File name:

cstealer.exe

Full analysis: https://app.any.run/tasks/ff0e1ff1-c503-49df-a6b3-b9b3ab0d3fa8
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: September 21, 2024, 13:45:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pyinstaller
ims-api
generic
discordgrabber
stealer
waspstealer
python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

02AC9146D7D51B7032A4891DF606D82F

SHA1:

EB612A9A5B4D0DC852EB064B2D6D9FDEBDAD57F7

SHA256:

7EAA54CA79015F31664678C19E567E57219A4CCA237242CD9DA681B74247D498

SSDEEP:

98304:v6CMJBrswokcaCJr/VzkvddwCXkFqdz3aC3bww/Al+Biyz6oqV2kTpcGc4tP2bX+:MYQuyVqbrcC60OTv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DISCORDGRABBER has been detected (YARA)

      • cstealer.exe (PID: 2524)

    • WASPSTEALER has been detected (YARA)

      • cstealer.exe (PID: 2524)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • cstealer.exe (PID: 4476)

    • Loads Python modules

      • cstealer.exe (PID: 2524)

    • The process drops C-runtime libraries

      • cstealer.exe (PID: 4476)

    • Application launched itself

      • cstealer.exe (PID: 4476)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • cstealer.exe (PID: 2524)

    • Process drops python dynamic module

      • cstealer.exe (PID: 4476)

    • Executable content was dropped or overwritten

      • cstealer.exe (PID: 4476)

  • INFO

    • Create files in a temporary directory

      • cstealer.exe (PID: 4476)

    • Reads the computer name

      • cstealer.exe (PID: 4476)
      • cstealer.exe (PID: 2524)

    • Checks supported languages

      • cstealer.exe (PID: 2524)
      • cstealer.exe (PID: 4476)

    • PyInstaller has been detected (YARA)

      • cstealer.exe (PID: 4476)
      • cstealer.exe (PID: 2524)

    • Checks proxy server information

      • cstealer.exe (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:21 02:35:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 172032
InitializedDataSize: 154624
UninitializedDataSize: -
EntryPoint: 0xcdb0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT cstealer.exe THREAT cstealer.exe

Process information

PID
CMD
Path
Indicators
Parent process
2524"C:\Users\admin\Desktop\cstealer.exe" C:\Users\admin\Desktop\cstealer.exe
cstealer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cstealer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4476"C:\Users\admin\Desktop\cstealer.exe" C:\Users\admin\Desktop\cstealer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cstealer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
403
Read events
403
Write events
0
Delete events
0

Modification events

No data
Executable files
67
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_ARC4.pydexecutable
MD5:6176101B7C377A32C01AE3EDB7FD4DE6
SHA256:EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:C6B20332B4814799E643BADFFD8DF2CD
SHA256:61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_cast.pydexecutable
MD5:CF3C2F35C37AA066FA06113839C8A857
SHA256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_des.pydexecutable
MD5:0B538205388FDD99A043EE3AFAA074E4
SHA256:C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_des3.pydexecutable
MD5:6C3E976AB9F47825A5BD9F73E8DBA74E
SHA256:238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_blowfish.pydexecutable
MD5:45616B10ABE82D5BB18B9C3AB446E113
SHA256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:FEE13D4FB947835DBB62ACA7EAFF44EF
SHA256:3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:D48BFFA1AF800F6969CFB356D3F75AA6
SHA256:4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
4476cstealer.exeC:\Users\admin\AppData\Local\Temp\_MEI44762\Crypto\Cipher\_Salsa20.pydexecutable
MD5:371776A7E26BAEB3F75C93A8364C9AE0
SHA256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
20
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6924
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4200
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
6924
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4200
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.189.173.11:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2524
cstealer.exe
172.67.75.40:443
rentry.co
CLOUDFLARENET
US
suspicious
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6924
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.78
whitelisted
rentry.co
  • 172.67.75.40
  • 104.26.2.16
  • 104.26.3.16
unknown
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
2524
cstealer.exe
Misc activity
ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cstealer.exe