MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc21544389191db1ecad74434878d61245f63335550a20af86d799043bfbbbec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PythonStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc21544389191db1ecad74434878d61245f63335550a20af86d799043bfbbbec
SHA3-384 hash: e111bf9dfef732ccb2f892ebadac85531628b5a247fa7018fc7958300de602065d13a23c8aab2d09c52ff6391818592d
SHA1 hash: 540eb73a64c396d5da19c9267a4f60152817db8e
MD5 hash: 4b04a252512daad6d11c51446573e04d
humanhash: summer-mango-ink-hawaii
File name:Solaris.exe
Download: download sample
Signature PythonStealer
Create hunting rule
File size:79'020'834 bytes
First seen:2024-07-02 18:06:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2ac23c52e7647c5bbea38e98bb68c652 (10 x BlankGrabber, 4 x PythonStealer, 3 x CobaltStrike)
ssdeep 1572864:0gvFUQ6l8GSk8IpG7V+VPhqIbE7WTylPj4iY4MHHLeqPNLtDaSWQZn6Oflz:0gvFU1iGSkB05awIxTy5nMHVLteS3bf9
TLSH T1D00833660721B48AE89675BB31D6D1BC0676EC800B609F8DD2407BF96FD31649F38B71
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon e8e8f4d48eeccccc (1 x PythonStealer)
Reporter Anonymous
Tags:exe PythonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
562
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dc21544389191db1ecad74434878d61245f63335550a20af86d799043bfbbbec.exe
Verdict:
Malicious activity
Analysis date:
2024-07-02 18:10:23 UTC
Tags:
python discordgrabber generic stealer crypto-regex upx
Link:
https://app.any.run/tasks/2e6c5338-2a93-4407-9d43-d90ec5f99f09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6684426ebe8570b8fa8922ddwin10vpnfull_triage
Tags:
Execution Network Stealth Trojan Wacapew
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed redcap
Link:
https://www.filescan.io/uploads/668441caef9fdf64aa719bba/reports/4acddbc5-cddf-40b1-90b8-8e51fcec2ce9/overview
Verdict:
Malicious
Labled as:
Program_Win32_Wacapew_C_ml
Link:
https://www.hybrid-analysis.com/sample/dc21544389191db1ecad74434878d61245f63335550a20af86d799043bfbbbec
Result
Verdict:
MALICIOUS
Result
Threat name:
Python Stealer, Discord Token Stealer, M
Create hunting rule
Detection:
malicious
Classification:
rans.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1466350
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Discord Token Stealer
Yara detected Generic Python Stealer
Yara detected MicroClip
Yara detected PySilon Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466350 Sample: Solaris.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 122 discord.com 2->122 130 Multi AV Scanner detection for submitted file 2->130 132 Yara detected PySilon Stealer 2->132 134 Yara detected Discord Token Stealer 2->134 136 8 other signatures 2->136 13 Solaris.exe 1001 2->13         started        17 System32.exe 2->17         started        signatures3 process4 file5 106 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 13->106 dropped 108 C:\...\unuran_wrapper.cp310-win_amd64.pyd, PE32+ 13->108 dropped 110 C:\...\_stats_pythran.cp310-win_amd64.pyd, PE32+ 13->110 dropped 118 228 other files (37 malicious) 13->118 dropped 154 Adds a directory exclusion to Windows Defender 13->154 156 Writes many files with high entropy 13->156 158 Found pyInstaller with non standard icon 13->158 19 Solaris.exe 1 3 13->19         started        112 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 17->112 dropped 114 C:\...\unuran_wrapper.cp310-win_amd64.pyd, PE32+ 17->114 dropped 116 C:\...\_stats_pythran.cp310-win_amd64.pyd, PE32+ 17->116 dropped 120 309 other files (41 malicious) 17->120 dropped 23 System32.exe 17->23         started        signatures6 process7 file8 96 C:\Users\user\...\System32.exe, PE32+ 19->96 dropped 142 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 19->142 144 Adds a directory exclusion to Windows Defender 19->144 25 cmd.exe 19->25         started        28 powershell.exe 23 19->28         started        30 cmd.exe 1 19->30         started        32 cmd.exe 23->32         started        34 cmd.exe 23->34         started        36 cmd.exe 23->36         started        38 4 other processes 23->38 signatures9 process10 signatures11 148 Uses cmd line tools excessively to alter registry or file data 25->148 40 System32.exe 25->40         started        49 3 other processes 25->49 150 Loading BitLocker PowerShell Module 28->150 43 conhost.exe 28->43         started        45 conhost.exe 30->45         started        47 ComputerDefaults.exe 32->47         started        51 3 other processes 32->51 53 2 other processes 34->53 56 2 other processes 36->56 58 7 other processes 38->58 process12 file13 98 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 40->98 dropped 100 C:\...\unuran_wrapper.cp310-win_amd64.pyd, PE32+ 40->100 dropped 102 C:\...\_stats_pythran.cp310-win_amd64.pyd, PE32+ 40->102 dropped 104 309 other files (41 malicious) 40->104 dropped 60 System32.exe 40->60         started        64 System32.exe 47->64         started        146 UAC bypass detected (Fodhelper) 56->146 signatures14 process15 dnsIp16 126 discord.com 162.159.135.232, 443, 49742 CLOUDFLARENETUS United States 60->126 128 127.0.0.1 unknown unknown 60->128 152 Adds a directory exclusion to Windows Defender 60->152 67 powershell.exe 60->67         started        70 cmd.exe 60->70         started        88 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 64->88 dropped 90 C:\...\unuran_wrapper.cp310-win_amd64.pyd, PE32+ 64->90 dropped 92 C:\...\_stats_pythran.cp310-win_amd64.pyd, PE32+ 64->92 dropped 94 210 other files (20 malicious) 64->94 dropped 72 System32.exe 64->72         started        file17 signatures18 process19 dnsIp20 138 Loading BitLocker PowerShell Module 67->138 75 conhost.exe 67->75         started        77 conhost.exe 70->77         started        124 162.159.136.232, 443, 49746 CLOUDFLARENETUS United States 72->124 140 Adds a directory exclusion to Windows Defender 72->140 79 powershell.exe 72->79         started        82 cmd.exe 72->82         started        signatures21 process22 signatures23 160 Loading BitLocker PowerShell Module 79->160 84 conhost.exe 79->84         started        86 conhost.exe 82->86         started        process24
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc21544389191db1ecad74434878d61245f63335550a20af86d799043bfbbbec
Gathering data
Threat name:
Win64.Trojan.PySpy
Create hunting rule
Status:
Malicious
First seen:
2024-06-29 14:06:27 UTC
File Type:
PE+ (Exe)
Extracted files:
5449
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qqviq4jdeo3d3fnorbuq6gwcjc7mmzvkufcbl4g26mqio73xpwa._file
Verdict:
unknown
Result
Malware family:
pysilon
Create hunting rule
Score:
  10/10
Tags:
family:pysilon evasion execution persistence pyinstaller upx
Link:
https://tria.ge/reports/240702-wqbc6sydjj/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
UPX packed file
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Enumerates VirtualBox DLL files
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d4b1e409-7736-4bd1-b551-17f9d4361d52
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:PyInstaller_Packed_April_2024
Create hunting rule
Author:NDA0N
Description:Detects files packed with PyInstaller

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments