Overview

Task                   Platform             Score
overview                                    9
static                                      7
CefSharp.exe           windows7-x64         1
CefSharp.exe           windows10-2004-x64   1
Mono.Security.dll      windows7-x64         1
Mono.Security.dll      windows10-2004-x64   1
MySql.Data.dll         windows7-x64         1
MySql.Data.dll         windows10-2004-x64   1
Npgsql.dll             windows7-x64         1
Npgsql.dll             windows10-2004-x64   1
Npgsql.resources.dll   windows7-x64         1
Npgsql.resources.dll   windows10-2004-x64   1
core.exe               windows7-x64         1
core.exe               windows10-2004-x64   1
libcef.exe             windows7-x64         9
libcef.exe             windows10-2004-x64   9
sqlscanner.exe         windows7-x64         7
sqlscanner.exe         windows10-2004-x64   7
cstealer.pyc           windows7-x64         3
cstealer.pyc           windows10-2004-x64   3

Analysis
- max time kernel: 45s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 08:32
Behavioral tasks

Task           Sample                  Resource
behavioral1    CefSharp.exe            win7-20231129-en
behavioral2    CefSharp.exe            win10v2004-20240611-en
behavioral3    Mono.Security.dll       win7-20231129-en
behavioral4    Mono.Security.dll       win10v2004-20240611-en
behavioral5    MySql.Data.dll          win7-20240508-en
behavioral6    MySql.Data.dll          win10v2004-20240508-en
behavioral7    Npgsql.dll              win7-20240221-en
behavioral8    Npgsql.dll              win10v2004-20240508-en
behavioral9    Npgsql.resources.dll    win7-20240611-en
behavioral10   Npgsql.resources.dll    win10v2004-20240508-en
behavioral11   core.exe                win7-20240508-en
behavioral12   core.exe                win10v2004-20240611-en
behavioral13   libcef.exe              win7-20240221-en
behavioral14   libcef.exe              win10v2004-20240508-en
behavioral15   sqlscanner.exe          win7-20240611-en
behavioral16   sqlscanner.exe          win10v2004-20240508-en
behavioral17   cstealer.pyc            win7-20231129-en
behavioral18   cstealer.pyc            win10v2004-20240226-en
General
- Target: cstealer.pyc
- Size: 67KB
- MD5: f0b888fbf9b2c319ba828cb623992abf
- SHA1: a8bc0389d054fc398b4fc40b2b6ee02fe65b240f
- SHA256: e3606d7dfe5666db81b9ae1e8d48a5303719f950c7505cb7d3f1e849e2391471
- SHA512: 6a2decec3631e277518807d484d58816b6619d44b1dc7404b01788188dec41039a87d4020fcb1b58310d5b487107a7cf315e5f4691330bf9c4e72fbe4c8d13e6
- SSDEEP: 1536:l0xqOgoxpqBJlMstbo88jLQQFX3qS0Vr+LRheG:lqv/+bo88PDXh0r+LRP
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2720 | AcroRd32.exe
  2720 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 1752 wrote to memory of 2540 | 1752 | cmd.exe | rundll32.exe
  PID 1752 wrote to memory of 2540 | 1752 | cmd.exe | rundll32.exe
  PID 1752 wrote to memory of 2540 | 1752 | cmd.exe | rundll32.exe
  PID 2540 wrote to memory of 2720 | 2540 | rundll32.exe | AcroRd32.exe
  PID 2540 wrote to memory of 2720 | 2540 | rundll32.exe | AcroRd32.exe
  PID 2540 wrote to memory of 2720 | 2540 | rundll32.exe | AcroRd32.exe
  PID 2540 wrote to memory of 2720 | 2540 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  cmd /c C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cstealer.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cstealer.pyc"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 9280c6c3d04512f3321bd04d610e35ac
  SHA1: ddd9135bee502b53322026e81037de0c9c14ba9c
  SHA256: e03ba6833eae2c89e2c5f2f97135d1b493174e692b36857fd24657ed2fe520c1
  SHA512: 24303088345788ec27972ec487b3d5b78b29231a7556196982a865771871eaed6986645e5e415ec8f0e373aa62ab15cd7de143907d2d4478be7a6510192447a7