General

  • Target:  sqlscanner.rar
  • Size:    16.2MB
  • Sample:  240630-kfas4svgkc
  • MD5:     73cc24c74a501277c7f48b77bbf526b4
  • SHA1:    b58a7a09f69276aa17efac30979097b379c2499b
  • SHA256:  9d8b9ba55cd5dfa3b2b678539d3e25926d415cd96a7ef8169525baaa06838ff9
  • SHA512:  0c5b3957a8a09e189c02a4d7787387ed2c6d873c3de93174ea52ce1768325201ccd543e068b4e9bf50bb5e1376f4afa14afb5e714fa25dce9b0cd87cea1012b1
  • SSDEEP:  393216:NYDzqwYj+WJ7uRt8TUUZvAxO/i9Hazje9qE8OYDIK8u+A74uuh:aXqwo+WURt8TUV4iQzvE8xh+ANs

Malware Config

Targets

    • Target:  CefSharp.bin
    • Size:    1.6MB
    • MD5:     939712a4d4341fb67c0214621a78fca7
    • SHA1:    53225cb2d07e8131c9fdb086a70a81cd41f588ea
    • SHA256:  f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61
    • SHA512:  f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144
    • SSDEEP:  24576:1UUovXhGzCgXSbnI8pPdzUd+z3ljPO2WDmHj53NOxOHf1:1UU9TSbnJiK1jPO2WDmHj53NOxO
    • Score:   1/10

    • Target:  Mono.Security.dll
    • Size:    276KB
    • MD5:     522d9f0dcebcb6c178e8d5604d9eeb15
    • SHA1:    202d8b56767d433c85ded807032cb8eaef28acce
    • SHA256:  bfc33647d6d32680b5344f56cb6dd71b7357412746031056a9b5afa02799c977
    • SHA512:  e379370adbd3690694a917f9cfab4d9302d0f5f1f8a666f1fd902bc091810ad3c354b459893c80269ce0dbf9f63176430e5ce5fce09788d4fd04f3524a069b4e
    • SSDEEP:  3072:Jj6kxhg4ruavYO/rx4DzuFE7TgjpUf7hja93DzL95rYrfcz6Q9VmbsiGH3msZvm4:Vxhg4ruavj4fuNDvTrqS6Q91XgbLgdQ
    • Score:   1/10

    • Target:  MySql.Data.dll
    • Size:    272KB
    • MD5:     cbe25039adca6013ee06fcd70db1ba00
    • SHA1:    e33db66a191edb487043a7d2c032f7d104b8feef
    • SHA256:  aaabf1fc6180e8e41a414683e7054fcc172107fa13f687a426adb2e39be98f90
    • SHA512:  27e6cdced64ccd60491f82ae02eba87360293b8f681279b7cf8129412ea828eee0f81f6ae1048771f6e10c02d2439f9898124612026abdf62be6fe6b0790430c
    • SSDEEP:  3072:C4KOFiM66I4qF2aT1xsehrUj3OqbTyZd4vflRd6v5WI/UJ73WmA3gYo:CHOkBj6a8+65bTyZulH6vs
    • Score:   1/10

    • Target:  Npgsql.dll
    • Size:    405KB
    • MD5:     7f7fcec95072ffcbfff1ee8e563197b3
    • SHA1:    6b5bba61c4e0af4083370a04b664834712f71aab
    • SHA256:  41dddf803d700f62024e4aeac9540bb6c3fcb78d3708b14c3dbd1e0090b9edec
    • SHA512:  6722d0554bd1ff333528578bd57b8d9c824cf03a0db65b0a6441bd742986c1cb60b9ac8f9dd05c25e3f3bb72ccf200dc800ad8835cc55b34b20df8c78d40a651
    • SSDEEP:  6144:IzITdL4Wm0u0biWMxF/0nRn1NP/L5Pt7hdRYBv/5KWYsV0gc64MfS:xR4WmxkiWSyX6/fhJS
    • Score:   1/10

