Edit tour
Windows
Analysis Report
grA6aqodO5.exe
Overview
General Information
| Sample name: | grA6aqodO5.exerenamed because original name is a hash value |
| Original sample name: | 564c71a41d9e6400ae36286ea2fbaaba.exe |
| Analysis ID: | 1537039 |
| MD5: | 564c71a41d9e6400ae36286ea2fbaaba |
| SHA1: | cc90d100b134db6b272471b237a83a3184557591 |
| SHA256: | 0253bd8a62406deeab51514384070dff10cf8d5fcd04f838d6133a40bea8506f |
| Tags: | exeuser-abuse_ch |
| Infos: |  |
 | |
Detection
Python Stealer, CStealer
| Score: | 68 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected CStealer
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Yara detected Generic Python Stealer
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
grA6aqodO5.exe (PID: 7544 cmdline: "C:\Users\ user\Deskt op\grA6aqo dO5.exe" MD5: 564C71A41D9E6400AE36286EA2FBAABA) - grA6aqodO5.exe (PID: 7636 cmdline:
"C:\Users\ user\Deskt op\grA6aqo dO5.exe" MD5: 564C71A41D9E6400AE36286EA2FBAABA)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DynamicStealer | Dynamic Stealer is a Github Project C# written code by L1ghtN4n. This code collects passwords and uploads these to Telegram. According to Cyble this Eternity Stealer leverages code from this project and also Jester Stealer could be rebranded from it. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CStealer | Yara detected CStealer | Joe Security | ||
| JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | ||
| JoeSecurity_CStealer | Yara detected CStealer | Joe Security |
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 2_2_00007FFBAB79CD30 | |
| Source: | Code function: | 2_2_00007FFBAB7E4C40 | |
| Source: | Code function: | 2_2_00007FFBAB7CEC70 | |
| Source: | Code function: | 2_2_00007FFBAB7C8C80 | |
| Source: | Code function: | 2_2_00007FFBAB7822D9 | |
| Source: | Code function: | 2_2_00007FFBAB781AB4 | |
| Source: | Code function: | 2_2_00007FFBAB784C00 | |
| Source: | Code function: | 2_2_00007FFBAB7CEC10 | |
| Source: | Code function: | 2_2_00007FFBAB781460 | |
| Source: | Code function: | 2_2_00007FFBAB796B20 | |
| Source: | Code function: | 2_2_00007FFBAB784B30 | |
| Source: | Code function: | 2_2_00007FFBAB79EB48 | |
| Source: | Code function: | 2_2_00007FFBAB781A0F | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||