Overview

overview

10

Static

static

10

250210-xfd...ed.zip

windows10-ltsc 2021-x64

8

source_prepared.exe

windows10-ltsc 2021-x64

9

discord_to...er.pyc

windows10-ltsc 2021-x64

8

get_cookies.pyc

windows10-ltsc 2021-x64

8

misc.pyc

windows10-ltsc 2021-x64

6

passwords_grabber.pyc

windows10-ltsc 2021-x64

3

source_prepared.pyc

windows10-ltsc 2021-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    250210-xfdafs1phn_pw_infected.zip

  • Size

    116.1MB

  • Sample

    250211-xqma4sxrht

  • MD5

    18d627b24037f9912d0dc0ac0ce83f25

  • SHA1

    693ba09eb9fc2d8dd33b174478a52c09ce8e7d29

  • SHA256

    4543c86762a7355eb1013bfc90d256710fb2bcbbd29f3e670bed52c147bf78ba

  • SHA512

    8aa16089709924fc4d2dd9dbd26edae71ddd1f0994ee6226c9a1ecb111deeb5af440242a6a866568a33de0d6eb220a94a7a6caafc749bbca864ae8d7f8927e45

  • SSDEEP

    3145728:29xHh5v2iaX70KRwpm6DfdL4r3hf2AmPuwD3GEFdqPCsKYyvgY:SxBM170KyBDfpCjmmA3GEFdZYyvgY

Score
10/10
pysilondefense_evasiondiscoveryexecutionpersistencepyinstaller

Malware Config

Targets

    • Target

      250210-xfdafs1phn_pw_infected.zip

    • Size

      116.1MB

    • MD5

      18d627b24037f9912d0dc0ac0ce83f25

    • SHA1

      693ba09eb9fc2d8dd33b174478a52c09ce8e7d29

    • SHA256

      4543c86762a7355eb1013bfc90d256710fb2bcbbd29f3e670bed52c147bf78ba

    • SHA512

      8aa16089709924fc4d2dd9dbd26edae71ddd1f0994ee6226c9a1ecb111deeb5af440242a6a866568a33de0d6eb220a94a7a6caafc749bbca864ae8d7f8927e45

    • SSDEEP

      3145728:29xHh5v2iaX70KRwpm6DfdL4r3hf2AmPuwD3GEFdqPCsKYyvgY:SxBM170KyBDfpCjmmA3GEFdZYyvgY

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral1

    • Target

      source_prepared.exe

    • Size

      116.7MB

    • MD5

      3a6f5832b8f5c692ee5ca00030196baf

    • SHA1

      00e759c77dcd58370d4710aa62f564c15d69cdfc

    • SHA256

      05b20a00303c619e731a2f13f25d677a23f976ec5ceb5fca4d7d79c18fab3500

    • SHA512

      5fc3c0dedddeafad724684f781c99190cb257d8068ca5a656effb2d6b0f01cf0cc2b91f6d31c74ce78834153b28a885cade7929c392c2c4fb5fbc7143551b993

    • SSDEEP

      3145728:4cN7eCRZeibJjz9wHE8/2qHO5iCpBnG0iWMstB2OxyKLuMV6:nN7JN1Zw/NHCiWhieB1

    Score
    9/10
    defense_evasionexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral2

    • Target

      discord_token_grabber.pyc

    • Size

      17KB

    • MD5

      e523026b612006e580e96bd9e2a8882c

    • SHA1

      03b9938701f7eff11a0c3632ed805e8188598c88

    • SHA256

      8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77

    • SHA512

      a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853

    • SSDEEP

      384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3

    • Target

      get_cookies.pyc

    • Size

      10KB

    • MD5

      b38f506528b3d6d5dbd851426c347b95

    • SHA1

      e91bf4ef42128267934e21be0176e552480f5977

    • SHA256

      85a7c34afad2c270ca690a5b4c30cc8bf16967e623fc77f4de4497901030a93b

    • SHA512

      ab110dc92eba564fd0ec6c6a75e779f588518dc1aa461f072ab02b96bc11fbe25e09faa6a556dc6a127c3e8826382697b72037a0cefbdaf32fd70a723e746295

    • SSDEEP

      192:TzOCIeinQfUF9LdwOEVOFc1mNe47+o+zEzzzzz1zz+HoowAE:TzOUiQccEe4KoOIAE

    Score
    8/10
    defense_evasiondiscovery

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral4

    • Target

      misc.pyc

    • Size

      5KB

    • MD5

      31aa260c6cdeaa9d942cd0dcfcadd16a

    • SHA1

      a6818f3acf5c2ab9d65b41a81cb92b36b85cc932

    • SHA256

      b522284f1a7e518c269c0414160407ec7834a4397f85ef389433b49367b5df9c

    • SHA512

      0dd277ef948315a3554bd8c5110e27afa9b2eac88defc1211771c050cdd27b3668484dec35ec5c5010bff00b62c2cebd9e7286c0b114ad28437719b42bd0fc2c

    • SSDEEP

      96:DSajAihmJG4n3B4SmSSSSlSSSShDwegPbbVxlj0nIAEDS5ejmw01k9Bddpq:eYAfn3ySmSSSSlSSSSeeOPVxx0nIAZeQ

    Score
    6/10
    discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5

    • Target

      passwords_grabber.pyc

    • Size

      8KB

    • MD5

      704dced7f7530b19a34a5f7a71c26b10

    • SHA1

      608d9647488cfa2b5f84a891028168a973bfcfa9

    • SHA256

      1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac

    • SHA512

      e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f

    • SSDEEP

      192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn

    Score
    3/10
    behavioral6

    • Target

      source_prepared.pyc

    • Size

      185KB

    • MD5

      79a120f52f8bd01e78f435c6603f0019

    • SHA1

      43610bc837c6e3f5003e322a1628ba312990d35b

    • SHA256

      c4c235a06f2e1e7aee09b84efcea5e16468a780b6b289e7ed76628156b921933

    • SHA512

      383fa7e2bf4d6c376cbfaa8e3bdf27dd0c78e70520d3ad18c58f8839404bc723bb409cc8e5b22251b1b94b3a6fbf4be17fa3f87e5ad454fffa6c848c14f9ae03

    • SSDEEP

      3072:IJ2La+fIA9MXUCeolPEtelZN+tVZactGgjHBeCkn0:IYW+fpweol8cN+7ZactGgjHkCh

    Score
    3/10
    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

File and Directory Discovery

1
T1083

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks