General

  • Target: LoaderV1.2.exe
  • Size: 15.4MB
  • Sample: 250808-tt6mdaam4x
  • MD5: c8590dd5e7fa048184ddc0ee14927844
  • SHA1: e4bd86648914ccfebba6d3692b6a7d157f50ccb2
  • SHA256: f147f1938b71a78c032612f69aed803d84dc8632e1eba7c380c61abe72b9562f
  • SHA512: 4b1a4e998bcd42b8950f75d04ad3fb788b2d05a91fcfc137cad603e717c5d86c00fcc874eec312837c0fffc43a69e840cb320cca2be1322c7a4f3c2fbae2ff63
  • SSDEEP: 196608:25fqA/WlSVQ0Rs/9iSydoZeC/CIY4t87OvNp7wMK:48Qzmw3doN/oopW

Malware Config

Extracted

  • Family: cyber_stealer
  • C2: https://synproxy.live/webpanel/

Targets

    • Target: LoaderV1.2.exe
    • Size: 15.4MB
    • MD5: c8590dd5e7fa048184ddc0ee14927844
    • SHA1: e4bd86648914ccfebba6d3692b6a7d157f50ccb2
    • SHA256: f147f1938b71a78c032612f69aed803d84dc8632e1eba7c380c61abe72b9562f
    • SHA512: 4b1a4e998bcd42b8950f75d04ad3fb788b2d05a91fcfc137cad603e717c5d86c00fcc874eec312837c0fffc43a69e840cb320cca2be1322c7a4f3c2fbae2ff63
    • SSDEEP: 196608:25fqA/WlSVQ0Rs/9iSydoZeC/CIY4t87OvNp7wMK:48Qzmw3doN/oopW

    • CyberStealer

      CyberStealer is an infostealer written in C#.

    • Cyber_stealer family

    • Detects CyberStealer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks