Malware Analysis Report

2025-08-11 04:38

Sample ID 250119-pczqaawqdw
Target Driver3.0.exe
SHA256 451a9144749655514c6cb9b2a5f798228e43ba7be372cbefd1bc6d00d0cb206c
Tags
pyinstaller discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

451a9144749655514c6cb9b2a5f798228e43ba7be372cbefd1bc6d00d0cb206c

Threat Level: Shows suspicious behavior

The file Driver3.0.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Detects Pyinstaller

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 12:11

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 12:11

Reported

2025-01-19 12:14

Platform

win10ltsc2021-20250113-en

Max time kernel

101s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe

"C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe"

C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe

"C:\Users\Admin\AppData\Local\Temp\Driver3.0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI46682\python38.dll

MD5 2b5f50cc676c7fe476062064155da697
SHA1 d04fe5c342549e83bceb15294f029382946ba3c8
SHA256 59db58d5a51d258ee980298fd429f40bf373a0ba81c5e0625925fc7a46c809a7
SHA512 1d98e097cb054fd9428b4ffa6241eeed87bc160b0968c5eecffc5288ec88df8d3632d77c759a0919bfddf50ca989d4c542361dcccfa669b6ea30f2211707947d

C:\Users\Admin\AppData\Local\Temp\_MEI46682\VCRUNTIME140.dll

MD5 e4ca3dce43b1184bb18ff01f3a0f1a40
SHA1 604611d559ca41e73b12c362de6acf84db9aee43
SHA256 0778c7e17016895bb6962a9774acc5568afa1a50ba309b7d9726c89dad70bdbf
SHA512 137c884afa1b0b731bbd523abb47b83f31487a6ca051487292bc2a9eb7f103a0d3974fa743014018bd564be957210bdcd62c822f4ffb6441aee23b444c23e812

C:\Users\Admin\AppData\Local\Temp\_MEI46682\base_library.zip

MD5 563ca59463328fd39b4e8cc1553652e2
SHA1 083bd40ea0bbb1b47a8f929723fd69fe54848acf
SHA256 785a948e8d6071e04745cbb8bc0e85a52633a3a6593f2ee2179e2166b8383dde
SHA512 b2cabb7bbaa5752366981938239c508f535fee2b796fec4a46b0dc1cab9017712d00c1795b336ee82c08e6e71fd62bd2778448fa6a74e1ce3a287764a522684e

C:\Users\Admin\AppData\Local\Temp\_MEI46682\python3.DLL

MD5 b9d69e6cc10b50367db83dab09bb33ce
SHA1 ce69f30320216ffe1a5da59d2f3e320486141fcb
SHA256 dffc357e3fdc3277b4337f27f75248a19f6628c7d2b855e4ca8fffddeac716e3
SHA512 7b09e7d5a424aa56e10a71d2bc87345e97b8156d03012de84397992477860ae14320f59551835ff3722cff0fdfa2f881a526098ab33d019b0c677a89e24241d0

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_ctypes.pyd

MD5 9920db5cdbcd1e69591ec24566a6eda1
SHA1 0a0ddbdd707a99df9db5374303d77e601496aed4
SHA256 d17a08eb7744162192eec8c99fbc2a6781bc9fba915d3751e6cd1d25b81d4dd1
SHA512 de95fdf48e3c95c9a714bff4e27db29733fc128a1211ada013f8e3e4cb9e50eb134aeaacb0f6e01afc09418591da19de1f6a5152f6256064af9d61a89c10ace6

C:\Users\Admin\AppData\Local\Temp\_MEI46682\libffi-7.dll

MD5 bc20614744ebf4c2b8acd28d1fe54174
SHA1 665c0acc404e13a69800fae94efd69a41bdda901
SHA256 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_socket.pyd

MD5 c60d80f1f1f35f1e923c452b3c67f326
SHA1 156d792b770aa6eaee002099f13a129d424ac8f9
SHA256 568971a512409e205b9242171bb55daa120b8d6b6faec2f7a30415ec13ab83e7
SHA512 9f499cb40a31dbc62af3ac36c5eae961a392654147ba2ea01f647decddf2712e4ecddd2accf9e313c855d381ecf61930c61ded0c77bfae52c5d570a977aa1c71

C:\Users\Admin\AppData\Local\Temp\_MEI46682\select.pyd

MD5 18fb38786f8b0d9054a5f81e41fa4293
SHA1 f0c93d17012dca9b89039667d2d9367b40f991c1
SHA256 fced60bdf3e79c48407e4f903469ab7a36ecf304cbf03e65eb712da6529aae98
SHA512 4aaf6276665dca76696b5801f7a82900dcec3e7eeb56787678d65551dd26ab6b9aabac0dc218b6306ad39408044498fb98a95e7bd4cb70662f68c68c55caf602

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_ssl.pyd

MD5 0de0a1a820602c7014009c03d8a34690
SHA1 6ee30a699b00360bfecde274cf5393e0b33f694c
SHA256 da498586b6b7831bec4fecdb2f0420b88d5ae64293c88c4c4fb3fa3715ed71fa
SHA512 47f77bb81f7f90fbccf3ffd41b3fb55d8422319d4a5eb93a13b54fa7f0288db4f798ae6ce4bc3d3c2b9d6d4ff75c9fc2729e90ff3a7aa3cfcf20732fac8a37ed

