General
- Target: ByfronBP.exe
- Size: 23.4MB
- Sample: 250411-k4lwaavpx9
- MD5: 9ecdcd68f8ba8ee3590124b409175a99
- SHA1: c17f5267e05b167acb72280fdb01747fb1e20108
- SHA256: 00729f82b26a8fca859a4aa9a718df03d2e1deaf57c93004dbecffb89ce2e970
- SHA512: 13d257093572184d86ebe77f0067dba3b376d58ed25853af2fe95bd2d9b758892daaec64c9fc370797ec8c1b02f2e1a22e02509e6124f6d72627d228d08288d6
- SSDEEP: 393216:FqPnLFXlrgzIxBZgQhMDOETgsvcGzCcgNi9ri77FHsZjOI0r06EPXYMZO:8PLFXNgkyQhREcciYM7WNF01EzY
Behavioral task: behavioral1
- Sample: ByfronBP.exe
- Resource: win10v2004-20250410-en

Behavioral task: behavioral2
- Sample: main.pyc
- Resource: win10v2004-20250410-en
Malware Config
Targets

Target: ByfronBP.exe
- Size: 23.4MB
- Hashes: as listed under General above (same file)
Detected behaviors:
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory

Target: main.pyc
- Size: 7KB
- MD5: 9be288e160511cb7167db814b448fe97
- SHA1: 3b0abc31f4cd3e719f0d680cb5d6fcca8eef5389
- SHA256: 53ff3d0a5c6a1ed972adb415d7ddcaf666d3e0d55793f579923a758908ec64a7
- SHA512: c433a39e9db1e57783fe47c515e8b602693d1791882192c69b0f0189caa9f4137cf593eab21aa8e5762afc63fc3900826686f5823e32ed0d160b4c8486e5f868
- SSDEEP: 192:wDRD4nD8HRhWdXw5sDtt8r6JhwCMdw2nw:QR8WPWu5g4+2CP2w
- Score: 3/10
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)