Overview

overview

10

Static

static

10

source_prepared.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    source_prepared.exe

  • Size

    107.5MB

  • Sample

    241011-pcaq6a1fje

  • MD5

    73f6e0980b3fefed364c6c0c7e6787f8

  • SHA1

    c7db42d5d1104fd2425d982369e4f338a646a697

  • SHA256

    763a7d2838bc41dee5534dddb38368a35269ea32f82bbb89ba3147261bd4d7eb

  • SHA512

    aa1bf329e04e50ead25973ee9148f19167ece507d0cb4228b457cc6dba634ede01290af3820aae779ce0cda2f2a95ac93fa79aa50dfb06be1cac164b0adf795e

  • SSDEEP

    3145728:ZN5L8iS6xjKcBa6/2qHO5i/p0nG0iWMstB2OxARE:/tJSWNa6NHCixiieB

Score
10/10
pysilondiscoveryevasionexecutionpersistencepyinstallerspywarestealer

Malware Config

Targets

    • Target

      source_prepared.exe

    • Size

      107.5MB

    • MD5

      73f6e0980b3fefed364c6c0c7e6787f8

    • SHA1

      c7db42d5d1104fd2425d982369e4f338a646a697

    • SHA256

      763a7d2838bc41dee5534dddb38368a35269ea32f82bbb89ba3147261bd4d7eb

    • SHA512

      aa1bf329e04e50ead25973ee9148f19167ece507d0cb4228b457cc6dba634ede01290af3820aae779ce0cda2f2a95ac93fa79aa50dfb06be1cac164b0adf795e

    • SSDEEP

      3145728:ZN5L8iS6xjKcBa6/2qHO5i/p0nG0iWMstB2OxARE:/tJSWNa6NHCixiieB

    Score
    9/10
    discoveryevasionexecutionpersistencespywarestealer

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

File and Directory Discovery

1
T1083

Query Registry

1
T1012

System Information Discovery

1
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks