General
- Target: a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682.bin
- Size: 750KB
- Sample: 250630-y4lgeavms4
- MD5: d7cd9f0bdfb48a65d47ed69f824d8bc3
- SHA1: fad5cba4fba25c4a3602dc298e9e9931324db394
- SHA256: a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682
- SHA512: ca433537520c808c982ac60566d48c649aba42d378c7e791e82bd1e45480a9b142e03ee22c0661b6a803b93f923dd51d44184cd09e23198cb0e454870aeb1fde
- SSDEEP: 12288:2dOCaN7q0TsvBiIBPw2PjCLe3a6Q70zbpM:37q0TsLw2PjCS3a6Q70zbpM
Static task: static1

Behavioral task: behavioral1
- Sample: a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682.exe
- Resource: win10v2004-20250610-en

Behavioral task: behavioral2
- Sample: a86963b7d78c12b831dc01937b02d8c9ece46af4fac07b7c552398f9fb469682.exe
- Resource: win11-20250619-en
Malware Config
Extracted
- cyber_stealer: https://paxrobot.digital/webpanel/
- pastebin: https://pastebin.com/raw/6K66Aeyr
Targets
- Cyber_stealer family
- Detects CyberStealer
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate installed software.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)