File name:	Infinity.exe
Full analysis:	https://app.any.run/tasks/53ca68e1-b858-4f60-90ea-746e742e7703
Verdict:	Malicious activity
Threats:	Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 06, 2025, 22:26:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion stealer python exela screenshot discord pyinstaller susp-powershell ims-api generic discordgrabber growtopia upx rust
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	84B29DC904C2E7F624E9401B66D78704
SHA1:	D7E9C010F945905408E084394DC93C3620DC20A2
SHA256:	B0C852BB64AB08B015CE82333AEB44A5F9A5828CB13C059E497ADF99CC417E70
SSDEEP:	98304:3J30tg3RDx6IrrLl90v+XHVFRSmd3xIW2nGqqMAA8VH8Be/q/Ks7mVx/KW/7bxR4:ZlgoFxvfA3XovcBNUaio

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:02:06 11:49:12+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	172032
InitializedDataSize:	94208
UninitializedDataSize:	-
EntryPoint:	0xce20
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.746
ProductVersionNumber:	10.0.19041.746
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Infinity Services
FileVersion:	10.0.19041.746 (WinBuild.160101.0800)
InternalName:	Infinity.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	Infinity.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.746


(PID) Process:	(3996) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31160550
(PID) Process:	(3996) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:

PID	Process	Filename		Type
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_ctypes.pyd		executable
		MD5:B1F12F4BFC0BD49A6646A0786BC5BC00	SHA256:1FE61645ED626FC1DEC56B2E90E8E551066A7FF86EDBD67B41CB92211358F3D7
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_cffi_backend.cp310-win_amd64.pyd		executable
		MD5:7727212E7BDBF63B1A39FB7FAAD24265	SHA256:B0116303E1E903D6EB02A69D05879F38AF1640813F4B110CB733FFFF6E4E985C
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_lzma.pyd		executable
		MD5:95BADB08CD77E563C9753FADC39A34DD	SHA256:5545627B465D780B6107680922EF44144A22939DD406DEAE44858B79747E301A
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\VCRUNTIME140.dll		executable
		MD5:11D9AC94E8CB17BD23DEA89F8E757F18	SHA256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_decimal.pyd		executable
		MD5:B7F498DA5AEC35140A6D928A8F792911	SHA256:B15F0DC3CE6955336162C9428077DCEDFA1C52E60296251521819F3239C26EE8
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_asyncio.pyd		executable
		MD5:480D3F4496E16D54BB5313D206164134	SHA256:568FB5C3D9B170CE1081AD12818B9A12F44AB1577449425A3EF30C2EFBEE613D
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_multiprocessing.pyd		executable
		MD5:28F6FCC0B7BB10A45FF1370C9E1B9561	SHA256:6DD33D49554EE61490725EA2C9129C15544791AB7A65FB523CC9B4F88D38744B
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_overlapped.pyd		executable
		MD5:745706AB482FE9C9F92383292F121072	SHA256:4D98E7D1B74BD209F8C66E1A276F60B470F6A5D6F519F76A91EB75BE157A903D
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_hashlib.pyd		executable
		MD5:31DFA2CAAEE02CC38ADF4897B192D6D1	SHA256:DC045AC7D4BDE60B0F122D307FCD2BBAF5E1261A280C4FB67CFC43DE5C0C2A0F
6476	Infinity.exe	C:\Users\admin\AppData\Local\Temp\_MEI64762\_sqlite3.pyd		executable
		MD5:1DBEC8753E5CD062CD71A8BB294F28F9	SHA256:6D95D41A36B5C9E3A895EFF91149978AA383B6A8617D542ACCEF2080737C3CAD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.18:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	23.48.23.18:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6500	Infinity.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	whitelisted
—	—	GET	404	45.112.123.126:443	https://api.gofile.io/getServer	unknown	text	14 b	whitelisted
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1337013960460861530/xR8z94mEjnq1Nkw-7dJ0Hkii5A_lVS1lryyizVaTkoecVWKJOXpliNRkWQcqDyCA3iSb	unknown	—	—	whitelisted
—	—	POST	404	162.159.138.232:443	https://discord.com/api/webhooks/1337013960460861530/xR8z94mEjnq1Nkw-7dJ0Hkii5A_lVS1lryyizVaTkoecVWKJOXpliNRkWQcqDyCA3iSb	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1337013960460861530/xR8z94mEjnq1Nkw-7dJ0Hkii5A_lVS1lryyizVaTkoecVWKJOXpliNRkWQcqDyCA3iSb	unknown	binary	45 b	whitelisted
—	—	POST	200	45.112.123.227:443	https://store1.gofile.io/uploadFile	unknown	binary	442 b	whitelisted
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1337013960460861530/xR8z94mEjnq1Nkw-7dJ0Hkii5A_lVS1lryyizVaTkoecVWKJOXpliNRkWQcqDyCA3iSb	unknown	binary	45 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3220	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.18:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3220	svchost.exe	23.48.23.18:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
www.bing.com	104.126.37.128 104.126.37.131 104.126.37.154 104.126.37.139 104.126.37.146 104.126.37.130 104.126.37.186 104.126.37.153 104.126.37.123	whitelisted
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 20.73.194.208	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.48.23.18 23.48.23.30 23.48.23.32 23.48.23.37	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ip-api.com	208.95.112.1	whitelisted
discord.com	162.159.128.233 162.159.137.232 162.159.136.232 162.159.138.232 162.159.135.232	whitelisted
api.gofile.io	45.112.123.126	whitelisted
store1.gofile.io	45.112.123.227	whitelisted
self.events.data.microsoft.com	20.189.173.18	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6500	Infinity.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
2192	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
—	—	Misc activity	ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
6500	Infinity.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
6500	Infinity.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
—	—	Misc activity	ET HUNTING Discord WebHook Activity M2 (Contains Key, embeds)
2192	svchost.exe	Potentially Bad Traffic	ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
6500	Infinity.exe	Misc activity	ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)

