Malware Analysis Evasive Stealer or Broken Sample?

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
Possible Powershell Password Stealer I came across. Marked as clean via multiple online analysis sites but in the code it appears to take passwords and upload them to discord. Might be broken as multiple errors are displayed.
Could someone take a deeper look?

 

WhiteMouse

Level 5
Verified
Well-known
Apr 19, 2017
240
It doesn't seem like a password stealer to me. It only copy history and browser bookmarks to Temp\BrowserData.txt.

507250409533.png
 

likeastar20

Level 8
Verified
Mar 24, 2016
374
Didn’t test it/look at the code, but check the VT analysis:

“…Overall, the code seems to be designed to extract browser data and upload it to Discord, potentially for malicious purposes…”
 
Last edited:

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
I’ve looked at this file a bit more and it appears to be a broken sample.

In all of the sandboxes, I’m 99% no discord webhook request was made (which is how it should transfer the data). Therefore the data just stays on the system.
 
  • Like
Reactions: Trident

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
With this file not being obfuscated it is quite straightforward to determine what it does and that is copying bookmarks and history of Chrome, Firefox, Edge and Opera to BookMarks.txt and uploading this to Discord as indicated by the PowerShell function name.

What is missing, is the context where and how this Powershell code is being used.
This part of the code references a variable $dc
$hookurl = "$dc"

This variable is not set, but it should contain the upload location for Discord. This is also the reason why it is not working. There is no evasion going on, it is just incomplete.

Without context it can be hard to determine if such a file is malicious or clean. However, in this case, I would give it a malware verdict, because I cannot imagine any legitimate reason to upload such data to Discord.

There might be a small chance that some legitimate application has an edge case for doing this, but as a malware analyst I would decide to detect this as malware until someone complains, because in all cases I have seen so far such a functionality was in context of a stealer or RAT with stealing functionality, using Discord channels to communicate and exfiltrate data.

It is odd though, that the code is not obfuscated. I can imagine this being the result of an AMSI dump, it being the code after unpacking, or being some template or example code for a malware.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
I believe i've found another sample similar to this one.
Appears to be some obsucre macro software, but I dont think its legitimate. Its signed by Node JS and its name leads to it being part of their software, refrences something related to minecraft services, and also runs a modified version of conhost, which the name of the process relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox
 
Last edited:

Xeno1234

Level 14
Thread author
Jun 12, 2023
684
I believe i've found another sample similar to this one.
Appears to be some obsucre macro software, but I dont think its legitimate. Its signed by Node JS and its name leads to it being part of their software, refrences something related to minecraft services, and also runs a modified version of conhost, which the name of the process relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox
Kaspersky added Signatures. Fully undetected by Checkpoint Harmony yesterday
 

likeastar20

Level 8
Verified
Mar 24, 2016
374
Kaspersky added Signatures. Fully undetected by Checkpoint Harmony yesterday
I believe i've found another sample similar to this one.
Appears to be some obsucre macro software, but I dont think its legitimate. Its signed by Node JS and its name leads to it being part of their software, refrences something related to minecraft services, and also runs a modified version of conhost, which the name of the process relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox
Interesting detection name by Kaspersky
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I believe i've found another sample similar to this one.
Appears to be some obsucre macro software, but I dont think its legitimate. Its signed by Node JS and its name leads to it being part of their software, refrences something related to minecraft services, and also runs a modified version of conhost, which the name of the process relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox

Assuming from the screenshot and the configuration file contents, it is a malware spreading hacktool.
I do not see similarity to the earlier sample.

1697078447078.png


1697078616552.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top