Windows Analysis Report: roblox.exe
Overview
General Information
Detection: Python Stealer, Monster Stealer

Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Monster Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Detected generic credential text file
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Python Stealer
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Console CodePage Lookup Via CHCP
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Classification
- System is w10x64
- roblox.exe (PID: 6600, cmdline: "C:\Users\user\Desktop\roblox.exe", MD5: 6898EACE70E2DA82F257BC78CB081B2F)
- conhost.exe (PID: 6008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- stub.exe (PID: 1892, cmdline: C:\Users\user\Desktop\roblox.exe, MD5: D09A400F60C7A298E884F90539E9C72F)
- cmd.exe (PID: 6208, cmdline: C:\Windows\system32\cmd.exe /c "ver", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 6844, cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - WMIC.exe (PID: 6460, cmdline: wmic csproduct get uuid, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 7132, cmdline: C:\Windows\system32\cmd.exe /c "tasklist", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - tasklist.exe (PID: 4668, cmdline: tasklist, MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 4160, cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe"", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - attrib.exe (PID: 1440, cmdline: attrib +h +s "C:\Users\user\AppData\Local\MonsterUpdateService\Monster.exe", MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
- cmd.exe (PID: 1476, cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - mshta.exe (PID: 1532, cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()", MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- cmd.exe (PID: 6160, cmdline: C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - taskkill.exe (PID: 6408, cmdline: taskkill /F /IM chrome.exe, MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- cmd.exe (PID: 5612, cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - tasklist.exe (PID: 6476, cmdline: tasklist /FO LIST, MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 904, cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - powershell.exe (PID: 4276, cmdline: powershell.exe Get-Clipboard, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 3920, cmdline: C:\Windows\system32\cmd.exe /c "chcp", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - chcp.com (PID: 7140, cmdline: chcp, MD5: 33395C4732A49065EA72590B14B64F32)
- cmd.exe (PID: 6208, cmdline: C:\Windows\system32\cmd.exe /c "chcp", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - chcp.com (PID: 5520, cmdline: chcp, MD5: 33395C4732A49065EA72590B14B64F32)
- cmd.exe (PID: 7124, cmdline: C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewall info#### & netsh firewall show state & netsh firewall show config", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - systeminfo.exe (PID: 6948, cmdline: systeminfo, MD5: EE309A9C61511E907D87B10EF226FDCD)
  - WmiPrvSE.exe (PID: 5860, cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  - HOSTNAME.EXE (PID: 5016, cmdline: hostname, MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0)
  - WMIC.exe (PID: 4440, cmdline: wmic logicaldisk get caption,description,providername, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - net.exe (PID: 5520, cmdline: net user, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
    - net1.exe (PID: 4072, cmdline: C:\Windows\system32\net1 user, MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
  - query.exe (PID: 7100, cmdline: query user, MD5: 29043BC0B0F99EAFF36CAD35CBEE8D45)
    - quser.exe (PID: 4208, cmdline: "C:\Windows\system32\quser.exe", MD5: 480868AEBA9C04CA04D641D5ED29937B)
  - net.exe (PID: 4832, cmdline: net localgroup, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
    - net1.exe (PID: 5744, cmdline: C:\Windows\system32\net1 localgroup, MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