General Info

Infinity.exe

84B29DC904C2E7F624E9401B66D78704

D7E9C010F945905408E084394DC93C3620DC20A2

B0C852BB64AB08B015CE82333AEB44A5F9A5828CB13C059E497ADF99CC417E70

98304:3J30tg3RDx6IrrLl90v+XHVFRSmd3xIW2nGqqMAA8VH8Be/q/Ks7mVx/KW/7bxR4:ZlgoFxvfA3XovcBNUaio

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Steals credentials from Web Browsers

Actions looks like stealing of personal data

ExelaStealer has been detected

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

DISCORDGRABBER has been detected (YARA)

Bypass execution policy to execute commands

GROWTOPIA has been detected (YARA)

Changes powershell execution policy (Bypass)

SUSPICIOUS

Executable content was dropped or overwritten

Get information on the list of running processes

Uses WMIC.EXE to obtain Windows Installer data

Process drops legitimate windows executable

Process drops python dynamic module

The process drops C-runtime libraries

Starts a Microsoft application from unusual location

Application launched itself

Accesses product unique identifier via WMI (SCRIPT)

Uses ATTRIB.EXE to modify file attributes

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Starts POWERSHELL.EXE for commands execution

Checks for external IP

Uses WMIC.EXE to obtain local storage devices information

Uses QUSER.EXE to read information about current user sessions

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

Uses WMIC.EXE to obtain commands that are run when users log in

Process uses IPCONFIG to discover network configuration

Possible usage of Discord/Telegram API has been detected (YARA)

Uses ROUTE.EXE to obtain the routing table information

Windows service management via SC.EXE

Suspicious use of NETSH.EXE

BASE64 encoded PowerShell command has been detected

Base64-obfuscated command line is found

Process uses ARP to discover network configuration

Starts SC.EXE for service management

CSC.EXE is used to compile C# code

Loads Python modules

Captures screenshot (POWERSHELL)

The process bypasses the loading of PowerShell profile settings

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Changes the display of characters in the console

The Powershell gets current clipboard

PyInstaller has been detected (YARA)

Reads the time zone

Found Base64 encoded reflection usage via PowerShell (YARA)

Prints a route via ROUTE.EXE

Application based on Rust

Reads the machine GUID from the registry

Checks operating system version

UPX packer has been detected

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes