A Python-based info stealer now uses dynamic sandbox detection by pulling Indicators Of Detection (IOD) from online sources to decide whether to run. It also retrieves external indicator lists from rentry.co and exfiltrates cookies from a wide set of targeted sites. #PythonInfoStealer #SandboxDetection #Virtualization
Keypoints
- The malware is a Python-based info stealer that incorporates dynamic sandbox/VM detection.
- The Indicators Of Detection (IOD) list is stored online on a Pastebin-like site to allow updates across deployed scripts.
- The script fetches multiple indicator files from rentry.co to guide its behavior (e.g., GPU, VM name, BIOS, etc.).
- A sample check uses WMI to enumerate GPU information and exit if a match is found in the remote list (anti-analysis).
- The stealer targets cookies from a broad set of popular sites and exfiltrates them when keywords are present in URLs.
- The article notes the VT score and provides the SHA256 hash for the sample, linking to VirusTotal for context.
MITRE Techniques
- [T1497] Virtualization/Sandbox Evasion – “IOD (Indicators Of Detection) list is stored online on a Pastebin-like site, allowing the indicators to be updated for all scripts already deployed.” The malware uses online IODs to detect sandboxes and stops execution if detected. – “The script will fetch indicators from many files hosted on rentry.co”
- [T1105] Ingress Tool Transfer – The malware downloads indicator files from external hosts to configure its behavior. – “The script will fetch indicators from many files hosted on rentry.co” (e.g., processl = requests.get("hxxps://rentry[.]co/x6g3is75/raw").text)
- [T1047] Windows Management Instrumentation – The sample uses WMI to enumerate GPU information for detection. – Quoted snippet:
    def checkgpu(self):
        c = wmi.WMI()
        for gpu in c.Win32_DisplayConfiguration():
            GPUm = gpu.Description.strip()
- [T1555.003] Credentials in Web Browsers – The stealer exfiltrates cookies from targeted sites. – “Cookies belonging to URLs containing these keywords will also be exfiltrated.”
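The three techniques above combine into one recognisable pattern in the script's source: a raw paste fetched from rentry.co, a WMI hardware enumeration, and a hard exit when the hardware string appears in the fetched list. The following triage script, an added example that is not the diary's code or the malware's, scores a Python source file for that combination and extracts the paste URLs as defanged IoCs. The two embedded sources are constructed stand-ins (one mirrors the shape of the quoted checkgpu() snippet, one is a benign inventory script); pastebin.com and the extra Win32_* class names are assumptions added for breadth, only Win32_DisplayConfiguration and rentry.co come from the diary.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample that mirrors the shape of the quoted checkgpu() snippet;
# it is not the malware's source.
SAMPLE_SCRIPT = '''
import requests, sys, wmi

class Detect:
    def checkgpu(self):
        gpul = requests.get("https://rentry.co/x6g3is75/raw").text
        c = wmi.WMI()
        for gpu in c.Win32_DisplayConfiguration():
            GPUm = gpu.Description.strip()
            if GPUm in gpul:
                sys.exit()
'''

# Constructed benign inventory script: WMI enumeration on its own is not suspicious.
BENIGN_SCRIPT = '''
import wmi
c = wmi.WMI()
for gpu in c.Win32_DisplayConfiguration():
    print(gpu.Description)
'''

# Signal 1: fetching a raw paste from a paste site. rentry.co comes from the diary;
# pastebin.com is an assumption added for breadth.
PASTE_FETCH = re.compile(
    r'requests\.get\(\s*["\'](https?://(?:rentry\.co|pastebin\.com)/[^"\']*/raw)["\']'
)
# Signal 2: WMI hardware-fingerprinting classes. Win32_DisplayConfiguration is the
# one quoted in the diary; the others are assumed typical fingerprinting classes.
WMI_HW = re.compile(
    r'\bWin32_(?:DisplayConfiguration|VideoController|BIOS|ComputerSystem|BaseBoard)\s*\('
)
# Signal 3: a hard exit, i.e. the "stop execution if detected" branch.
HARD_EXIT = re.compile(r'\b(?:sys\.exit|os\._exit|exit|quit)\s*\(')


def defang(url: str) -> str:
    """Render a URL non-clickable for reports (hxxps://host[.]tld/...)."""
    parts = urlsplit(url)
    host = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


def triage(source: str) -> dict:
    """Score a Python source for the remote-IOD sandbox-check pattern."""
    urls = PASTE_FETCH.findall(source)
    signals = {
        "paste_fetch": bool(urls),
        "wmi_hardware": bool(WMI_HW.search(source)),
        "hard_exit": bool(HARD_EXIT.search(source)),
    }
    score = sum(signals.values())
    return {
        "score": score,
        "signals": signals,
        "iocs": [defang(u) for u in urls],
        # All three together is the pattern; two is worth a look; one is noise.
        "verdict": "suspicious" if score == 3 else ("review" if score == 2 else "clean"),
    }


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(src))
```

The verdict is deliberately conservative: a benign inventory script that only enumerates WMI classes scores one and is reported clean, while the extracted paste URLs give the proxy or DNS team something concrete to block or alert on.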
Indicators of Compromise
- [File hash] SHA256 – e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06
- [URL] Remote indicator files – https://rentry.co/x6g3is75/raw, https://rentry.co/ty8exwnb/raw, and 9 more items
- [Domain] Targeted sites for cookie exfiltration – coinbase.com, gmail.com, discord.com, and other sites listed in the keyword array
Read more: https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668/