    • Target:  Npgsql.resources.dll
    • Size:    16KB
    • MD5:     1d0fec45c292e419f2924c834dc10ba5
    • SHA1:    7bf14c3655b75e945bd1c8d3209b81fad2efc1f9
    • SHA256:  449eed18738b7394ee0d0a55aa340ed46afd9dedcc8462fe0ca29360a65eeb8d
    • SHA512:  44076a9869d2623741846e15af634c0f1cf9b3890bcfb88106539114ed6c8a9848ac2ac7ed92dd13d4a6f00d6ff70dbe193d33d034918c8ed2d4b4d7cf12271f
    • SSDEEP:  192:5Y+ImQLOXI3s3+kSvf1IdE1n+00tDvicifgzgz4LJzIJDwin0seCbE/4IB5zPEer:xIj4IPkq1nj0tTic9ccJIVHMZB5bzt
    • Score:   1/10

    • Target:  core.cfg
    • Size:    618KB
    • MD5:     5f0bed2e03e65b67592dd76ff0eeed1f
    • SHA1:    e9ef5d5e3f07a550e9350a15f5544ee1ef242cf4
    • SHA256:  2bd204e41629ab41f499a5d71796f390f94be0133f9d1d4e9809f4d0b473136d
    • SHA512:  0edaa56d4b689bd7f787f0f81c45742d0677f5cca34dd640f36a2da6a6dc38059c96ee1262cc05d75f13097a5e9470efc010e0a0a5a5e8f61ab7357f8de9d685
    • SSDEEP:  12288:qymeXQAKnfJYR0FZ1qGtcbtp6cqKwSKCz1:qneReZ1qKcbtZZwBy
    • Score:   1/10

    • Target:  libcef.lib
    • Size:    3.0MB
    • MD5:     a553208ea4a57f1334669fe1e80113b7
    • SHA1:    509aebd8384adb5f0d5f37dd3dd2b799ca7ddae6
    • SHA256:  c868a800bef638fd579202534fa763a584cf78a01447afc89908ed1bae308ace
    • SHA512:  08765ce1ed9d095527b469495b2138e6446c9034916f4030e7c02c43ea7b39708c1d3cd4f35c9df156633e77cdcb702258f7d627c028c902ac3f450dd0643eef
    • SSDEEP:  49152:k81zxrw6PRLfCprOOR0yXNnMFraaDbXkQe/9p:k81zxrwkCNlxNgrfn0n

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled

    • Target:  sqlscanner.exe
    • Size:    13.5MB
    • MD5:     a9420a585475d7c4f54b934cc9343908
    • SHA1:    603422c8f842c73c97b793d510ef2c311be83337
    • SHA256:  65fd9a6135a40b72400561e11383a4a32b7e239f4f46006324977f8a2a6c5fb2
    • SHA512:  6a3887e509e6e36a8ca99c897a51a45271d2db200e44a9e299ce1a314d5609353dc5f87ab4bb23af5360c40221d41a9a471ede1b6b591f18e85d0a7c82553c39
    • SSDEEP:  196608:3YZl4XkYUOAcewuLIoBA1HeT39IigwE1ncKOVVtd97wWhkiLtQGN+j0WHivexy4n:W0XUOAc1Iq1+TtIiFg0VBxwdS6bj9iU
    • Score:   7/10

    • Loads dropped DLL

    • Target:  cstealer.pyc
    • Size:    67KB
    • MD5:     f0b888fbf9b2c319ba828cb623992abf
    • SHA1:    a8bc0389d054fc398b4fc40b2b6ee02fe65b240f
    • SHA256:  e3606d7dfe5666db81b9ae1e8d48a5303719f950c7505cb7d3f1e849e2391471
    • SHA512:  6a2decec3631e277518807d484d58816b6619d44b1dc7404b01788188dec41039a87d4020fcb1b58310d5b487107a7cf315e5f4691330bf9c4e72fbe4c8d13e6
    • SSDEEP:  1536:l0xqOgoxpqBJlMstbo88jLQQFX3qS0Vr+LRheG:lqv/+bo88PDXh0r+LRP
    • Score:   3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
      • Virtualization/Sandbox Evasion: T1497 (1)

  • Discovery
      • Query Registry: T1012 (2)
      • Virtualization/Sandbox Evasion: T1497 (1)
      • System Information Discovery: T1082 (3)

Tasks