Edit tour
Windows
Analysis Report
MkWMm5piE5.exe
Overview
General Information
| Sample name: | MkWMm5piE5.exerenamed because original name is a hash value |
| Original sample name: | 2daa3a1b14af19d4daf3a60a493d2613b87eba00e13b21e1b12dcea681b3dc80.exe |
| Analysis ID: | 1571338 |
| MD5: | 05d551d9e91e59cfa28c7d7b2a5e2374 |
| SHA1: | b9d58e533693c1936dc515d9c0400ca36dc0c049 |
| SHA256: | 2daa3a1b14af19d4daf3a60a493d2613b87eba00e13b21e1b12dcea681b3dc80 |
| Tags: | busquedasxurl-comexeuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Python Stealer
| Score: | 72 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found pyInstaller with non standard icon
Sigma detected: Suspicious Script Execution From Temp Folder
Yara detected Generic Python Stealer
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
MkWMm5piE5.exe (PID: 7568 cmdline: "C:\Users\ user\Deskt op\MkWMm5p iE5.exe" MD5: 05D551D9E91E59CFA28C7D7B2A5E2374) - MkWMm5piE5.exe (PID: 7680 cmdline:
"C:\Users\ user\Deskt op\MkWMm5p iE5.exe" MD5: 05D551D9E91E59CFA28C7D7B2A5E2374) 
powershell.exe (PID: 7716 cmdline: powershell -Command " Add-Ty pe -Assemb lyName Sys tem.Window s.Forms Add-Type - AssemblyNa me System. Drawing $screen = [System.Wi ndows.Form s.SystemIn formation] ::VirtualS creen $b itmap = Ne w-Object S ystem.Draw ing.Bitmap $screen.W idth, $scr een.Height $graphi cs = [Syst em.Drawing .Graphics] ::FromImag e($bitmap) $graphi cs.CopyFro mScreen($s creen.Loca tion, [Sys tem.Drawin g.Point]:: Empty, $sc reen.Size) $bitmap .Save(\"C: \Users\use r\AppData\ Local\Temp \desktop_s creenshot. png\") " MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7724 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | ||
| JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Code function: | 2_2_00007FFEDCE47F00 | |
| Source: | Code function: | 2_2_00007FFEDCE4D040 | |
| Source: | Code function: | 2_2_00007FFEDCE32536 | |
| Source: | Code function: | 2_2_00007FFEDCE8FCC0 | |
| Source: | Code function: | 2_2_00007FFEDCE47CB0 | |
| Source: | Code function: | 2_2_00007FFEDCE3157D | |
| Source: | Code function: | 2_2_00007FFEDCE311E0 | |
| Source: | Code function: | 2_2_00007FFEDCE3108C | |
| Source: | Code function: | 2_2_00007FFEDCE87DE0 | |
| Source: | Code function: | 2_2_00007FFEDCE325EF | |
| Source: | Code function: | 2_2_00007FFEDCE55DE0 | |
| Source: | Code function: | 2_2_00007FFEDCE5DDC0 | |
| Source: | Code function: | 2_2_00007FFEDCE3FDB0 | |
| Source: | Code function: | 2_2_00007FFEDCE3176C | |
| Source: | Code function: | 2_2_00007FFEDCE49D50 | |
| Source: | Code function: | 2_2_00007FFEDCE31B18 | |
| Source: | Code function: | 2_2_00007FFEDCE325A4 | |
| Source: | Code function: | 2_2_00007FFEDCE93F10 | |
| Source: | Code function: | 2_2_00007FFEDCE33EE0 | |
| Source: | Code function: | 2_2_00007FFEDCE99E90 | |
| Source: | Code function: | 2_2_00007FFEDCE319E7 | |
| Source: | Code function: | 2_2_00007FFEDCE35E4A | |
| Source: | Code function: | 2_2_00007FFEDCE3107D | |
| Source: | Code function: | 2_2_00007FFEDCE45FD0 | |
| Source: | Code function: | 2_2_00007FFEDCE32400 | |
| Source: | Code function: | 2_2_00007FFEDCE31D8E | |
| Source: | Code function: | 2_2_00007FFEDCE55F90 | |
| Source: | Code function: | 2_2_00007FFEDCE3144C | |
| Source: | Code function: | 2_2_00007FFEDCE31ACD | |
| Source: | Code function: | 2_2_00007FFEDCE31B31 | |
| Source: | Code function: | 2_2_00007FFEDCE8FF50 | |
| Source: | Code function: | 2_2_00007FFEDCE758F0 | |
| Source: | Code function: | 2_2_00007FFEDCE3231F | |
| Source: | Code function: | 2_2_00007FFEDCE31555 | |
| Source: | Code function: | 2_2_00007FFEDCE31EE2 | |
| Source: | Code function: | 2_2_00007FFEDCE31997 | |
| Source: | Code function: | 2_2_00007FFEDCE3D8AF | |
| Source: | Code function: | 2_2_00007FFEDCE9B8B0 | |
| Source: | Code function: | 2_2_00007FFEDCE93880 | |
| Source: | Code function: | 2_2_00007FFEDCE31483 | |
| Source: | Code function: | 2_2_00007FFEDCE31846 | |
| Source: | Code function: | 2_2_00007FFEDCE3193D | |
| Source: | Code function: | 2_2_00007FFEDCE9D9E0 | |
| Source: | Code function: | 2_2_00007FFEDCE311C2 | |
| Source: | Code function: | 2_2_00007FFEDCE799A0 | |
| Source: | Code function: | 2_2_00007FFEDCE31023 | |
| Source: | Code function: | 2_2_00007FFEDCE7D960 | |
| Source: | Code function: | 2_2_00007FFEDCE81950 | |
| Source: | Code function: | 2_2_00007FFEDCE63B10 | |
| Source: | Code function: | 2_2_00007FFEDCE3FB00 | |
| Source: | Code function: | 2_2_00007FFEDCE7FB00 | |
| Source: | Code function: | 2_2_00007FFEDCE312D0 | |
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||