Overview
overview
10Static
static
10net8.0-win...er.exe
windows7-x64
1net8.0-win...er.exe
windows10-2004-x64
1net8.0-win...er.exe
windows7-x64
3net8.0-win...er.exe
windows10-2004-x64
7net8.0-win...ion.js
windows7-x64
3net8.0-win...ion.js
windows10-2004-x64
3net8.0-win...ion.py
windows7-x64
3net8.0-win...ion.py
windows10-2004-x64
3net8.0-win...px.exe
windows7-x64
5net8.0-win...px.exe
windows10-2004-x64
5net8.0-win...I2.dll
windows7-x64
1net8.0-win...I2.dll
windows10-2004-x64
1net8.0-win...on.dll
windows7-x64
1net8.0-win...on.dll
windows10-2004-x64
1net8.0-win...nt.dll
windows7-x64
1net8.0-win...nt.dll
windows10-2004-x64
1net8.0-win...on.bat
windows7-x64
1net8.0-win...on.bat
windows10-2004-x64
8net8.0-win...ll.bat
windows7-x64
1net8.0-win...ll.bat
windows10-2004-x64
1net8.0-win...nt.dll
windows7-x64
3net8.0-win...nt.dll
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 13:52 UTC
Behavioral task
behavioral1
Sample
net8.0-windows/Astral Stealer.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
net8.0-windows/Astral Stealer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
net8.0-windows/Astral Stealer.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
net8.0-windows/Astral Stealer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
net8.0-windows/Astral_assets/Injection/discord-injection.js
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
net8.0-windows/Astral_assets/Injection/discord-injection.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
net8.0-windows/Astral_assets/obfuscation/obfuscation.py
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
net8.0-windows/Astral_assets/obfuscation/obfuscation.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
net8.0-windows/Astral_assets/upx/upx.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
net8.0-windows/Astral_assets/upx/upx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
net8.0-windows/Guna.UI2.dll
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
net8.0-windows/Guna.UI2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
net8.0-windows/Newtonsoft.Json.dll
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
net8.0-windows/Newtonsoft.Json.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
net8.0-windows/System.Management.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
net8.0-windows/System.Management.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
net8.0-windows/install-python.bat
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
net8.0-windows/install-python.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
net8.0-windows/install.bat
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
net8.0-windows/install.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
net8.0-windows/runtimes/win/lib/net7.0/System.Management.dll
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
net8.0-windows/runtimes/win/lib/net7.0/System.Management.dll
Resource
win10v2004-20241007-en
General
-
Target
net8.0-windows/install-python.bat
-
Size
683B
-
MD5
d2582c98db5aad03be0d391a265f861b
-
SHA1
bb545f83d8d69c8a1a08cd773ddcb53689e8f57c
-
SHA256
44d62021bd4fa1870a45fc9f1b9bb978196987452688060a87ee97e4626fa4af
-
SHA512
268a5a71c70081ee8d6aa34d0a9158740712e174a70a0fac2972bd8fa812c34107ba2859d2f31391cc4b27f3f81a986160d9feb14880bdf02fe0c43567b2afbe
Malware Config
Signatures
-
Downloads MZ/PE file 1 IoCs
flow pid Process 8 4828 curl.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation python-3.12.2-amd64.exe -
Executes dropped EXE 3 IoCs
pid Process 2152 python-3.12.2-amd64.exe 5068 python-3.12.2-amd64.exe 1220 python-3.12.2-amd64.exe -
Loads dropped DLL 1 IoCs
