The script extracts clean DLL files and malware named “python.exe.” These are used to cover up the loading of the malicious payload-MrAnon Stealer. The malware downloads and extracts files from a specific domain to run a harmful Python script. The attacker also uses tricks like false error messages to hide successful infection. NET executable files and PowerShell scripts. The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves. In this attack, the threat attacker sends phishing emails with fake room booking details, aiming at specific regions. Desktop Wallets: Bytecoin Wallet, Guarda, Atomic Wallet, Coinomi Wallet, Bitcoin Armory, and Exodus.Browsers Data: 7Star, Amigoz, Bravez, Cent Browser, Chrome Canary, Epic Privacy Browser, Google Chrome, Iridium, Kometa, Microsoft Edge, Opera, Opera GX, Orbitum, Sputnik, Torch, Uran, Vivaldi, Yandex, Firefox, Pale Moon, SeaMonkey, and Waterfox.It also gathers information from the following sources: It then uses “ImageGrab” to capture a screenshot, saving it with the filename “Screenshot (Username ).png.” Additionally, it establishes connections with legitimate websites such as “” and “/jsonp” to retrieve the system’s IP address, country name, and country code. “ArmoryQt.exe”, “Atomic Wallet.exe”, “brave.exe”, “bytecoin-gui.exe”, “chrome.exe”, “Coinomi.exe”, “Discord.exe”, “DiscordCanary.exe”, “Element.exe”, “Exodus.exe”, “firefox.exe”, “Guarda.exe”, “KeePassXC.exe”, “NordVPN.exe”, “OpenVPNConnect.exe”, “seamonkey.exe”, “Signal.exe”, “Telegram.exe”, “filezilla.exe”, “filezilla-server-gui.exe”, “keepassxc-proxy.exe”, “msedge.exe”, “nordvpn-service.exe”, “opera.exe”, “steam.exe”, “walletd.exe”, “waterfox.exe”, “yandex.exe” First, the malware verifies whether the following processes are currently running on the system and terminates them if they exist:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |