General

  • Target

    18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.bin

  • Size

    750KB

  • Sample

    250630-yjvvcastas

  • MD5

    253a3f0a9e67457239a9648d01e3e244

  • SHA1

    7d6aa210b3a4759703beb92a1ef4c59294b6a575

  • SHA256

    18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286

  • SHA512

    7ebdf5a3bb92f352c8d82957af8eae6787d0f888b2bc8054a24898c18a01919b76ba95e069c27fdd4947f1372f96c8606081cb0d55c7b62f333e3b229a4865cb

  • SSDEEP

    6144:dNzn4giqNnzaw11Hpg/bE9Rjdcuqnzflksr+BWmtpZQYS2PjCLfjSCpkALDUbr0n:dd/Iyg2Pw2PjCLe3a6Q70zbpM

Malware Config

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes

  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Targets

    • Target

      18df26240ecdb39d14567b219a38a3f022b09d3881a729417f04ad3d0fc62286.bin

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detects CyberStealer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX or a modified version of the UPX open-source packer.

MITRE ATT&CK Enterprise v16