf8097ae1834ddba27342d6a0bab8ad25f758962c09fb56828f0989c1f22b5
SHA512

28c74dc49fc1b718ddff2fb182f048ee77cf65785638fbd686539d6178272330962f3d2b5b73a0e286d069b7e1c6c2b2b9866defa9107a6545a2c5b0ee332945
SSDEEP

1572864:lvhQ6lNWK7vDSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaZrZv25qq:lvh1f3PSkB05awIxTy5nMHVLte905X

Score

10^/10

Malware Config

Targets

- Target
  
  AutoBeamer v1.3.exe
- Size
  
  76.3MB
- MD5
  
  d86215b9a4bb1697299ff06a12960de7
- SHA1
  
  aa31268571b0ef422a6d1c70f485f31b4f4d280f
- SHA256
  
  baaf8097ae1834ddba27342d6a0bab8ad25f758962c09fb56828f0989c1f22b5
- SHA512
  
  28c74dc49fc1b718ddff2fb182f048ee77cf65785638fbd686539d6178272330962f3d2b5b73a0e286d069b7e1c6c2b2b9866defa9107a6545a2c5b0ee332945
- SSDEEP
  
  1572864:lvhQ6lNWK7vDSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaZrZv25qq:lvh1f3PSkB05awIxTy5nMHVLte905X
Score

9^/10

upx evasion execution persistence
- Enumerates VirtualBox DLL files
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  discord_token_grabber.pyc
- Size
  
  8KB
- MD5
  
  849e6942b15c2008c7641432902645f5
- SHA1
  
  60942191e1ab3c6d3edf697b57d09c1620c51710
- SHA256
  
  fa4ec025ef2d20b6ebd19803e7131f6b540a7ba14d6769bfd62c37fb875a134b
- SHA512
  
  0e6611f100ea22b2d5d5632cd099f87d57696b73bb9c9d10dde98477b2bb1ff927816b54ee005e07df49d6897f36ad3d858ac142ae082d25800f07597f67248a
- SSDEEP
  
  192:ESB7osP1MJaugQXaafNqaclHJLOq3ZJFD/b8xjJzdJv:TP1iavQTqacyq35D0Fnv
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  get_cookies.pyc
- Size
  
  5KB
- MD5
  
  2754e3152f668e31fccca7b6f275716b
- SHA1
  
  e9ed74d679a96372c4457e72bc6639a4d96a2378
- SHA256
  
  f7e8a57b54489b5b3de66a1d21534ced3d2a2fb1ce8d03c69d4672e62aa00dca
- SHA512
  
  a8331f1c179ed97e6f3821cd41953a5ef8a0b63b6d39022cd3f7980494eff8f00b4367301509014e83c410ed4a6db8e4441f8f3547b682aca250bc4fa29f0f47
- SSDEEP
  
  96:STUBj1Mvk80VDdybA6HUicwKD7dxWeBJKZLpMglcTK94:wsSl0fQfUpwKfhijMgGW94
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  misc.pyc
- Size
  
  2KB
- MD5
  
  bcb404423ac51f798753e8d11e401071
- SHA1
  
  9080018dae3aa157e3a97904c86af06d4a0a6873
- SHA256
  
  572b18ccb1838f23714fae1c8cbb399a08796b1eb846960d5463d40ee784fe5a
- SHA512
  
  25a2997cff19308956086ae4e464f5039e53149043f094f2a65dae4dfa78b6410650a3c4d1514511f23c6bf77228772fa7b8a3cf5119e4ed46edb65ac40ff800
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  passwords_grabber.pyc
- Size
  
  4KB
- MD5
  
  8b9cbd29c3dfec519a4313b1b7a0069b
- SHA1
  
  5efb073593bc8908a7514dad78673c9d65344a6f
- SHA256
  
  589d438226abfec8f71ab7724c68011303f82febb6786fd0c57571b0769764f3
- SHA512
  
  c0099bcf2d23dd405b2e02e1fd1b946195015eabb1cbd2ce4896f1ab7e5bbc1fbe6600fa529087b5dc295c13219fb6bc1a6ac97efa4c0fc74901f70278c09bfd
- SSDEEP
  
  96:2APDnTWeYwDTgWxiX79GzTOjYUyWkUUNPIslLClDWJpR6Yn:TzCUDxiLATmeEUNP/lL3JpsYn
Score

8^/10

defense_evasion discovery motw persistence phishing privilege_escalation
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
behavioral10 behavioral9
- Target
  
  source_prepared.pyc
- Size
  
  65KB
- MD5
  
  b37f4a0d6796acbd8a45596cd219e6b1
- SHA1
  
  2f3c61f0727a4ec45a47e19b44543cc5440ee7c3
- SHA256
  
  5229e02cf30d60cd2e6024cde70bc69b4f5288bab15b149866296350a2a37f26
- SHA512
  
  c90026241644684b1ae66a3c8374d2b6675c75492cc096e2acf858e8cb061e920b1754770d0cf871fdcee6175bee069f4171ed5c9d21273d4e4d44e267e109dd
- SSDEEP
  
  1536:IaDgVgJPkBBj1uYCFjUIOihdBsoGwjRQ53:Hg2FkBkFwIOCsoD0
Score

3^/10

discovery
behavioral11 behavioral12