General
- Target: 01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b
- Size: 2.9MB
- Sample: 250806-fnwckadk9w
- MD5: e5ce3951f82531943d68b4eb1a8e13c2
- SHA1: c761a375ba038cc5e59874a0039cd9fa3c92f522
- SHA256: 01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b
- SHA512: 3b920601e61b9860ba80d98bc2f5ace2a2ed0be0c8f361c323c9494c965ce908f5699e1e2ffb3e0b34aed399bee074f9bd0c23ed62bce86fae6c5a3a86a705cc
- SSDEEP: 49152:rd7H1c8dtr3HCxuZ4zNXfbLLZULEPSP3TGZL:rd7Vc8dtr3HCsENXfbmPD+
Static task: static1
Behavioral task: behavioral1
- Sample: 01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b.exe
- Resource: win10v2004-20250619-en
Malware Config
Extracted
- cyber_stealer: https://paxrobot.digital/webpanel/
- pastebin: https://pastebin.com/raw/6K66Aeyr
Targets
- Target: 01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b (same sample as under General; size and hashes identical)
- Cyber_stealer family
- Detects CyberStealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)