
Friday, March 22, 2019

Analysis of .Net Stealer GrandSteal (2019-03-18)

In this post I share my notes on the analysis of a sample (a stealer written in .Net) whose family is unknown to me (any feedback is welcome: if you know the family of the sample I describe, please tell me and I will update this post). Somebody tagged the sample as Quasar at Any.Run; however, after analyzing it and comparing it with the Quasar code, I concluded that this sample does not seem to belong to the Quasar family. Searching for information about the collected IoCs did not help to classify the sample either. I am calling it GrandSteal because of the internal names of the .Net classes in the malware's decompiled code.


  • Original Packed Sample: 89782B6CDAAAB7848D544255D5FE7002
  • Source Url: http://a4.doshimotai[.]ru/pxpx.exe
  • Info Url: VxVault URLhaus
  • Automatically Generated Report: PepperMalware Report
  • Virustotal First Submission: 2019-03-18 22:28:20
  • Any.Run Analysis: Here
  • Any.Run Tags: Evasion, Trojan, Rat, Quasar
  • My Classification: I named it GrandSteal because of the internal .Net class names (if you have any information about any well-known family that this malware belongs to, please tell me and I will update this post)
  • Decompiled Source Code: PepperMalware Github
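As an added example (not part of the original post or the PepperMalware tooling), the script below shows how a defender could turn the two concrete IoCs listed above (the sample MD5 and the defanged source URL) into a simple sweep over proxy logs and file hashes. The log lines, file paths and the second hash are constructed for the example; the log format is an assumption, not a real product's format.

```python
"""Sweep constructed proxy-log lines and file hashes for the IoCs from the post above."""
import hashlib
import re

# IoCs copied from the post above (MD5 lower-cased for comparison).
SAMPLE_MD5 = "89782b6cdaaab7848d544255d5fe7002"
DEFANGED_URL = "http://a4.doshimotai[.]ru/pxpx.exe"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form for matching."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Extract the host part of a URL (scheme stripped, path and port dropped)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of a byte string, for comparison against SAMPLE_MD5."""
    return hashlib.md5(data).hexdigest()


def find_ioc_hits(log_lines, md5_by_path):
    """Return (kind, evidence) tuples for every log line or file that matches an IoC."""
    hits = []
    host = host_of(refang(DEFANGED_URL))
    for line in log_lines:
        if host in line:                      # any request to the distribution host
            hits.append(("network", line))
    for path, digest in md5_by_path.items():
        if digest.lower() == SAMPLE_MD5:      # exact hash match on the packed sample
            hits.append(("file", path))
    return hits


# Constructed sample data (not from the post): an assumed proxy-log layout and
# a small file inventory where the second hash is a made-up placeholder.
SAMPLE_PROXY_LOG = [
    "2019-03-18T22:10:03Z 10.0.0.5 GET http://a4.doshimotai.ru/pxpx.exe 200 application/octet-stream",
    "2019-03-18T22:10:09Z 10.0.0.5 GET http://example.com/index.html 200 text/html",
    "2019-03-18T22:11:40Z 10.0.0.7 CONNECT a4.doshimotai.ru:443 200",
]
SAMPLE_HASHES = {
    "C:\\Users\\victim\\Downloads\\pxpx.exe": "89782B6CDAAAB7848D544255D5FE7002",
    "C:\\Windows\\notepad.exe": "0d0c44c6b4a2d4b5fb1a7a2b2c3d4e5f",  # constructed placeholder
}

if __name__ == "__main__":
    for kind, evidence in find_ioc_hits(SAMPLE_PROXY_LOG, SAMPLE_HASHES):
        print(f"[{kind}] {evidence}")
```

Matching on the host rather than the full URL is deliberate: the same host may serve the payload under other paths, and a CONNECT line carries no path at all.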