pid Process 5068 python-3.12.2-amd64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language python-3.12.2-amd64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language python-3.12.2-amd64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language python-3.12.2-amd64.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeBackupPrivilege 2408 vssvc.exe Token: SeRestorePrivilege 2408 vssvc.exe Token: SeAuditPrivilege 2408 vssvc.exe Token: SeBackupPrivilege 4464 srtasks.exe Token: SeRestorePrivilege 4464 srtasks.exe Token: SeSecurityPrivilege 4464 srtasks.exe Token: SeTakeOwnershipPrivilege 4464 srtasks.exe Token: SeBackupPrivilege 4464 srtasks.exe Token: SeRestorePrivilege 4464 srtasks.exe Token: SeSecurityPrivilege 4464 srtasks.exe Token: SeTakeOwnershipPrivilege 4464 srtasks.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2836 wrote to memory of 4828 2836 cmd.exe 83 PID 2836 wrote to memory of 4828 2836 cmd.exe 83 PID 2836 wrote to memory of 2152 2836 cmd.exe 84 PID 2836 wrote to memory of 2152 2836 cmd.exe 84 PID 2836 wrote to memory of 2152 2836 cmd.exe 84 PID 2152 wrote to memory of 5068 2152 python-3.12.2-amd64.exe 85 PID 2152 wrote to memory of 5068 2152 python-3.12.2-amd64.exe 85 PID 2152 wrote to memory of 5068 2152 python-3.12.2-amd64.exe 85 PID 5068 wrote to memory of 1220 5068 python-3.12.2-amd64.exe 86 PID 5068 wrote to memory of 1220 5068 python-3.12.2-amd64.exe 86 PID 5068 wrote to memory of 1220 5068 python-3.12.2-amd64.exe 86 PID 2836 wrote to memory of 4640 2836 cmd.exe 100 PID 2836 wrote to memory of 4640 2836 cmd.exe 100 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\net8.0-windows\install-python.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\system32\curl.execurl -L -o python-3.12.2-amd64.exe https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe2⤵
- Downloads MZ/PE file
PID:4828
-
-
C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exepython-3.12.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=02⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe"C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=564 /quiet InstallAllUsers=1 PrependPath=1 Include_test=03⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe"C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe" -q -burn.elevated BurnPipe.{433118BB-7CD2-4ABC-A355-EF29F868719D} {D6B6EF45-B84D-4E6E-8900-2254F333C422} 50684⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1220
-
-
-
-
C:\Windows\system32\curl.execurl -L -o get-pip.py https://bootstrap.pypa.io/get-pip.py2⤵PID:4640
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestwww.python.orgIN AResponsewww.python.orgIN CNAMEdualstack.python.map.fastly.netdualstack.python.map.fastly.netIN A151.101.0.223dualstack.python.map.fastly.netIN A151.101.192.223dualstack.python.map.fastly.netIN A151.101.64.223dualstack.python.map.fastly.netIN A151.101.128.223
-
Remote address:151.101.0.223:443RequestGET /ftp/python/3.12.2/python-3.12.2-amd64.exe HTTP/1.1
Host: www.python.org
User-Agent: curl/7.55.1
Accept: */*
ResponseHTTP/1.1 200 OK
Content-Length: 26667456
server: nginx
etag: "65c2b5a6-196e9c0"
last-modified: Tue, 06 Feb 2024 22:41:42 GMT
content-type: application/octet-stream
x-clacks-overhead: GNU Terry Pratchett
via: 1.1 varnish, 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Age: 237295
Date: Fri, 24 Jan 2025 13:52:41 GMT
X-Served-By: cache-lga21944-LGA, cache-lga21940-LGA, cache-lcy-eglc8600085-LCY
X-Cache: MISS, HIT, HIT
X-Cache-Hits: 0, 71, 0
X-Timer: S1737726761.283000,VS0,VE1
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
-
