cf0b47eafa7787a698bc8dbb62d18f1d16d0659ff7bd7e6312ccb50b08b754b6

Analysis

max time kernel
74s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2025, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

net8.0-windows/Astral Stealer.exe
Size

139KB
MD5

726c717d3e26f216b316f169ae4befd2
SHA1

673efa718917cfd5685a3fa91f8ca0607ee59bda
SHA256

1e7a930303762a3a1f8678da099225d9276d1a9fa16ced07a9fb4f14e0201bd9
SHA512

2438ec07d41d19f7c4aa1885408784f5d68bcf979b5481cf0de14bfdb5d91d9b96ef6d651291733e4141e4b8f23bbb139baa04ebb92033ca9c4b9797519adb52
SSDEEP

3072:PiS4omp03WQthI/9S3BZi08iRQ1G78IVn2sbS7cJp8lt2:PiS4ompB9S3BZi0a1G78IVAcLct

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Astral Stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Astral Stealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Astral Stealer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 460	3092	Astral Stealer.exe	77
PID 3092 wrote to memory of 460	3092	Astral Stealer.exe	77

C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Astral Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\net8.0-windows\Astral Stealer.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c pyinstaller --onefile --name --version-file=./Astral_assets/version/version.txt .py
  2⤵
  PID:460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads