empyrean | e6f27d0e9530edd04a6343618eb98ea1cd748625f42aa0a7ea87b73a8bd886f7 | Triage

Submit
Reports

Overview

overview

Static

static

untitled f...in.zip

windows11-21h2-x64

Resubmissions

04-10-2024 13:58

241004-q9w64axfpp 10

04-10-2024 13:13

241004-qggkyazena 10

04-10-2024 13:07

241004-qc4jxazcra 10

04-10-2024 02:09

241004-clckwsyeqk 10

03-10-2024 16:57

241003-vgn28szcke 10

03-10-2024 14:11

241003-rhrmzasgjg 10

03-10-2024 01:23

241003-brvg8axcnk 10

02-10-2024 22:37

241002-2j96ta1dlj 10

Sharing

General

Target

untitled folder.zip
Size

455KB
Sample

241004-qggkyazena
MD5

06d3b5b5a792a9c81895f0e8c8153578
SHA1

2921dcd2557428c9b09aa4b99a18859be902d4e4
SHA256

e6f27d0e9530edd04a6343618eb98ea1cd748625f42aa0a7ea87b73a8bd886f7
SHA512

8d5a8b89e7f1e47311e465e01280ee515a6799f7792ee5fb7eb4857633f1c5476a409f634016bfd38fc997d89f94d4b3ba4e6ab42a4902838904f6c435a3fb04
SSDEEP

12288:b/LllAgPcsN0nPZfz0Q+qede/2ONj5AHs+e:TLAsanPNIde/F5A0

Score

10^/10

empyrean defense_evasion discovery execution persistence privilege_escalation stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

untitled folder/empyrean-main.zip

Resource

win11-20240802-en

empyrean defense_evasion discovery execution persistence privilege_escalation stealer

windows11-21h2-x64

30 signatures

1800 seconds

Malware Config

Targets

- Target
  
  untitled folder/empyrean-main.zip
- Size
  
  458KB
- MD5
  
  6535abdad3ba947fa280b8d5f836751b
- SHA1
  
  5c7d20d35bcd2049fea5c07ad4d83e4e0e2fb494
- SHA256
  
  15f5346f636fa7879882f23611d46da7d7fab3e03cf75366f8721fe54804f8fd
- SHA512
  
  5edc1bac7c636d2488578d97544cedd18f61124f2a732b49ffd891aeac00a19af6dc4c42e8e4c9e52f5ae0e908f059219f0ceae698d9084453335877bea132a1
- SSDEEP
  
  12288:oHl1OgPc6NQpZZbzYQqKevezSE3l52fsl:oH26CpZNUvezH52w
Score

10^/10

empyrean defense_evasion discovery execution persistence privilege_escalation stealer
- Detects Empyrean stealer
- Empyrean Stealer
  An Open-source information stealer.
  stealer empyrean
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

empyreandefense_evasiondiscoveryexecutionpersistenceprivilege_escalationstealer

© 2018-2025

Terms | Privacy