C:\Users\Admin\AppData\Local\Temp\_MEI46682\libcrypto-1_1.dll

MD5 c7298cd5232cf8f6e34b3404fc276266
SHA1 a043e0ff71244a65a9c2c27c95622e6cc127b932
SHA256 1e95a63b165672accde92a9c9f8b9052c8f6357344f1376af9f916aeeb306da3
SHA512 212b0c5d27615e8375d32d1952beee6b8292f38aae9c9612633839c4b102fcdb2555c3ee206f0df942df49cddb1d833e2773d7dc95a367a0c6628b871d6c6892

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_hashlib.pyd

MD5 330910a91b474545512d5b1b1576b8dc
SHA1 db4bdf2869ad1ea2109d43704ad104562c069b55
SHA256 15a177ffaceeda7d420a0046f04618499ae6b5ef6b02bfb1a0d682ef9d464eb9
SHA512 9e3786af1121a4a27b4e0bf71058ea60c559401015402d5c8d0b4ac3b8b948b3d410852adf04ed840db4a92cabb8a632a643b7ca8a2af92f751139ad46fe3fef

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_bz2.pyd

MD5 b85b771a656911b152925434e948e5b6
SHA1 38549c9a3c19f7672ced7739b6ef39e59e6f15e7
SHA256 c0a8cbcb8dd86d43b179698cc94ef3664ec1f69868f1249088376928477c6c24
SHA512 e425a239e4b6ecdb0a6762576816dea3c4f608a0df94b804c6f58db2d42db3690928da63f53e7d83d8745b2e8188b35aed25249fa13455eeceb001eaf51d6080

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_lzma.pyd

MD5 78457883e270ba94f462ee6fd9991bfb
SHA1 c425f8d1592c002cdbfec1659f052e5d70b60a20
SHA256 b1c72ea095304b09439499454ba2738b2332664859b25e3b590102ac38a64562
SHA512 2695da6045d3c9cbd846582f05ec547c29dc2e5c27796cf765f8c4e2587537285e9c9aeed86451d55689d75803ed2e72b7ead36c3b236201a6b7715938c3e0f0

C:\Users\Admin\AppData\Local\Temp\_MEI46682\cryptography\hazmat\bindings\_rust.pyd

MD5 37c5ac5332d0dee2784ef2fc1da72c98
SHA1 d9e65ebeb10ddaff996b38cad1c109c6671cbb3a
SHA256 c5fbbd2e7daaa8aa3a5e3937621b191b7eda09a3ab686f347b100dc18d32fc96
SHA512 4cf6a01a0730cba2b60609d9f3cb0ec3cd4ec35b7e16345da91febb59395a477af1e264463e0eb30e9f76a8be71dbbcab7d4b708bb517fd7444a88e8b6fe1d4e

C:\Users\Admin\AppData\Local\Temp\_MEI46682\_cffi_backend.cp38-win32.pyd

MD5 0902dd1a037f758905320782eb5b5789
SHA1 60f7a41259a3e4427967a17e764f177e1782301c
SHA256 c93ecec95e754ef9604af91cac523d2bdbe86ae803a37d1cfeefb00da977fb95
SHA512 4283447337fabc6d8375055072c2d926a72e2767077d86b789158a41664b8fc426a3258c2676a12ba97e955c77254c5ad8f700148a691527dc623052327bbe29

C:\Users\Admin\AppData\Local\Temp\_MEI46682\unicodedata.pyd

MD5 e1f715fcd3c852a016084d4d78fbeaae
SHA1 30c45e9a42a52047c091cef0060e0d1daea20a32
SHA256 f11480cb47ee949bcda4fb9e0d345dd4f0c23bfce691df90cf352ab9503b934e
SHA512 b925054397a151e8cee195dc17afb79fa260288fd6e5dee59a5d99c5c5cf300d718b52051bba67503e09085bd277710bab9109940d52a74f080315be45bebf21

C:\Users\Admin\AppData\Local\Temp\_MEI46682\cryptography\hazmat\bindings\_openssl.pyd

MD5 30e87036433cb25bf2ece650e90aec3f
SHA1 23d509e09be0af5a3c4d486dedec14e9143be4d8
SHA256 dc6a770ab8f499f66b9ea96fbefd05cb17aaa1dd9cf0ba24234c5836befe6443
SHA512 8bed1f6908cc91c2a4adf7e1f835ed4b92a1217d77c548be1acf1f59e919077ee2a4969a928ce4867974627cdc624510152aa4838db4930a920d9127693dc7c7

C:\Users\Admin\AppData\Local\Temp\_MEI46682\libssl-1_1.dll

MD5 9c266951ad1d135f50884069b4f096b7
SHA1 8d228026bf26ee1c83521afd84def1383028de52
SHA256 06958c63049e2d7fe1f56df3767e884023a76bba1f41319f7fab3439b28174c5
SHA512 df7fcc98246cd5cd37bd5b8bb3eb5e4849c0f7c1098108b8a591611a2185999d353e42d150edf68c0b02ac3bec704f407eb35ebd7c540f6a8224a4ab498bc19f