General

Target: LoaderV1.2.exe
Size: 15.4MB
Sample: 250808-tt6mdaam4x
MD5: c8590dd5e7fa048184ddc0ee14927844
SHA1: e4bd86648914ccfebba6d3692b6a7d157f50ccb2
SHA256: f147f1938b71a78c032612f69aed803d84dc8632e1eba7c380c61abe72b9562f
SHA512: 4b1a4e998bcd42b8950f75d04ad3fb788b2d05a91fcfc137cad603e717c5d86c00fcc874eec312837c0fffc43a69e840cb320cca2be1322c7a4f3c2fbae2ff63
SSDEEP: 196608:25fqA/WlSVQ0Rs/9iSydoZeC/CIY4t87OvNp7wMK:48Qzmw3doN/oopW
Static task: static1
Behavioral task: behavioral1 (sample LoaderV1.2.exe, resource win10v2004-20250610-en)
Behavioral task: behavioral2 (sample LoaderV1.2.exe, resource win10ltsc2021-20250619-en)
Behavioral task: behavioral3 (sample LoaderV1.2.exe, resource win11-20250610-en)
Malware Config

Extracted: cyber_stealer
Extracted URL: https://synproxy.live/webpanel/
Targets

Target: LoaderV1.2.exe (15.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Cyber_stealer family
- Detects CyberStealer
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (an API commonly used for process hollowing and other thread-context injection)
MITRE ATT&CK Enterprise v16

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) (1)

Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003) (1)
- Unsecured Credentials: Credentials In Files (T1552.001) (1)