BAT/InfoStealer.97DB!tr.pws

Analysis

BAT/InfoStealer.97DB!tr.pws is a detection for a password-stealing trojan. A password-stealing trojan searches the infected system for passwords and sends them to a remote attacker.
Below are some of its observed characteristics/behaviours:

  • This malware takes the form of a batch script. The script uses curl in silent mode in an attempt to stealthily exfiltrate the victim's data via a Discord webhook. It downloads a tool that is used to take a screenshot of the victim's system when the script is run. The malware gathers system information and additional information, such as the currently running processes and remote user sessions, on the victim machine. It saves this information to multiple text files and sends the files to the Discord server. The malware then uses the curl command to try to steal user data related to Chrome, Opera, Vivaldi, Firefox, Steam, Minecraft, osu! and Growtopia and send it via the webhook. Finally, it creates a scheduled task for persistence and deletes itself after execution.

  • The malware attempts to connect to the following sites:
    • https://github.com/chun[removed]hot.exe?raw=true
    • https://discord.com/api/webhooks/9413[removed]W9T_c

  • The following file hashes are near/exact IOCs associated with this detection:
    • Md5:2ddce208e357acdeda2ff225778797db
      Sha256:a21f2e8e5861dbc232e4c6934edbf9fa355575d1e5839f7596a297b5737473c8
    • Md5:42aa3f8eaf14fc237623a29e8e467fc8
      Sha256:13b1a126765b4936cd01aa9028a0d89d32738a8b8521e9b42818a8d942489e52
    • Md5:49ff89a9dfccb072833c7e10df9f9ec1
      Sha256:88ce93eefb51f0ec32cb216c098843d7fb0ae9124a7eb4d9ea4149025a37e769
    • Md5:504c329152071270f61e62fae35873d1
      Sha256:9381803366b91869ae1eba87638d76d94b95e5c2a217705ff469c8c4f099d16a
    • Md5:ce2fc0e4340368bee0fb40c44b591325
      Sha256:397aeddedc17a6a977c636531da636a5c6e52a4512bae8d6c68156e20168e304
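The hashes above and the behaviours described in the analysis can be turned into a simple triage check. The following script is an added example written for this page, not Fortinet's detection logic: it matches a file's MD5/SHA256 against the IOCs listed above and, for batch scripts, scores the behavioural indicators the analysis names (silent curl, a Discord webhook URL, scheduled-task creation, self-deletion, references to the targeted applications). The sample batch text, the indicator regexes, the `min_hits` threshold and the function names are all constructed for this example and are not from the page.

```python
"""Triage helper modelled on the BAT/InfoStealer.97DB!tr.pws description (added example)."""
import hashlib
import re

# MD5 -> SHA256 pairs exactly as listed in the detection page's IOC section.
KNOWN_HASHES = {
    "2ddce208e357acdeda2ff225778797db": "a21f2e8e5861dbc232e4c6934edbf9fa355575d1e5839f7596a297b5737473c8",
    "42aa3f8eaf14fc237623a29e8e467fc8": "13b1a126765b4936cd01aa9028a0d89d32738a8b8521e9b42818a8d942489e52",
    "49ff89a9dfccb072833c7e10df9f9ec1": "88ce93eefb51f0ec32cb216c098843d7fb0ae9124a7eb4d9ea4149025a37e769",
    "504c329152071270f61e62fae35873d1": "9381803366b91869ae1eba87638d76d94b95e5c2a217705ff469c8c4f099d16a",
    "ce2fc0e4340368bee0fb40c44b591325": "397aeddedc17a6a977c636531da636a5c6e52a4512bae8d6c68156e20168e304",
}

# Behavioural indicators taken from the page's analysis; the regexes are this example's own heuristics.
INDICATORS = {
    "curl_silent": re.compile(r"\bcurl\b[^\n]*\s(-s|--silent)\b", re.I),
    "discord_webhook": re.compile(r"discord\.com/api/webhooks/", re.I),
    "scheduled_task": re.compile(r"\bschtasks\b[^\n]*/create", re.I),
    "self_delete": re.compile(r"\bdel\b[^\n]*%~f0", re.I),
    "targeted_apps": re.compile(r"\b(Chrome|Opera|Vivaldi|Firefox|Steam|Minecraft|osu!|Growtopia)\b", re.I),
}


def hash_match(data: bytes) -> tuple[str, str, bool]:
    """Return (md5, sha256, known) where known is True if either hash is in the IOC list."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    known = md5 in KNOWN_HASHES or sha256 in KNOWN_HASHES.values()
    return md5, sha256, known


def indicator_hits(text: str) -> dict[str, bool]:
    """Report which behavioural indicator categories appear in a script's text."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def triage(data: bytes, min_hits: int = 3) -> dict:
    """Combine exact IOC matching with the behavioural heuristic.

    Verdicts: 'known_bad' on a hash hit, 'suspicious' when at least min_hits
    indicator categories are present, otherwise 'no_match' (not a clean bill).
    """
    md5, sha256, known = hash_match(data)
    hits = indicator_hits(data.decode("utf-8", errors="replace"))
    hit_count = sum(hits.values())
    if known:
        verdict = "known_bad"
    elif hit_count >= min_hits:
        verdict = "suspicious"
    else:
        verdict = "no_match"
    return {"md5": md5, "sha256": sha256, "hits": hits, "hit_count": hit_count, "verdict": verdict}


# Constructed sample for testing the heuristic only; placeholder URL and task, not a real dropper.
SAMPLE_BAT = r"""@echo off
rem constructed test input
curl -s https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN
tasklist > %TEMP%\procs.txt
schtasks /create /tn "PlaceholderTask" /tr "C:\placeholder\script.bat" /sc onlogon
del "%~f0"
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BAT.encode()), indent=2))
```

The hash check is exact and only catches the five samples listed here; the indicator score is what lets an analyst flag re-packed variants of the same script, at the cost of false positives on legitimate batch files that happen to call curl and schtasks together, which is why the threshold requires several categories rather than one.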

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR

Version Updates

Date        Version    Detail
2022-06-07  90.03046
2022-03-15  90.00493