General

  • Target

    a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682.bin

  • Size

    750KB

  • Sample

    250630-y4lgeavms4

  • MD5

    d7cd9f0bdfb48a65d47ed69f824d8bc3

  • SHA1

    fad5cba4fba25c4a3602dc298e9e9931324db394

  • SHA256

    a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682

  • SHA512

    ca433537520c808c982ac60566d48c649aba42d378c7e791e82bd1e45480a9b142e03ee22c0661b6a803b93f923dd51d44184cd09e23198cb0e454870aeb1fde

  • SSDEEP

    12288:2dOCaN7q0TsvBiIBPw2PjCLe3a6Q70zbpM:37q0TsLw2PjCS3a6Q70zbpM

Malware Config

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes
  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Targets


    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detects CyberStealer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser profile data, which can include saved credentials.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.
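To turn the behaviours listed above into checks that can run against host telemetry, the following Python is an added example; it is not part of the sandbox report and not CyberStealer's code. It evaluates simple rules over constructed, Sysmon-style event tuples. The C2 and pastebin URLs are the ones reported above; the Defender cmdlet parameters and the registry paths for the geo ID and Uninstall keys are standard Windows locations; the event format, process and file names, and the IP-lookup hostnames are assumptions made for illustration.

```python
"""Rule-based triage of host events against the signatures in this report.

Added example. Event tuples are (event_type, payload); the SAMPLE_EVENTS
below are constructed for illustration and are not real telemetry.
"""
import re
from collections import defaultdict

# Indicators taken from the report's extracted configuration.
C2_URL = "https://paxrobot.digital/webpanel/"
PASTEBIN_URL = "https://pastebin.com/raw/6K66Aeyr"

# (rule name, event type it applies to, case-insensitive regex on the payload)
RULES = [
    # Defender exclusions added via PowerShell (Add-/Set-MpPreference are real cmdlets).
    ("defender_exclusion", "ScriptBlock",
     r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b"),
    # Geo ID lookup: HKCU\Control Panel\International\Geo\Nation holds the configured country.
    ("geofence_check", "RegistryQuery",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    # Installed-software enumeration through the Uninstall key.
    ("installed_software_enum", "RegistryQuery",
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)"),
    # Chromium-style profile databases that hold saved credentials and cookies.
    ("browser_profile_read", "FileRead",
     r"\\(Login Data|Cookies|Web Data|Local State)$"),
    # Any file written under the system drivers directory.
    ("drivers_dir_drop", "FileCreate",
     r"^[A-Z]:\\Windows\\System32\\drivers\\"),
    # External IP discovery; the hostnames are assumed examples of such services.
    ("external_ip_lookup", "NetworkConnect",
     r"^https?://(api\.ipify\.org|ipinfo\.io|ifconfig\.me)(/|$)"),
    # Legitimate hosting abused as a loader / config source.
    ("pastebin_loader", "NetworkConnect", re.escape(PASTEBIN_URL)),
    # Direct contact with the reported web panel.
    ("c2_contact", "NetworkConnect", re.escape(C2_URL)),
]
COMPILED = [(name, etype, re.compile(rx, re.IGNORECASE)) for name, etype, rx in RULES]

# Constructed sample events (assumed names and paths; not captured data).
SAMPLE_EVENTS = [
    ("ScriptBlock", "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
                    "-ExclusionExtension 'exe' -ExclusionProcess 'svc.exe'"),
    ("ScriptBlock", "Get-MpPreference"),                       # benign noise
    ("RegistryQuery", r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"),
    ("RegistryQuery", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    ("RegistryQuery", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"),  # noise
    ("FileRead", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("FileCreate", r"C:\Windows\System32\drivers\dropped.tmp"),
    ("NetworkConnect", "https://api.ipify.org/"),
    ("NetworkConnect", PASTEBIN_URL),
    ("NetworkConnect", C2_URL),
]


def triage(events):
    """Return {rule_name: [matching payloads]} for every rule that fired."""
    hits = defaultdict(list)
    for etype, payload in events:
        for name, rtype, rx in COMPILED:
            if etype == rtype and rx.search(payload):
                hits[name].append(payload)
    return dict(hits)


def verdict(hits, threshold=3):
    """Flag the host when the reported C2 is contacted or enough distinct behaviours fire."""
    if "c2_contact" in hits:
        return "malicious"
    return "suspicious" if len(hits) >= threshold else "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, payloads in found.items():
        print(f"{name}: {payloads}")
    print("verdict:", verdict(found))
```

The Defender rule matches only `Add-MpPreference` and `Set-MpPreference` with an exclusion parameter, so routine `Get-MpPreference` calls do not fire; the `c2_contact` rule alone is treated as conclusive because the web panel URL comes straight from the extracted configuration, while the behavioural rules are scored collectively.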

MITRE ATT&CK Enterprise v16

Tasks