empyrean | 094808c3a439d8e8b8f26b1deb2a8f870ef2807d3af2efe8ef122d7f7defc9ad | Triage

Submit
Reports

Overview

overview

Static

static

Mw16 chair.exe

windows7-x64

7

Mw16 chair.exe

windows10-2004-x64

7

Resubmissions

02-01-2025 22:04

250102-1y3vlsxmbz 10

02-01-2025 17:10

250102-vp68sayqbw 10

02-01-2025 16:48

250102-vbc3sa1pdl 10

Sharing

General

Target

Mw16 chair.exe
Size

38.6MB
Sample

250102-vbc3sa1pdl
MD5

29e6c7c04a6b3c941b0822fa2c5fa877
SHA1

b3a17c472737c60924ac16350299a64e33782005
SHA256

094808c3a439d8e8b8f26b1deb2a8f870ef2807d3af2efe8ef122d7f7defc9ad
SHA512

0748c9c072899f284f315bbe5416196919bbb2c82bbe6328931955347b31edd72b0d3e778b3447e090c639cc839472f9f269520fbce0f116d9bff3260bd3484d
SSDEEP

786432:BPclT+3fr3DPLFXNricwQhEfILwbTgpfePclT+3fr3L:oT+3fr3DLFdMQhEg8bgBT+3fr3L

Score

10^/10

empyrean discovery persistence privilege_escalation pyinstaller spyware stealer upx

Static task

static1

pyinstaller empyrean

4 signatures

Behavioral task

behavioral1

Sample

Mw16 chair.exe

Resource

win7-20240903-en

discovery pyinstaller upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Mw16 chair.exe

Resource

win10v2004-20241007-en

discovery persistence privilege_escalation pyinstaller spyware stealer upx

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  Mw16 chair.exe
- Size
  
  38.6MB
- MD5
  
  29e6c7c04a6b3c941b0822fa2c5fa877
- SHA1
  
  b3a17c472737c60924ac16350299a64e33782005
- SHA256
  
  094808c3a439d8e8b8f26b1deb2a8f870ef2807d3af2efe8ef122d7f7defc9ad
- SHA512
  
  0748c9c072899f284f315bbe5416196919bbb2c82bbe6328931955347b31edd72b0d3e778b3447e090c639cc839472f9f269520fbce0f116d9bff3260bd3484d
- SSDEEP
  
  786432:BPclT+3fr3DPLFXNricwQhEfILwbTgpfePclT+3fr3L:oT+3fr3DLFdMQhEg8bgBT+3fr3L
Score

7^/10

discovery pyinstaller upx persistence privilege_escalation spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerempyrean

behavioral1

discoverypyinstallerupx

behavioral2

discoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

© 2018-2025

Terms | Privacy