General

  • Target

    01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b

  • Size

    2.9MB

  • Sample

    250806-fnwckadk9w

  • MD5

    e5ce3951f82531943d68b4eb1a8e13c2

  • SHA1

    c761a375ba038cc5e59874a0039cd9fa3c92f522

  • SHA256

    01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b

  • SHA512

    3b920601e61b9860ba80d98bc2f5ace2a2ed0be0c8f361c323c9494c965ce908f5699e1e2ffb3e0b34aed399bee074f9bd0c23ed62bce86fae6c5a3a86a705cc

  • SSDEEP

    49152:rd7H1c8dtr3HCxuZ4zNXfbLLZULEPSP3TGZL:rd7Vc8dtr3HCsENXfbmPD+

Malware Config

Extracted

Family

cyber_stealer

C2

https://paxrobot.digital/webpanel/

Attributes
  • pastebin

    https://pastebin.com/raw/6K66Aeyr

Targets

    • Target

      01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b

    • Size

      2.9MB

    • MD5

      e5ce3951f82531943d68b4eb1a8e13c2

    • SHA1

      c761a375ba038cc5e59874a0039cd9fa3c92f522

    • SHA256

      01cb5a170ccb486184841f7adf57026bf18fdd25d71824ebe40161256a3f1f9b

    • SHA512

      3b920601e61b9860ba80d98bc2f5ace2a2ed0be0c8f361c323c9494c965ce908f5699e1e2ffb3e0b34aed399bee074f9bd0c23ed62bce86fae6c5a3a86a705cc

    • SSDEEP

      49152:rd7H1c8dtr3HCxuZ4zNXfbLLZULEPSP3TGZL:rd7Vc8dtr3HCsENXfbmPD+

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detects CyberStealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks