General
-
Target
Boostrapper.zip
-
Size
87.1MB
-
Sample
250214-e1m2aasjcq
-
MD5
27616850440e9d8eb88466b0478377f7
-
SHA1
5a4426560ca3c02876e1dca60ed9130d5d9258e1
-
SHA256
f46d32b7f318804b59c4fd9f41694ff4f8e2af3ed9d6af73904e811088f50fd4
-
SHA512
5f59dccf2a43959e1c71e31292df5d6fececb26a01279b1694ff63bded43fa1137af818578903e3585b5d257f3d5af268c5b3f9bca67cc7ac5d6055b6c6b1c87
-
SSDEEP
1572864:gDX63XiLgUzUmKoujuWQqGjY4DCBNlOneqPqbH8YGg9chFk0Imo7O0:gb6nUgUzUmVujuWb2Y4A4WHtaFk08Z
Malware Config
Targets
-
-
Target
Boostrapper.zip
-
Size
87.1MB
-
MD5
27616850440e9d8eb88466b0478377f7
-
SHA1
5a4426560ca3c02876e1dca60ed9130d5d9258e1
-
SHA256
f46d32b7f318804b59c4fd9f41694ff4f8e2af3ed9d6af73904e811088f50fd4
-
SHA512
5f59dccf2a43959e1c71e31292df5d6fececb26a01279b1694ff63bded43fa1137af818578903e3585b5d257f3d5af268c5b3f9bca67cc7ac5d6055b6c6b1c87
-
SSDEEP
1572864:gDX63XiLgUzUmKoujuWQqGjY4DCBNlOneqPqbH8YGg9chFk0Imo7O0:gb6nUgUzUmVujuWb2Y4A4WHtaFk08Z
Score8/10-
Downloads MZ/PE file
-
-
-
Target
New folder (8)/Boostrapper.exe
-
Size
87.4MB
-
MD5
328b232d2e73f6bb2c3b4527347e79dd
-
SHA1
0990cbef0acd7a8d98bd1f1ce69e117640e1c8aa
-
SHA256
ec6bdb22c9db50ee324c9a551ae60d13a79c05473951e4174646b6e09f491cfc
-
SHA512
a4758fadfbbe9ae8067921d69d4f78472d03ee0644875e9d7cf75443c516c0ce97311adfde5600126cef8a4c1695c801e201a3e471d3ca86e069715c7b440aa1
-
SSDEEP
1572864:b2GKlXebWesm/OkiqOv8im2A3+T9E7CliHiYgj+h58sMw5I5e3T9PcJFJZ:bnKRCZsm/OknOv8i36+TXwZ5FQe3TgJ
Score9/10-
Enumerates VirtualBox DLL files
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
discord_token_grabber.pyc
-
Size
17KB
-
MD5
e523026b612006e580e96bd9e2a8882c
-
SHA1
03b9938701f7eff11a0c3632ed805e8188598c88
-
SHA256
8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77
-
SHA512
a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853
-
SSDEEP
384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8
Score3/10 -
-
-
Target
get_cookies.pyc
-
Size
10KB
-
MD5
b38f506528b3d6d5dbd851426c347b95
-
SHA1
e91bf4ef42128267934e21be0176e552480f5977
-
SHA256
85a7c34afad2c270ca690a5b4c30cc8bf16967e623fc77f4de4497901030a93b
-
SHA512
ab110dc92eba564fd0ec6c6a75e779f588518dc1aa461f072ab02b96bc11fbe25e09faa6a556dc6a127c3e8826382697b72037a0cefbdaf32fd70a723e746295
-
SSDEEP
192:TzOCIeinQfUF9LdwOEVOFc1mNe47+o+zEzzzzz1zz+HoowAE:TzOUiQccEe4KoOIAE
Score8/10-
Downloads MZ/PE file
-
-
-
Target
misc.pyc
-
Size
5KB
-
MD5
31aa260c6cdeaa9d942cd0dcfcadd16a
-
SHA1
a6818f3acf5c2ab9d65b41a81cb92b36b85cc932
-
SHA256
b522284f1a7e518c269c0414160407ec7834a4397f85ef389433b49367b5df9c
-
SHA512
0dd277ef948315a3554bd8c5110e27afa9b2eac88defc1211771c050cdd27b3668484dec35ec5c5010bff00b62c2cebd9e7286c0b114ad28437719b42bd0fc2c
-
SSDEEP
96:DSajAihmJG4n3B4SmSSSSlSSSShDwegPbbVxlj0nIAEDS5ejmw01k9Bddpq:eYAfn3ySmSSSSlSSSSeeOPVxx0nIAZeQ
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
-
-
Target
passwords_grabber.pyc
-
Size
8KB
-
MD5
704dced7f7530b19a34a5f7a71c26b10
-
SHA1
608d9647488cfa2b5f84a891028168a973bfcfa9
-
SHA256
1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac
-
SHA512
e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f
-
SSDEEP
192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn
Score8/10-
Downloads MZ/PE file
-
-
-
Target
source_prepared.pyc
-
Size
185KB
-
MD5
802dcac26acd9f4b0c5a8d9a2ff0745e
-
SHA1
08d8f16b67b480acf3884e6e0501084b81d74856
-
SHA256
2dba45c9a3ce31f96712a61aa95ec78df4c9b80f5c46500bf0ce9bc9ab3e7721
-
SHA512
e3b5d5fdce53282b33dfb19cf128d4698e6220f1cccaa99b6187b79382246fba7e2b9a924a657a859fbe4d3d2a77f6275a5b7dfb189fe7ed93835b991a4e597c
-
SSDEEP
3072:ccHSLai9sA9MpcgSobPEtelZN+tVZa3Bcgh909Ckn0:clWi9lUSob8cN+7Za3Bcgh94Ch
Score8/10-
Downloads MZ/PE file
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
5Virtualization/Sandbox Evasion
1