Analysis Overview
SHA256
cfc6d572bd3b9eb1ac7781cfcfc60a1b5c536d1d169d7f19e51298b82df1ed4e
Threat Level: Known bad
The file EnigmaSpf.zip was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Unsigned PE
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-19 23:19
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 23:19
Reported
2024-06-19 23:20
Platform
win7-20240611-en
Max time kernel
1s
Max time network
1s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| N/A | 127.0.0.1:49207 | N/A | tcp |
| N/A | 127.0.0.1:49209 | N/A | tcp |
| N/A | 23.63.101.171:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 199.232.214.172:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 23.55.97.11:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 23.55.97.11:80 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 23:19
Reported
2024-06-19 23:23
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe
"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
C:\Windows\system32\cmd.exe
cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
C:\Windows\system32\timeout.exe
timeout /t 5
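The process tree above is the part of this report worth turning into detection logic. The dropped executable (running from the user's Temp directory) spawns cmd.exe to run `certutil -hashfile` against its own image, with the two `find /i /v` filters stripping certutil's header and footer lines so only the MD5 value is left on stdout; it then launches a second cmd.exe chain that sets a console title of "Error", echoes "Couldn't resolve host name" and waits five seconds with timeout.exe, which is what the "Delays execution with timeout.exe" signature keys on. The Win7 run (behavioral1) stopped after 1 s and only reached the certutil stage. The script below is an added example, not part of this report and not BlankGrabber's own code: it applies three rules to process-creation records modelled on this tree. The record format, pids, parent pids and rule names are assumptions for the example, and the two trailing records are a constructed benign control (an interactive shell hashing an ISO) to show the self-hash rule does not fire on ordinary certutil use.

```python
import re

# Constructed process-creation records modelled on the behavioral2 process
# tree above. Field names, pids and ppids are assumed for the example; this
# is not real sandbox or Sysmon output.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\EnigmaSpf.exe" MD5'},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\system32\find.exe",
     "cmdline": r'find /i /v "md5"'},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\system32\find.exe",
     "cmdline": r'find /i /v "certutil"'},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"'''},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"'''},
    {"pid": 107, "ppid": 106, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": r"timeout /t 5"},
    # Constructed benign control: an admin hashing an ISO from an interactive shell.
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\system32\certutil.exe",
     "cmdline": r'certutil -hashfile "D:\iso\win11.iso" SHA256'},
]

# certutil -hashfile <path> [algorithm]; the path may or may not be quoted.
HASHFILE_RE = re.compile(r'-hashfile\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Image path under the user's Temp directory (where the sample ran from).
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# A cmd line that sets a window title and then echoes text: the decoy console.
DECOY_RE = re.compile(r'\btitle\b.*\becho\b', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hashfile_target(cmdline):
    """Return the file path passed to certutil -hashfile, or None."""
    m = HASHFILE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def ancestors(by_pid, pid):
    """Walk parent links upward from pid; stops at a missing parent or a cycle."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        ppid = cur["ppid"]
        if ppid in seen or ppid not in by_pid:
            break
        seen.add(ppid)
        cur = by_pid[ppid]
        yield cur


def detect(events):
    """Apply the three rules and return sorted (rule, pid) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = list(ancestors(by_pid, e["pid"]))
        # Rule 1: certutil hashing the image of one of its own ancestors,
        # i.e. a binary computing its own hash rather than a user checking a download.
        if name == "certutil.exe":
            target = hashfile_target(e["cmdline"])
            if target and any(target.lower() == a["image"].lower() for a in chain):
                findings.append(("certutil_self_hash", e["pid"]))
        # Rule 2: timeout.exe under a cmd.exe that titles a window and echoes a
        # message, the decoy-error-then-sleep pattern seen in this sample.
        if name == "timeout.exe" and any(
            basename(a["image"]) == "cmd.exe" and DECOY_RE.search(a["cmdline"]) for a in chain
        ):
            findings.append(("decoy_error_timeout", e["pid"]))
        # Rule 3: cmd.exe launched directly by something running out of %TEMP%.
        parent = by_pid.get(e["ppid"])
        if name == "cmd.exe" and parent and TEMP_RE.search(parent["image"]):
            findings.append(("shell_spawned_from_temp", e["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 is the one with the best signal-to-noise ratio: certutil hashing files is common, but a process hashing its own executable (found by comparing the -hashfile argument against the image paths up its parent chain) is not something an administrator does from a shell. Rule 3 is noisy on its own and is best used as context for the other two. When feeding real Sysmon Event ID 1 data, map Image, CommandLine, ProcessId and ParentProcessId onto the fields used here and keep the case-insensitive comparisons, since Windows paths are case-insensitive and the sample's own command lines mix `system32` and `System32` style paths freely.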
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| N/A | 127.0.0.1:61577 | N/A | tcp |
| N/A | 127.0.0.1:61579 | N/A | tcp |