pysilon | 2a7bbfcf72ac2ba1d70b42481809113979f2999bedee9ec2a860a3e1c51994b6 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

ZEHAHAHA.exe

windows7-x64

7

ZEHAHAHA.exe

windows10-2004-x64

9

Sharing

General

Target

ZEHAHAHA.exe
Size

30.4MB
Sample

241201-jpggksymgx
MD5

d3daed0c9c1f809601ea7683b007380c
SHA1

1b46c16855ea23e22c6ec45444241a55bc58cef6
SHA256

2a7bbfcf72ac2ba1d70b42481809113979f2999bedee9ec2a860a3e1c51994b6
SHA512

0da2c32e73132af01096a0f89009e697a6dfb2b30a3a0b740e809accddedefb731a9beebd25a8c21ca363f7be1660f8e90527f64c0397e2c8c9901199cc9b5d8
SSDEEP

786432:e+iIZUW8rm1NddbOzcY8761MZ6deV8v0W5w68gv/FvM+0:I5WqmddCE7tdhW7/K+

Score

10^/10

pysilon discovery evasion execution persistence pyinstaller upx

Static task

static1

pyinstaller pysilon

4 signatures

Behavioral task

behavioral1

Sample

ZEHAHAHA.exe

Resource

win7-20241023-en

windows7-x64

18 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ZEHAHAHA.exe

Resource

win10v2004-20241007-en

evasion execution persistence upx

windows10-2004-x64

13 signatures

1800 seconds

Malware Config

Targets

- Target
  
  ZEHAHAHA.exe
- Size
  
  30.4MB
- MD5
  
  d3daed0c9c1f809601ea7683b007380c
- SHA1
  
  1b46c16855ea23e22c6ec45444241a55bc58cef6
- SHA256
  
  2a7bbfcf72ac2ba1d70b42481809113979f2999bedee9ec2a860a3e1c51994b6
- SHA512
  
  0da2c32e73132af01096a0f89009e697a6dfb2b30a3a0b740e809accddedefb731a9beebd25a8c21ca363f7be1660f8e90527f64c0397e2c8c9901199cc9b5d8
- SSDEEP
  
  786432:e+iIZUW8rm1NddbOzcY8761MZ6deV8v0W5w68gv/FvM+0:I5WqmddCE7tdhW7/K+
Score

9^/10

discovery upx evasion execution persistence
- Enumerates VirtualBox DLL files
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

File and Directory Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerpysilon

behavioral1

behavioral2

evasionexecutionpersistenceupx

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.