  - net.exe (PID: 1440, cmdline: net localgroup administrators, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
    - net1.exe (PID: 4744, cmdline: C:\Windows\system32\net1 localgroup administrators, MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
  - net.exe (PID: 4436, cmdline: net user guest, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
    - net1.exe (PID: 4688, cmdline: C:\Windows\system32\net1 user guest, MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
  - net.exe (PID: 5464, cmdline: net user administrator, MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
    - net1.exe (PID: 3992, cmdline: C:\Windows\system32\net1 user administrator, MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
  - WMIC.exe (PID: 3920, cmdline: wmic startup get caption,command, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  - tasklist.exe (PID: 1532, cmdline: tasklist /svc, MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
  - ipconfig.exe (PID: 6336, cmdline: ipconfig /all, MD5: 62F170FB07FDBB79CEB7147101406EB8)
  - ROUTE.EXE (PID: 2076, cmdline: route print, MD5: 3C97E63423E527BA8381E81CBA00B8CD)
  - ARP.EXE (PID: 6460, cmdline: arp -a, MD5: 2AF1B2C042B83437A4BE82B19749FA98)
  - NETSTAT.EXE (PID: 5548, cmdline: netstat -ano, MD5: 7FDDD6681EA81CE26E64452336F479E6)
  - sc.exe (PID: 5324, cmdline: sc query type= service state= all, MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  - netsh.exe (PID: 5032, cmdline: netsh firewall show state, MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
  - netsh.exe (PID: 6720, cmdline: netsh firewall show config, MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 7108, cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profiles", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - netsh.exe (PID: 1524, cmdline: netsh wlan show profiles, MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
- cmd.exe (PID: 6408, cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - WMIC.exe (PID: 4832, cmdline: wmic csproduct get uuid, MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
- cmd.exe (PID: 6128, cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - powershell.exe (PID: 828, cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAiAFMAeQBzAHQAZQBtAC4ARAByAGEAdwBpAG4AZwAiACkADQAKAGYAdQBuAGMAdABpAG8AbgAgAHMAYwByAGUAZQBuAHMAaABvAHQAKABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdACQAYgBvAHUAbgBkAHMALAAgACQAcABhAHQAaAApACAAewANAAoAIAAgACAAJABiAG0AcAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAARAByAGEAdwBpAG4AZwAuAEIAaQB0AG0AYQBwACAAJABiAG8AdQBuAGQAcwAuAHcAaQBkAHQAaAAsACAAJABiAG8AdQBuAGQAcwAuAGgAZQBpAGcAaAB0AA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBHAHIAYQBwAGgAaQBjAHMAXQA6ADoARgByAG8AbQBJAG0AYQBnAGUAKAAkAGIAbQBwACkADQAKAA0ACgAgACAAIAAkAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoACQAYgBvAHUAbgBkAHMALgBMAG8AYwBhAHQAaQBvAG4ALAAgAFsARAByAGEAdwBpAG4AZwAuAFAAbwBpAG4AdABdADoAOgBFAG0AcAB0AHkALAAgACQAYgBvAHUAbgBkAHMALgBzAGkAegBlACkADQAKAA0ACgAgACAAIAAkAGIAbQBwAC4AUwBhAHYAZQAoACQAcABhAHQAaAApAA0ACgANAAoAIAAgACAAJABnAHIAYQBwAGgAaQBjAHMALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAIAAgACAAJABiAG0AcAAuAEQAaQBzAHAAbwBzAGUAKAApAA0ACgB9AA0ACgANAAoAJABiAG8AdQBuAGQAcwAgAD0AIABbAEQAcgBhAHcAaQBuAGcALgBSAGUAYwB0AGEAbgBnAGwAZQBdADoAOgBGAHIAbwBtAEwAVABSAEIAKAAwACwAIAAwACwAIAAxADkAMgAwACwAIAAxADAAOAAwACkADQAKACQAcABhAHQAaAAgAD0AIAAoAEcAZQB0AC0ASQB0AGUAbQAgAC4AKQAuAEYAdQBsAGwATgBhAG0AZQArACIAXABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AcABuAGcAIgANAAoAcwBjAHIAZQBlAG4AcwBoAG8AdAAgACQAYgBvAHUAbgBkAHMAIAAkAHAAYQB0AGgA, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | |
| | JoeSecurity_MonsterStealer | Yara detected Monster Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | |
| | JoeSecurity_MonsterStealer | Yara detected Monster Stealer | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) |
| | Perez Diego (@darkquassar), oscd.community |
| | frack113 |