General

  • Target

    CyberSniffer.rar

  • Size

    14.7MB

  • Sample

    250410-y8ejna11ds

  • MD5

    c642890bc1a1400dcd99335e7db4f3a9

  • SHA1

    82a173373fd92b1a67c76465e71e7892092afa36

  • SHA256

    602b9427b660f5fa3835cbc9801026731a38cfc1e102b04565a793bdd012a7b2

  • SHA512

    6c8f16a314120e2b202540224b42c17d6fdd688a87ff0afb958cd3d6d2817cb0a8a084ad572a83d5d09f1355000d9cc69ea6b056c602ed408c358472fe1aacbc

  • SSDEEP

    393216:HIHBIX+GFt3KeyjGnewLb3m/FwLDdusE+lEnDi/G0kNpPoqlI:oHBIOEtojGeGTm/Fw9q+6n+mNpPoqO

Malware Config

Targets

    • Target

      Cyber Sniffer/Cyber Sniff.exe

    • Size

      12.0MB

    • MD5

      1dc24869be83a3b3d12cd948b7de76d3

    • SHA1

      14662601b31ec28afcb33818bb4b15f54bd7cc74

    • SHA256

      249b19b21cd7ad84612c645872cfd19bc8c1232209e9a6d3392933375fea3601

    • SHA512

      ecea177e342d5154ad07295eaa80d5ff5dfd51739bfe92dc81c02c6f2f8bd3378f2563da5c5eb95e1070391aa826ac266c64b07d395d0244a987e3850ab42f48

    • SSDEEP

      196608:HEJYa+R+6FKIJo3icAKIXEcSN2wCKfPUFW5rS2s+YThPB9ivaU9LvZQ0:H8Y1KWFnrM2fKfPUFerjsH9ivftBp

    • Exela Stealer

      Exela Stealer is an open-source stealer, originally written in .NET and later ported to Python, that was first observed in August 2023.

    • Exelastealer family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information about the host's network.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Target

      Cyber Sniffer/CyberSniff.dll

    • Size

      2.2MB

    • MD5

      6bf3a2f9268f9cd99552aecfa10a6abd

    • SHA1

      ae49c79144df631328f74d08c806a0d999756eae

    • SHA256

      e23b27f3242ac9d3a94717eb06e20acbb229b125673430a3ac3dcfb7e73bc944

    • SHA512

      b46562ac5cc657a2166dd4fb6692a14d73b7e439c829c6db7591de767fc2e9c5a95276b785032e1d0a76cd5cc1e89b902a23813cbdf649eaf27bd89bf0ae6561

    • SSDEEP

      24576:Gj+JxH3eCsapypA2p7CjapypAZreCbapypAjl7CcapypAPW17:QweCsagP7CjagUeCbagE7CcagGW

    • Score

      1/10

    • Target

      Cyber Sniffer/DiscordRPC.dll

    • Size

      80KB

    • MD5

      9ed0cc60faa1ca995f75dc8b4bf407c4

    • SHA1

      87dc3a8ef47d8b2f6c0c4570adfe91188b7dc960

    • SHA256

      acfde5b1463c95832dd7757a0407d7b81584d1f2aa5175095ca88a47535b2557

    • SHA512

      9ae2c83aff79dbbde9ac3499a52398241cb9342eb12d3212dacebbaf5dd3d25fb1675b2a27982cbc77f1eb3f025ebc23b28581c40e374979d64fac3aad7c2771

    • SSDEEP

      1536:q+nxJexI0myeXrvyBuaekzvaUUozZPM9o+mnxVS49:q+nex5mRXrvyzTe9o+mR9

    • Score

      1/10

    • Target

      Cyber Sniffer/MaterialDesignColors.dll

    • Size

      295KB

    • MD5

      914c26874567d180a2dd407aa3fb12f6

    • SHA1

      bf2f6ffde84453a1fa559c485c2209ed5f6028f0

    • SHA256

      aed3efc36186c40c758df954b76f5be4a02eec64486c32aa65a2ca877ea5f21f

    • SHA512

      1af5d387b62cdcd03d1236461a82c00435ef00fdbb83fc0adf43ad6b64071d4fcc2384ff8eecc670be8915e4881524d1157190e452b6572b0702024ca45ef0f5

    • SSDEEP

      1536:LUNSzgEIbkIbRDu/UQXwQdU7fKoVxbdsuK:LpztIbRDKUok7fKoVxbpK

    • Score

      1/10

    • Target

      Cyber Sniffer/MaterialDesignThemes.Wpf.dll

    • Size

      8.7MB

    • MD5

      b6b346f60f7943ea6b0d2cd3e37cdea4

    • SHA1

      8af329bc72d78a449612bf0d3c9a7744afb71849

    • SHA256

      8c32f2872fb86c65c01dfea688afc48c22013672976219bc1ae2d2d16d285d8d

    • SHA512

      47174a9f9d70849328262b04d998aed3f01dd6acd896a3a5f1f1a0452ac2bc622114790d6915c1f5a43e040c7d5a3b9e9a4a64a28d06c5699111f333153b95ff

    • SSDEEP

      98304:COlXJDntBksKY+ND3WyA4+TLVei10vMzPv8/4C8B5XVS49Xzy83IiEcJMrCR2fS0:CSnJ45/9iD54+V11bFv4z

