Overview

overview

10

Static

static

10

XeloraBootsrapper.exe

windows7-x64

7

XeloraBootsrapper.exe

windows10-2004-x64

9

discord_to...er.pyc

windows7-x64

3

discord_to...er.pyc

windows10-2004-x64

3

get_cookies.pyc

windows7-x64

3

get_cookies.pyc

windows10-2004-x64

3

misc.pyc

windows7-x64

3

misc.pyc

windows10-2004-x64

3

passwords_grabber.pyc

windows7-x64

3

passwords_grabber.pyc

windows10-2004-x64

3

source_prepared.pyc

windows7-x64

3

source_prepared.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XeloraBootsrapper.exe

  • Size

    63.9MB

  • Sample

    240702-t1px7svhlj

  • MD5

    495998a4af43fbb86de788221c3e4f70

  • SHA1

    cbe854305068674613f980622e8c8d1a5f48398f

  • SHA256

    9d569f5ac42ebde189703f5a1598b90edb17ff0b38bd6d7eadd0d48043f63407

  • SHA512

    4008a12c0e0fcd9b785c44a4100352206c0f95ed9ac538a83c6d01c9f3670544695224f2f5d023f7ada097a2d020c81287fec5b9e765c45df7c16a37f2934cc3

  • SSDEEP

    1572864:xvxZQglX2i+TnE7Ulg8iYgj+h58sMw5IlWI9RghcJX0:xvxZxRz+Tfe25FSB9RR0

Score
10/10
pysilonevasionexecutionpersistencepyinstallerupx

Malware Config

Targets

    • Target

      XeloraBootsrapper.exe

    • Size

      63.9MB

    • MD5

      495998a4af43fbb86de788221c3e4f70

    • SHA1

      cbe854305068674613f980622e8c8d1a5f48398f

    • SHA256

      9d569f5ac42ebde189703f5a1598b90edb17ff0b38bd6d7eadd0d48043f63407

    • SHA512

      4008a12c0e0fcd9b785c44a4100352206c0f95ed9ac538a83c6d01c9f3670544695224f2f5d023f7ada097a2d020c81287fec5b9e765c45df7c16a37f2934cc3

    • SSDEEP

      1572864:xvxZQglX2i+TnE7Ulg8iYgj+h58sMw5IlWI9RghcJX0:xvxZxRz+Tfe25FSB9RR0

    Score
    9/10
    upxevasionexecutionpersistence

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      discord_token_grabber.pyc

    • Size

      17KB

    • MD5

      e523026b612006e580e96bd9e2a8882c

    • SHA1

      03b9938701f7eff11a0c3632ed805e8188598c88

    • SHA256

      8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77

    • SHA512

      a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853

    • SSDEEP

      384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8

    Score
    3/10
    behavioral3behavioral4

    • Target

      get_cookies.pyc

    • Size

      10KB

    • MD5

      b38f506528b3d6d5dbd851426c347b95

    • SHA1

      e91bf4ef42128267934e21be0176e552480f5977

    • SHA256

      85a7c34afad2c270ca690a5b4c30cc8bf16967e623fc77f4de4497901030a93b

    • SHA512

      ab110dc92eba564fd0ec6c6a75e779f588518dc1aa461f072ab02b96bc11fbe25e09faa6a556dc6a127c3e8826382697b72037a0cefbdaf32fd70a723e746295

    • SSDEEP

      192:TzOCIeinQfUF9LdwOEVOFc1mNe47+o+zEzzzzz1zz+HoowAE:TzOUiQccEe4KoOIAE

    Score
    3/10
    behavioral5behavioral6

    • Target

      misc.pyc

    • Size

      5KB

    • MD5

      31aa260c6cdeaa9d942cd0dcfcadd16a

    • SHA1

      a6818f3acf5c2ab9d65b41a81cb92b36b85cc932

    • SHA256

      b522284f1a7e518c269c0414160407ec7834a4397f85ef389433b49367b5df9c

    • SHA512

      0dd277ef948315a3554bd8c5110e27afa9b2eac88defc1211771c050cdd27b3668484dec35ec5c5010bff00b62c2cebd9e7286c0b114ad28437719b42bd0fc2c

    • SSDEEP

      96:DSajAihmJG4n3B4SmSSSSlSSSShDwegPbbVxlj0nIAEDS5ejmw01k9Bddpq:eYAfn3ySmSSSSlSSSSeeOPVxx0nIAZeQ

    Score
    3/10
    behavioral7behavioral8

    • Target

      passwords_grabber.pyc

    • Size

      8KB

    • MD5

      704dced7f7530b19a34a5f7a71c26b10

    • SHA1

      608d9647488cfa2b5f84a891028168a973bfcfa9

    • SHA256

      1fd284f1e27263bd2a16050c6989933a382c7d196f4c9f247187cc3b3f6ba3ac

    • SHA512

      e4a6710abef2c45d631745c91d8135873be06e5b240a61362e341d05ecc1dedf885487a554b648c328a3c5cc17fcf74e6d066b2e3f51379358ba28c2a0f2f39f

    • SSDEEP

      192:+CE34EAL/GFf/PomdPO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfRBO8NsxuOxNn

    Score
    3/10
    behavioral10behavioral9

    • Target

      source_prepared.pyc

    • Size

      178KB

    • MD5

      540e5e14ea58cd5596de29c90e936afa

    • SHA1

      cf7494b6d4cd9186226bb264fb934483114993a1

    • SHA256

      8b654ae6aaece8827e7cdf218c82860bda876493dc5ccb1243301c7111255593

    • SHA512

      8e2f520017df2a156e509159a5d1971a8c07b8000298e63dd57bd7c0888aaf96220f6655c0241f4463d26833478d7df0fbe6b214bfe903ce1286463fb1a5e66d

    • SSDEEP

      3072:/HDLaXM1/ZvYcz6ojPEtelZN+sYRxSgzvn6CknK:bWXmD6oj8cN+VRxSgzv6Cr

    Score
    3/10
    behavioral11behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Discovery

File and Directory Discovery

1
T1083

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks