MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322
SHA3-384 hash: 48b1f7116acffc976ea200612b9082da5e8ac8d0635a623fe96123a6aca85deb436729d4c389a33aa131216b0c0d1a66
SHA1 hash: 99cbb7341dffb6925a88525ea82ca8cb0cbe10c9
MD5 hash: 231f199ed9540c2d1cbf4233be515988
humanhash: mississippi-july-beer-zebra
File name:231f199ed9540c2d1cbf4233be515988
Download: download sample
Signature PythonStealer
Create hunting rule
File size:11'266'560 bytes
First seen:2024-03-03 05:46:35 UTC
Last seen:2024-03-03 07:23:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e44f44f1060dd800fd861c4e5ad59e21 (12 x PythonStealer)
ssdeep 196608:UPAlP3Zobseq6ERnzeljovAlpbmVjHQLmcVZOfcvL2sTD:KCpoSvRnzeOvW6QLLiE
Threatray 25 similar samples on MalwareBazaar
TLSH T196B63379DA23C5E8CF8BD17446A218E5F639F8B47554E0720385EA605F87FC68A78B03
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:64 exe PythonStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
305
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322.exe
Verdict:
Malicious activity
Analysis date:
2024-03-03 05:50:19 UTC
Tags:
evasion exela stealer generic python
Link:
https://app.any.run/tasks/08597063-f70c-494a-837b-cfdd89691f15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Nuitka-9992781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Сreating synchronization primitives
Connection attempt
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Creating a window
Searching for the window
Forced system process termination
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Changing a file
Reading critical registry keys
Launching the process to change network settings
Launching the process to interact with network services
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug expand lolbin nuitka packed packed redcap shell32
Link:
https://www.filescan.io/uploads/65e419f706b24253d2358d8b/reports/8043e6a8-b446-4af7-be0e-2f654d17171a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0f1d5f10-fa0f-4876-a3ec-376eba942088
Result
Threat name:
Python Stealer, Monster Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1402075
Signature
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites the password of the administrator account
Performs a network lookup / discovery via ARP
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: Suspicious Manipulation Of Default Accounts Via Net.EXE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected Generic Python Stealer
Yara detected Monster Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1402075 Sample: 4t3jSuvHnc.exe Startdate: 03/03/2024 Architecture: WINDOWS Score: 100 81 restores.name 2->81 83 raw.githubusercontent.com 2->83 85 ip-api.com 2->85 103 Sigma detected: Capture Wi-Fi password 2->103 105 Multi AV Scanner detection for dropped file 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 5 other signatures 2->109 10 4t3jSuvHnc.exe 47 2->10         started        14 svchost.exe 2->14         started        signatures3 process4 file5 67 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 10->67 dropped 69 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 10->69 dropped 71 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 10->71 dropped 73 32 other files (31 malicious) 10->73 dropped 127 Found many strings related to Crypto-Wallets (likely being stolen) 10->127 129 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->129 16 stub.exe 27 10->16         started        signatures6 process7 dnsIp8 75 ip-api.com 208.95.112.1, 49714, 80 TUT-ASUS United States 16->75 77 raw.githubusercontent.com 185.199.108.133, 443, 49715 FASTLYUS Netherlands 16->77 79 2 other IPs or domains 16->79 63 C:\Users\user\AppData\Local\...\Monster.exe, PE32+ 16->63 dropped 65 C:\Users\user\AppData\...\system_info.txt, Algol 16->65 dropped 95 Found many strings related to Crypto-Wallets (likely being stolen) 16->95 97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->97 99 Tries to harvest and steal browser information (history, passwords, etc) 16->99 101 5 other signatures 16->101 21 cmd.exe 1 16->21         started        24 cmd.exe 16->24         started        26 cmd.exe 1 16->26         started        28 17 other processes 16->28 file9 signatures10 process11 signatures12 111 Encrypted powershell cmdline option found 21->111 113 Bypasses PowerShell execution policy 21->113 115 Uses netstat to query active network connections and open ports 21->115 125 2 other signatures 21->125 30 conhost.exe 21->30         started        117 Overwrites the password of the administrator account 24->117 119 Gathers network related connection and port information 24->119 121 Performs a network lookup / discovery via ARP 24->121 32 systeminfo.exe 24->32         started        35 net.exe 24->35         started        37 net.exe 24->37         started        45 16 other processes 24->45 39 WMIC.exe 1 26->39         started        41 conhost.exe 26->41         started        123 Tries to harvest and steal WLAN passwords 28->123 43 WMIC.exe 1 28->43         started        47 31 other processes 28->47 process13 signatures14 87 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->87 49 WmiPrvSE.exe 32->49         started        89 Overwrites the password of the administrator account 35->89 51 net1.exe 35->51         started        53 net1.exe 37->53         started        91 Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes) 39->91 93 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 39->93 55 quser.exe 45->55         started        57 net1.exe 45->57         started        59 net1.exe 45->59         started        61 net1.exe 45->61         started        process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-28 01:21:41 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mheideel3sf6tshorzbhfc3pcftwr7zkj3ovidq5qkqcyup5mmra._file
Verdict:
malicious
Similar samples:
55b9e104fe2e170a98ab5d030757182188fd56cdf04c292f05f5a3d9d9c9b669
PythonStealer
60f351b0db70f792c111229211107802f70ca8e9ce8d6cf8c8d4cb397981d965
PythonStealer
626d8f4358194ddba886b240b5c7a63cd851dbf2b9bea1917d61c98fa0e68893
PythonStealer
74f3138036e7fac6464e48b866197afc56d80b3bfa9c1944d3226258ec49492a
PythonStealer
89a7841adbf26185cef3e1f694a61257d2d45f08851c38ec429e767b45b32413
PythonStealer
97efe91fe5eff3dcdcb055f037f1df01c1409e6bd38a8f07170ea53a0ff265ef
PythonStealer
a4ffd596dcb461d4fe2020b2d41e2dd7e210cc832afdba56e72f433a8296e466
PythonStealer
b192344ce34120edcbae9a176d8406c18d78a177e5e186f735caa436ec473edf
PythonStealer
d9814ac2cfa7d3baafe11e4807c6033314a828ab3236a45fad9a39894d6883e0
PythonStealer
f0b789e7ac0c5eee6f264daeb13620aaf4baaa09a3e519a1c136822b63241c3e
PythonStealer
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240303-ggvywsed62/
Behaviour
Detects videocard installed
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322
MD5 hash:
231f199ed9540c2d1cbf4233be515988
SHA1 hash:
99cbb7341dffb6925a88525ea82ca8cb0cbe10c9
Link:
https://www.unpac.me/results/940be328-5f24-4d20-b671-6f79c2e8b0ca/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61c881908bdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PythonStealer

Executable exe 61c881908bdc8be9c8ee8e42728b6f116768ff2a4edd540e1d82a02c51fd6322

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2774664/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::GenerateConsoleCtrlEvent
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetFileAttributesW

Comments


Avatar
zbet commented on 2024-03-03 05:46:36 UTC

url : hxxp://193.233.132.167/lend/juditttt.exe