    • Score

      1/10

    • Target

      Cyber Sniffer/Newtonsoft.Json.dll

    • Size

      679KB

    • MD5

      916d32b899f1bc23b209648d007b99fd

    • SHA1

      e3673d05d46f29e68241d4536bddf18cdd0a913d

    • SHA256

      72cf291d4bab0edd08a9b07c6173e1e7ad1abb7ab727fd7044bf6305d7515661

    • SHA512

      60bd2693daa42637f8ae6d6460c3013c87f46f28e9b0dbf9d7f6764703b904a7c8c22e30b4ba13f1f23f6cbee7d9640ee3821c48110e67440f237c2bb2ee5eb6

    • SSDEEP

      12288:1eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQk:10/POdGV5jfW5VnhFyvOB7jW5JMty

    • Score

      1/10

    • Target

      Cyber Sniffer/PacketDotNet.dll

    • Size

      279KB

    • MD5

      a6a8334de471f57cea7dfd133b435a59

    • SHA1

      c889fd7f49eb8afc5a4f8e8bd3bfbc003d2cde70

    • SHA256

      4cff6d1abafbb93b79632b2a2f4990b93bdbdf1c2bb6965629bb9e085ec3e8e3

    • SHA512

      e2f98d3417800edc32780c120e05ab0212e5ac0aef301c107d17cd49846c82cf6d5bddd8ffbd93f051bc3f232cec3837e639241ecbe09ab2a9b9c3334929fd2c

    • SSDEEP

      6144:7Y2fkCf7xFIPxmdRBqeZ/PAJ3JARB7+iN9L7Y9mYRGj:7ACf7xFjRBqeZ/P1B7+iN9Q0

    • Score

      1/10

    • Target

      Cyber Sniffer/SharpCompress.dll

    • Size

      548KB

    • MD5

      76cb31819dad5b386cf995b9ca13a76c

    • SHA1

      fc526128f986aeebed2829296c4c54108d84551f

    • SHA256

      963e2620197e09a3e246ce1e751b042c849f78f84b5e472517510d113b9965bc

    • SHA512

      47fadb24407a080fd8434568c798f134b2ff947cee83c938f8ff3e047c864f25e31a7fbd84fff89030037d7e6e0d2a11c2a990a43d4a81073b38fea9ba807cbb

    • SSDEEP

      6144:xRNu3An7qcTExl69Jr0ayPkvmadx+liQZh6c7K03BpMXSEoMmT:xRNuwNSl695pDd2h6mVBpmza

    • Score

      1/10

    • Target

      Cyber Sniffer/SharpPcap.dll

    • Size

      68KB

    • MD5

      0ba9a0e2f4c6122cbd221f9487e6edd0

    • SHA1

      bd28b2e5ed1a2de6172b678f40fcf15cad0a4082

    • SHA256

      9653c299268b81788ec3d9d30ce75e92f8d14846e8428254d80702c46a857938

    • SHA512

      29f85ec19986578feb3890f3c772e4d4a3aee09034cf597e24a77baf53ee001766229cadc1ef623111fdf35f594f63900a25e3157b21a6b62fe6a5f8c2be2f79

    • SSDEEP

      1536:S6H0fdjXIxhoM4zlUmOMxMjzijzYjzdjzSZGNfwvC0ZQzjh:RyIt4pUwMjzijzYjzdjzKGNfJ0ZQR

    • Score

      1/10

    • Target

      Cyber Sniffer/SimpleInjector.dll

    • Size

      443KB

    • MD5

      f41812a9dd2000c8ed266b0fdde6448f

    • SHA1

      099b4ad395479dde5948e4a384cd6aa3ba76829b

    • SHA256

      b8da962f4852afee72c179695d7bb0de950e6fb55634a38b36433efc19c6b784

    • SHA512

      2587c94ecd292f8dedb19228ae9f03c92218f43fc89fcf4cd2a68ff7b5d50627c2d42618bcef924d15ae7d8703a803e8309e082b2bafbb00c53d874d22e31598

    • SSDEEP

      6144:HSuyk1Ao4/Xl2+YGAxKeQypviRfW4C4TxHKbdMiPjxUO2:HMkYUEANiBnpKbFUf

    • Score

      1/10

    • Target

      Cyber Sniffer/System.Management.dll

    • Size

      284KB

    • MD5

      83cda4cc597e6a0b2ebbd1b8f41e94d3

    • SHA1

      10415fa323a21d412eb36e583a98385088065d61

    • SHA256

      aa474c96b9fd17cb3580d89bb8eb716cb1407c89026b5e8180402666eeeb766a

    • SHA512

      ff7d869d416e3c47c082b8bd2d6907bbbe457d17d093cd84f66d42b978d143c088e008388041b440b01f7d82e373dde9b1b5c1acfd9553f98a63fa579d7ec8d2

    • SSDEEP

      6144:HG17jgxtTSfK7JK7XUUmhOzZiRZHhGASipzvZhHcx:HG17jgfefK747ZmhOzZiRZH2wgx

    • Score

      1/10

    • Target

      Cyber Sniffer/WpfAnimatedGif.dll

    • Size

      42KB

    • MD5

      bd86598613f23b58a5e11ce0023fb14a

    • SHA1

      3fdfc27d65d4c271f40af0bebc88b894de83b2f8

    • SHA256

      091c944f2db95521f9190319173f17848d515da8f5a2374a0ab680406ba65914

    • SHA512

      26351713cd36f2504d32f0ca980c51fdc5c225b5ae4af1418a2cdf42aac285b82970d902dfbf3eb52c6600878ee594f76deadc30823f0048e689a83b56cc11eb

    • SSDEEP

      768:o4F3ZIiQwls5bcabDFfQe/sYKRGbIoCHQyv6UuY4xVqvW:o4F3ZIiQwlQbDJb/sYKRGnCwyJt4Hd

    • Score

      1/10

MITRE ATT&CK Enterprise v16

Tasks