Overview

overview

10

Static

static

10

Celestrial...ak.exe

windows11-21h2-x64

9

discord_to...er.pyc

windows11-21h2-x64

3

get_cookies.pyc

windows11-21h2-x64

3

misc.pyc

windows11-21h2-x64

3

passwords_grabber.pyc

windows11-21h2-x64

3

source_prepared.pyc

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Celestrial-Paid-Leak.exe

  • Size

    75.5MB

  • Sample

    240630-zep9qsyaqq

  • MD5

    f039213abab7640ff26bcc39ede11aa9

  • SHA1

    50f929bd448dbe97255206ee6bb2031c2bf6a27b

  • SHA256

    72f3a785dac566d8284f4cd4356e9a83448bdfcbd2f66fa627c9ce52d1506a16

  • SHA512

    b81dae108fd5821765dce5de86c78db0695a51c57b332013a58b52cf2352c4581306749e95a94535866a48af8585b496d369624ecc30c0817620816f38b227c8

  • SSDEEP

    1572864:YvFUQ6lnSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaSWQ1Z4w0g:YvFU1lSkB05awIxTy5nMHVLteSD10g

Score
10/10
pysilonevasionexecutionpersistencepyinstallerupx

Malware Config

Targets

    • Target

      Celestrial-Paid-Leak.exe

    • Size

      75.5MB

    • MD5

      f039213abab7640ff26bcc39ede11aa9

    • SHA1

      50f929bd448dbe97255206ee6bb2031c2bf6a27b

    • SHA256

      72f3a785dac566d8284f4cd4356e9a83448bdfcbd2f66fa627c9ce52d1506a16

    • SHA512

      b81dae108fd5821765dce5de86c78db0695a51c57b332013a58b52cf2352c4581306749e95a94535866a48af8585b496d369624ecc30c0817620816f38b227c8

    • SSDEEP

      1572864:YvFUQ6lnSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaSWQ1Z4w0g:YvFU1lSkB05awIxTy5nMHVLteSD10g

    Score
    9/10
    evasionexecutionpersistenceupx

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

    • Target

      discord_token_grabber.pyc

    • Size

      8KB

    • MD5

      849e6942b15c2008c7641432902645f5

    • SHA1

      60942191e1ab3c6d3edf697b57d09c1620c51710

    • SHA256

      fa4ec025ef2d20b6ebd19803e7131f6b540a7ba14d6769bfd62c37fb875a134b

    • SHA512

      0e6611f100ea22b2d5d5632cd099f87d57696b73bb9c9d10dde98477b2bb1ff927816b54ee005e07df49d6897f36ad3d858ac142ae082d25800f07597f67248a

    • SSDEEP

      192:ESB7osP1MJaugQXaafNqaclHJLOq3ZJFD/b8xjJzdJv:TP1iavQTqacyq35D0Fnv

    Score
    3/10
    behavioral2

    • Target

      get_cookies.pyc

    • Size

      5KB

    • MD5

      2754e3152f668e31fccca7b6f275716b

    • SHA1

      e9ed74d679a96372c4457e72bc6639a4d96a2378

    • SHA256

      f7e8a57b54489b5b3de66a1d21534ced3d2a2fb1ce8d03c69d4672e62aa00dca

    • SHA512

      a8331f1c179ed97e6f3821cd41953a5ef8a0b63b6d39022cd3f7980494eff8f00b4367301509014e83c410ed4a6db8e4441f8f3547b682aca250bc4fa29f0f47

    • SSDEEP

      96:STUBj1Mvk80VDdybA6HUicwKD7dxWeBJKZLpMglcTK94:wsSl0fQfUpwKfhijMgGW94

    Score
    3/10
    behavioral3

    • Target

      misc.pyc

    • Size

      2KB

    • MD5

      bcb404423ac51f798753e8d11e401071

    • SHA1

      9080018dae3aa157e3a97904c86af06d4a0a6873

    • SHA256

      572b18ccb1838f23714fae1c8cbb399a08796b1eb846960d5463d40ee784fe5a

    • SHA512

      25a2997cff19308956086ae4e464f5039e53149043f094f2a65dae4dfa78b6410650a3c4d1514511f23c6bf77228772fa7b8a3cf5119e4ed46edb65ac40ff800

    Score
    3/10
    behavioral4

    • Target

      passwords_grabber.pyc

    • Size

      4KB

    • MD5

      8b9cbd29c3dfec519a4313b1b7a0069b

    • SHA1

      5efb073593bc8908a7514dad78673c9d65344a6f

    • SHA256

      589d438226abfec8f71ab7724c68011303f82febb6786fd0c57571b0769764f3

    • SHA512

      c0099bcf2d23dd405b2e02e1fd1b946195015eabb1cbd2ce4896f1ab7e5bbc1fbe6600fa529087b5dc295c13219fb6bc1a6ac97efa4c0fc74901f70278c09bfd

    • SSDEEP

      96:2APDnTWeYwDTgWxiX79GzTOjYUyWkUUNPIslLClDWJpR6Yn:TzCUDxiLATmeEUNP/lL3JpsYn

    Score
    3/10
    behavioral5

    • Target

      source_prepared.pyc

    • Size

      65KB

    • MD5

      21e172f12afe8a2726608322ded44e05

    • SHA1

      df670d791575b18eece176dddb6c4ab1a9344c78

    • SHA256

      4be48459709fa29c66e4eb1dc7be64bcfc2a8eea2e55c05f0d61d5f418182b4b

    • SHA512

      0218717d485089fcad9f0a65145721d5ba998c7c4be12ec1fb00048bd1beb8a6329be396e13fd7421b22526d1b1edc1e3097787291dc9cb202e032292984d5b3

    • SSDEEP

      1536:IaBgVgJPkBBj1uYCFjUIOihdBsoGwjRQ53:9g2FkBkFwIOCsoD0

    Score
    3/10
    behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Discovery

File and Directory Discovery

1
T1083

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks