Edit tour
Windows
Analysis Report
TiKj3IVDj4.exe
Overview
General Information
| Sample name: | TiKj3IVDj4.exerenamed because original name is a hash value |
| Original sample name: | 56543167a8b1731dafeee93e5f2bf479.exe |
| Analysis ID: | 1428424 |
| MD5: | 56543167a8b1731dafeee93e5f2bf479 |
| SHA1: | de6722a7ac2976d3ae3780057beb18e461a035b1 |
| SHA256: | 22eedb7d3fabf9d2719f4baf7c6ec7a077b0d8c43f46cc2be02a4a30baa30726 |
| Tags: | 64exePythonStealertrojan |
| Infos: |   |
 | |
Detection
Mint Stealer
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mint Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Overwrites Mozilla Firefox settings
Queries memory information (via WMI often done to detect virtual machines)
Sigma detected: DNS Query for Anonfiles.com Domain - Sysmon
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Yara detected Credential Stealer
Classification
- System is w10x64
TiKj3IVDj4.exe (PID: 3036 cmdline: "C:\Users\ user\Deskt op\TiKj3IV Dj4.exe" MD5: 56543167A8B1731DAFEEE93E5F2BF479) 
conhost.exe (PID: 5888 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - amady.exe (PID: 1796 cmdline:
"C:\Users\ user\Deskt op\TiKj3IV Dj4.exe" MD5: C7719270D0E6CF4E65EC4C827ACECE06) 
powershell.exe (PID: 6216 cmdline: powershell -c "Get-W miObject - Query \"Se lect * fro m Win32_Ca cheMemory\ "" MD5: 04029E121A0CFA5991749937DD22A1D9) 
HOSTNAME.EXE (PID: 7016 cmdline: hostname MD5: 33AFAA43B84BDEAB12E02F9DBD2B2EE0) - cmd.exe (PID: 3564 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic csp roduct get uuid | mo re +1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
WMIC.exe (PID: 4296 cmdline: wmic cspro duct get u uid MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - more.com (PID: 6188 cmdline:
more +1 MD5: EDB3046610020EE614B5B81B0439895E) - cmd.exe (PID: 520 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic OS get captio n, osarchi tecture | more +1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WMIC.exe (PID: 1912 cmdline:
wmic OS ge t caption, osarchite cture MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - more.com (PID: 744 cmdline:
more +1 MD5: EDB3046610020EE614B5B81B0439895E) - cmd.exe (PID: 5292 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic cpu get name | more +1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WMIC.exe (PID: 2608 cmdline:
wmic cpu g et name MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - more.com (PID: 3452 cmdline:
more +1 MD5: EDB3046610020EE614B5B81B0439895E) - cmd.exe (PID: 3088 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic PAT H Win32_Vi deoControl ler get na me | more +1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WMIC.exe (PID: 2056 cmdline:
wmic PATH Win32_Vide oControlle r get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - more.com (PID: 1156 cmdline:
more +1 MD5: EDB3046610020EE614B5B81B0439895E) - cmd.exe (PID: 1568 cmdline:
C:\Windows \system32\ cmd.exe /c "wmic com putersyste m get tota lphysicalm emory | mo re +1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - WMIC.exe (PID: 2864 cmdline:
wmic compu tersystem get totalp hysicalmem ory MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - more.com (PID: 1848 cmdline:
more +1 MD5: EDB3046610020EE614B5B81B0439895E)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_MintStealer | Yara detected Mint Stealer | Joe Security | ||
| JoeSecurity_MintStealer | Yara detected Mint Stealer | Joe Security | ||
| JoeSecurity_MintStealer | Yara detected Mint Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_MintStealer | Yara detected Mint Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: pH-T (Nextron Systems): | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: frack113: | ||
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||