UNVEILING A PYTHON STEALER – INF0S3C STEALER

Cyfirma’s analysis describes Inf0s3c Stealer, a Python-based grabber packaged with PyInstaller and compressed with UPX. It collects system details and user data (Discord and Telegram tokens, cryptocurrency wallets, browser artifacts, and Wi‑Fi credentials), captures screenshots and webcam images, packages the results into a password-protected RAR archive, and exfiltrates that archive to an attacker-controlled Discord channel. The report links the sample’s design and obfuscation to the Blank Grabber and Umbral‑Stealer projects and provides a YARA rule and mitigation recommendations.

Keypoints

  • Inf0s3c Stealer is a 64-bit Windows PE built with PyInstaller and compressed with UPX, containing embedded Python bytecode and resources.
  • The malware collects extensive system information (systeminfo, getmac), running processes (tasklist), directory trees (tree /A /F), screenshots, and webcam captures, then organizes data in a %temp% working directory.
  • It targets sensitive user artifacts including passwords, cookies, autofill data, browsing history, Discord and Telegram tokens/sessions, gaming accounts, and cryptocurrency wallets.
  • Collected data is archived into a password-protected RAR (default password “blank123”) and exfiltrated to an external Discord channel labeled “Blank Grabber”.
  • Persistence techniques include copying the executable to the Windows Startup folder (masqueraded as .scr) and registry-based autostart; it also offers UAC bypass, anti‑VM checks, AV‑blocking, and an option to self-delete (“melt”).
  • Static and dynamic analyses reveal use of Windows API calls for process and memory operations (e.g., OpenProcessToken, VirtualProtect) and runtime obfuscation via compression and Base64 encoding of Python code.
  • YARA rule “Inf0s3c_Grabber_Malware” is provided for detection; recommendations include endpoint protection, network monitoring, PowerShell/command logging, and incident response measures.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Listed by the report for host interrogation. Note that the quoted evidence, ‘runs systeminfo and getmac to collect OS, hardware, and MAC address details,’ describes command-line utilities, which is T1059.003 (Windows Command Shell) feeding T1082 rather than WMI; treat WMI use as unconfirmed by the quoted text.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell invoked via cmd.exe to gather host information and perform collection tasks; quoted behavior: ‘silently invokes multiple PowerShell commands through the Command Prompt to gather host information.’
  • [T1064] Scripting (deprecated in ATT&CK and folded into T1059) – Embedded Python bytecode, compressed and Base64-encoded, is reconstructed and executed at runtime to implement the grabber; quoted behavior: ‘an obfuscation routine that compresses and Base64-encodes the Python code, which is then reconstructed and executed at runtime.’
  • [T1106] Native API – Windows API imports (e.g., OpenProcessToken, VirtualProtect) for token and memory-protection operations; quoted behavior: ‘APIs such as OpenProcessToken and VirtualProtect are present in the import table.’ Presence in the import table shows capability, not that each import is exercised at runtime.
  • [T1129] Shared Modules – Bundles dependency libraries and an embedded Python runtime via PyInstaller so the sample runs without a host-installed Python; quoted behavior: ‘unpacks and loads bundled dependency libraries, including an embedded Python environment and required modules.’
  • [T1112] Modify Registry – Registry-based autostart is listed among the persistence options; the quoted behavior, ‘Implements persistence via Windows Startup and UAC bypass,’ does not name a key or value, so the exact registry entry is not documented here.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Copies the executable to the user Startup folder (disguised as .scr) for autostart; quoted behavior: ‘copies the executable into the Windows Startup folder (disguised with a .scr extension) so it runs automatically each time the system starts.’
  • [T1027.002] Obfuscated Files or Information: Software Packing – Uses UPX and PyInstaller packing to obscure code and hinder analysis; quoted behavior: ‘packed with UPX … and subsequently packed using PyInstaller.’
  • [T1036] Masquerading – The dropped copy is disguised as a .scr screensaver file in the Startup folder; quoted behavior: ‘disguised with a .scr extension.’ The archive name Blank-WDAGUtilityAccount.rar is a staging artifact rather than a masquerade (WDAGUtilityAccount is the analysis sandbox’s account, which suggests a Blank-<username>.rar naming pattern); the report’s line ‘produced Blank-WDAGUtilityAccount.rar, confirming the malware’s design for secure data exfiltration’ supports collection, not T1036.
  • [T1070.006] Indicator Removal: Timestomp – Not supported by the quoted evidence: ‘Can self-delete or “melt” after execution’ describes deleting the binary, which is T1070.004 (Indicator Removal: File Deletion); nothing quoted describes timestamp modification.
  • [T1140] Deobfuscate/Decode Files or Information – Reconstructs compressed/Base64-encoded Python code at runtime before execution; quoted behavior: ‘compresses and Base64-encodes the Python code, which is then reconstructed and executed at runtime.’
  • [T1202] Indirect Command Execution – The quoted behavior, ‘executes Windows commands (systeminfo and getmac) … runs the tasklist command … using tree /A /F,’ is ordinary execution through cmd.exe, i.e. T1059.003; T1202 covers execution proxies such as forfiles or pcalua.exe, none of which are cited.
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Performs anti-VM and environment checks to evade analysis sandboxes; quoted behavior: ‘Includes anti-VM checks.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Capable of blocking antivirus-related sites; quoted behavior: ‘ability to block antivirus-related sites.’ The mechanism (hosts file, firewall rule, or other) is not stated.
  • [T1003] OS Credential Dumping – Mis-mapped: the quoted behavior (‘collects … Wi-Fi passwords’; ‘steals sensitive data, including passwords, cookies, autofill data’) is harvesting of browser-stored credentials (T1555.003, Credentials from Web Browsers) and saved Wi‑Fi profile keys (T1552, Unsecured Credentials); T1003 covers LSASS, SAM, and NTDS material, which the report does not describe.
  • [T1057] Process Discovery – Enumerates running processes and loaded modules (tasklist; K32EnumProcessModules in the import table); quoted behavior: ‘enumerates running processes and generates hierarchical views’ and ‘tasklist/FO LIST saved as Task List.txt.’
  • [T1082] System Information Discovery – Gathers computer name, CPU information, product key, IP and geolocation data; quoted behavior: ‘captures system details such as computer name, CPU information, and product key’.
  • [T1083] File and Directory Discovery – Enumerates common user directories and builds directory trees; quoted behavior: ‘collects directory structures from user folders (Desktop, Pictures, Documents, Music, Videos, Downloads) using tree /A /F.’
  • [T1005] Data from Local System – Collects local files and artifacts (screenshots, browser data, wallets) for exfiltration; quoted behavior: ‘targets … screenshots, and other related data.’
  • [T1115] Clipboard Data – Listed in the analysis as a collection capability; no quoted behavior beyond the listing.
  • [T1071] Application Layer Protocol – Exfiltrates the stolen archive to Discord over HTTPS; quoted behavior: ‘transmits the packaged data to an external communication channel … delivered via Discord’. T1567 (Exfiltration Over Web Service; T1567.004 if delivery is via a Discord webhook) describes this more precisely than a generic application-layer protocol.
  • [T1485] Data Destruction – Not supported: the self-delete/“melt” option (‘Can self-delete or “melt” after execution’) removes the malware’s own binary, which is T1070.004, not destruction of victim data.
  • [T1486] Data Encrypted for Impact – Mis-mapped: the password-protected RAR (‘creates a password-protected RAR archive of collected data … default password (“blank123”)’) protects the stolen data in transit, which is T1560.001 (Archive Collected Data: Archive via Utility, here rar.exe); T1486 is ransomware-style encryption of victim data, which is not described.

Indicators of Compromise

  • [File Hash] SHA-256 of the analyzed PE: 50AE8793DBF1D9B543EE3CFAA01CAB0547DABB83033D1F142F2E672FCD0DC040 (from the YARA rule metadata)
  • [File Name] Blank-WDAGUtilityAccount.rar (stolen archive; WDAGUtilityAccount is the analysis sandbox’s account, so on a real host expect Blank-<username>.rar), build.exe (sample binary)
  • [String Indicators] “Blank Grabber”, “blank123” (archive password), “rar.exe” (archiver used for packaging)
  • [PE/Packers] UPX! signature and PyInstaller markers (“pyi_rth_”, “_MEIPASS”); on a UPX-packed sample most of these strings are only visible after unpacking
  • [Registry/Autostart] copy of the executable in the user Startup folder with a .scr extension; registry Run keys referenced for autostart (no specific key or value named)
  • [Network/Channel] Discord channel labeled “Blank Grabber” receiving the archives
  • [API Imports] OpenProcessToken, VirtualProtect, GetEnvironmentVariableW, ConvertStringSecurityDescriptorToSecurityDescriptorW (present in the import table; all are common in benign binaries, so use them only alongside the other indicators)
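The hash, section and string indicators above can be checked offline with a few lines of Python. The following static-triage script is an added example, not Cyfirma's code and not their YARA rule: it walks the PE header to read section names (UPX-packed files carry UPX0/UPX1 sections), looks for the PyInstaller archive cookie (a PyInstaller constant, not something taken from the report), scans for the quoted strings and compares the SHA-256 against the listed hash. The PE blob it builds for the demonstration is constructed and is not the real sample.

```python
"""Static triage of a suspect PE against the Inf0s3c / Blank Grabber indicators.

Added illustration, not Cyfirma's code. build_sample_pe() produces a
constructed, non-executable PE-shaped blob for offline testing only.
"""
import hashlib
import struct
from typing import Dict, List

KNOWN_SHA256 = "50ae8793dbf1d9b543ee3cfaa01cab0547dabb83033d1f142f2e672fcd0dc040"
STRING_INDICATORS = [b"Blank Grabber", b"blank123", b"rar.exe", b"pyi_rth_", b"_MEIPASS", b"UPX!"]
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"   # PyInstaller CArchive cookie magic


def pe_section_names(data: bytes) -> List[str]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; return names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table follows optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> Dict[str, object]:
    """Hash match or the 'Blank Grabber' string is a match; UPX + PyInstaller alone is only suspicious."""
    sha256 = hashlib.sha256(data).hexdigest()
    sections = pe_section_names(data)
    found = [s.decode() for s in STRING_INDICATORS if s in data]
    upx = any(n.upper().startswith("UPX") for n in sections) or "UPX!" in found
    pyinstaller = PYINSTALLER_COOKIE in data or "_MEIPASS" in found or "pyi_rth_" in found
    if sha256 == KNOWN_SHA256 or "Blank Grabber" in found:
        verdict = "match"
    elif upx and pyinstaller:
        verdict = "suspicious"   # plenty of legitimate tools ship this way; unpack and look further
    else:
        verdict = "no-match"
    return {
        "sha256": sha256,
        "hash_match": sha256 == KNOWN_SHA256,
        "sections": sections,
        "strings": found,
        "upx_packed": upx,
        "pyinstaller": pyinstaller,
        "verdict": verdict,
    }


def build_sample_pe(section_names: List[str], payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (test input only, not a runnable executable)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=AMD64, NumberOfSections, three zero dwords, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x0022)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    demo = build_sample_pe(["UPX0", "UPX1", ".rsrc"],
                           PYINSTALLER_COOKIE + b" pyi_rth_win32 Blank Grabber blank123 rar.exe")
    for key, value in triage(demo).items():
        print(f"{key}: {value}")
```

Run it as `triage(open(path, "rb").read())`. On a genuinely UPX-packed sample the section names and the PyInstaller cookie (which lives in the overlay UPX leaves uncompressed) are visible before unpacking, but the quoted strings usually only appear after `upx -d`, so a "suspicious" verdict is the cue to unpack and re-run rather than a clean bill.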


Read more: https://www.cyfirma.com/research/unveiling-a-python-stealer-inf0s3c-stealer/