Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mint Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Overwrites Mozilla Firefox settings
Queries memory information (via WMI often done to detect virtual machines)
Sigma detected: DNS Query for Anonfiles.com Domain - Sysmon
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Yara detected Credential Stealer