Remote address:8.8.8.8:53Request223.0.101.151.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.66.101.151.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request188.77.23.2.in-addr.arpaIN PTRResponse188.77.23.2.in-addr.arpaIN PTRa2-23-77-188deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestbootstrap.pypa.ioIN AResponsebootstrap.pypa.ioIN CNAMEdualstack.c.ssl.global.fastly.netdualstack.c.ssl.global.fastly.netIN A151.101.192.175dualstack.c.ssl.global.fastly.netIN A151.101.128.175dualstack.c.ssl.global.fastly.netIN A151.101.0.175dualstack.c.ssl.global.fastly.netIN A151.101.64.175
-
Remote address:151.101.192.175:443RequestGET /get-pip.py HTTP/1.1
Host: bootstrap.pypa.io
User-Agent: curl/7.55.1
Accept: */*
ResponseHTTP/1.1 200 OK
Content-Length: 2275758
Content-Type: text/x-python
Last-Modified: Mon, 18 Nov 2024 17:04:16 GMT
ETag: "673b7390-22b9ae"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 varnish, 1.1 varnish
Accept-Ranges: bytes
Date: Fri, 24 Jan 2025 13:52:59 GMT
Age: 3810
X-Served-By: cache-iad-kcgs7200050-IAD, cache-lcy-eglc8600074-LCY
X-Cache: HIT, HIT
X-Cache-Hits: 78, 1
X-Timer: S1737726780.601882,VS0,VE4
-
Remote address:8.8.8.8:53Request167.57.26.184.in-addr.arpaIN PTRResponse167.57.26.184.in-addr.arpaIN PTRa184-26-57-167deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request175.192.101.151.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request181.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.173.189.20.in-addr.arpaIN PTRResponse
-
151.101.0.223:443https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exetls, httpcurl.exe487.9kB 27.5MB 10332 19708
HTTP Request
GET https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exeHTTP Response
200 -
49.1kB 2.4MB 1004 1700
HTTP Request
GET https://bootstrap.pypa.io/get-pip.pyHTTP Response
200
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
60 B 169 B 1 1
DNS Request
www.python.org
DNS Response
151.101.0.223151.101.192.223151.101.64.223151.101.128.223
-
72 B 132 B 1 1
DNS Request
223.0.101.151.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
133.66.101.151.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
188.77.23.2.in-addr.arpa
-
63 B 174 B 1 1
DNS Request
bootstrap.pypa.io
DNS Response
151.101.192.175151.101.128.175151.101.0.175151.101.64.175
-
72 B 137 B 1 1
DNS Request
167.57.26.184.in-addr.arpa
-
74 B 134 B 1 1
DNS Request
175.192.101.151.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
181.129.81.91.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
9.173.189.20.in-addr.arpa
-
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5f342256ee74ff8d8dfc95fdef9325a2f
SHA11bae613f32a12fc4dac9698d81048407a87db430
SHA25696e58b5962f307566141ea9b393e136cbdf811db9f02968dc5bc88f43989345c
SHA5126cb415947bd8d55a1e5fa76e35c394196048679533015ce64db05804599415837cfe4f490503cd467eadfc3475cca951941a5baba1ecca998b1d15e1f4053b58
-
Filesize
25.4MB
MD544abfae489d87cc005d50a9267b5d58d
SHA1af778548383c17cb154530f1c06344c9cced9272
SHA256b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65
SHA512e955f0bee350cd8f7e4da6a8e8f02db40e477b7465a77c8ecab46a54338c0a9d8acf3d22d524af2c45c25685df2468970ea1b70b83321c7f8e3fae230f3c7f16
-
Filesize
858KB
MD5ab21a1bea9e3eaab64a2c062ab613221
SHA1310b1f7921af8edf125eacba71944b6e5356acdf
SHA2561474dbd6a33da8f2f0b50007ba48f0c1ddb3e0e6f8c969722eed1e683a9af68a
SHA512b39b5a24bb7b2d3ead8aed284452c94280398a9e4855f17a8e3593fe718e9b3573e88b15f1dd4659030827e754b17e7f918ba24803e4d522ad9601167fb70df4
-
Filesize
675KB
MD58294dc8850dd596d0ce8455167496832
SHA15c75c685c95bee8c1a39187da8af46b6c7892757
SHA256565f03893da383e5bec8c6eaa7c8fbb3e6db0b9bddd5a1399b0dec66fa44d64d
SHA51221015ca201b64e3316f3d1ee32e4c562d0142111c1ed576f03aa078619fe656c56848b5998313af23aabb97293c5452be0e27d5c44878be5d90ac2d2d2f05851
-
Filesize
50KB
MD5888eb713a0095756252058c9727e088a
SHA1c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4
SHA25679434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067
SHA5127c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0