General
-
Target
18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.bin
-
Size
750KB
-
Sample
250630-yjvvcastas
-
MD5
253a3f0a9e67457239a9648d01e3e244
-
SHA1
7d6aa210b3a4759703beb92a1ef4c59294b6a575
-
SHA256
18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286
-
SHA512
7ebdf5a3bb92f352c8d82957af8eae6787d0f888b2bc8054a24898c18a01919b76ba95e069c27fdd4947f1372f96c8606081cb0d55c7b62f333e3b229a4865cb
-
SSDEEP
6144:dNzn4giqNnzaw11Hpg/bE9Rjdcuqnzflksr+BWmtpZQYS2PjCLfjSCpkALDUbr0n:dd/Iyg2Pw2PjCLe3a6Q70zbpM
Static task
static1
Behavioral task
behavioral1
Sample
18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.exe
Resource
win11-20250619-en
Malware Config
Extracted
Family
cyber_stealer
-
Panel URL
https://paxrobot.digital/webpanel/
-
Pastebin
https://pastebin.com/raw/6K66Aeyr
Targets
-
Target
18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.bin
-
Cyber_stealer family
-
Detects CyberStealer
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is not scanned.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, most likely as a geofence check before running the payload.
-
Executes dropped EXE
-
Checks installed software on the system
Looks up entries under the registry Uninstall key (Software\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate installed software.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
The extracted configuration points at a Pastebin raw paste (see Malware Config above).
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
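The signatures above describe what the sandbox observed. As an added example, not part of this report or of the sandbox's own rule set, the script below matches the same behaviours in endpoint telemetry: a Defender-exclusion PowerShell command line, a read of the Geo\Nation country code, enumeration of the Uninstall key, an external-IP lookup, a paste-site contact and a file written under System32\drivers. The event schema, the sample events, the IP-lookup and paste-site host lists and the scoring threshold are all assumptions made for illustration; the `loader.exe` name and every path in the sample events are invented.

```python
import re

# Constructed telemetry standing in for what a sandbox or API-hooking EDR records.
# Field names borrow Sysmon's naming (Image, CommandLine, TargetObject,
# TargetFilename, QueryName) but the "type" values and every record are made up
# for this example; none of it is real output from the analysed sample.
SAMPLE_EVENTS = [
    {"type": "process",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell -nop -w hidden -c \"Add-MpPreference "
                     "-ExclusionPath 'C:\\Users\\Public' -ExclusionExtension '.exe' "
                     "-ExclusionProcess 'loader.exe'\"")},
    {"type": "registry", "Image": r"C:\Users\Public\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
    {"type": "registry", "Image": r"C:\Users\Public\loader.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "dns", "Image": r"C:\Users\Public\loader.exe", "QueryName": "api.ipify.org"},
    {"type": "dns", "Image": r"C:\Users\Public\loader.exe", "QueryName": "pastebin.com"},
    {"type": "file", "Image": r"C:\Users\Public\loader.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\update.exe"},
    # Benign control record: must not trigger anything.
    {"type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# Assumed host lists; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me",
                   "checkip.amazonaws.com", "api.ip.sb"}
PASTE_HOSTS = {"pastebin.com", "paste.ee", "rentry.co"}

# One rule per sandbox signature: (signature name, predicate over an event).
RULES = [
    ("Command and Scripting Interpreter: PowerShell",
     lambda e: e["type"] == "process"
     and re.search(r"powershell|pwsh", e.get("Image", ""), re.I)
     and re.search(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)",
                   e.get("CommandLine", ""), re.I)),
    ("Checks computer location settings",
     lambda e: e["type"] == "registry"
     and re.search(r"\\Control Panel\\International\\Geo\\", e.get("TargetObject", ""), re.I)),
    ("Checks installed software on the system",
     lambda e: e["type"] == "registry"
     and re.search(r"\\CurrentVersion\\Uninstall\\", e.get("TargetObject", ""), re.I)),
    ("Looks up external IP address via web service",
     lambda e: e["type"] == "dns" and e.get("QueryName", "").lower() in IP_LOOKUP_HOSTS),
    ("Legitimate hosting services abused for malware hosting/C2",
     lambda e: e["type"] == "dns" and e.get("QueryName", "").lower() in PASTE_HOSTS),
    ("Drops file in Drivers directory",
     lambda e: e["type"] == "file"
     and re.search(r"\\System32\\drivers\\", e.get("TargetFilename", ""), re.I)),
]


def match_signatures(events):
    """Map each signature name to the indexes of the events that triggered it."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(idx)
    return hits


def parse_defender_exclusions(cmdline):
    """Recover what an Add-MpPreference call excluded, keyed by exclusion kind.

    Useful in IR: these are the exclusions to remove with Remove-MpPreference.
    """
    found = {}
    for kind, value in re.findall(
            r"-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"\s]+)", cmdline, re.I):
        found.setdefault(kind.capitalize(), []).append(value)
    return found


def verdict(hits):
    """Assumed scoring: three or more distinct behaviours in one run is malicious.

    Single hits stay 'suspicious' because a Geo\\Nation read or an Uninstall
    key walk is also done by plenty of legitimate installers.
    """
    n = len(hits)
    return "malicious" if n >= 3 else "suspicious" if n else "clean"


if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS)
    for name, idxs in hits.items():
        print(f"[{name}] events {idxs}")
    print("Defender exclusions:", parse_defender_exclusions(SAMPLE_EVENTS[0]["CommandLine"]))
    print("verdict:", verdict(hits))
```

Two caveats when porting this to real telemetry: Sysmon does not log registry reads, so the geofence and Uninstall-key checks only show up in API-hooking sandboxes, EDR registry telemetry or ETW; and the PowerShell rule should also be run over Script Block Logging (Event ID 4104), since the exclusion command is frequently encoded or split across a script rather than passed verbatim on the command line.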
-
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores (T1555): 1
Credentials from Web Browsers (T1555.003): 1
Unsecured Credentials (T1552): 1
Credentials In Files (T1552.001): 1