EDR Product Analysis of an Infostealer

AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube.

Infostealer Being Distributed via YouTube

As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer infection.

AhnLab EDR keeps logs of what information has been stolen by Infostealers and where it was sent, greatly aiding in the tracking process and preventing further harm. As covered in the previously released analysis report, this malware steals an assortment of data stored on a PC. A folder named 44 is randomly created in either the ApplicationData, LocalApplicationData, or the CommonApplicationData path, where the stolen information is then copied and compressed before being sent. Currently, a connection cannot be established to the destination URL.

Figure 1. EDR detection screen

Figure 2. Process tree summary

Figure 1 shows the AhnLab EDR detection screen for the Infostealer that was distributed through YouTube which was mentioned earlier in this post. The various recorded data is summarized and organized in Figure 2. Based on the summarized process tree, the stolen data can be tracked through AhnLab EDR.

Figure 3. Detection screen of a compressed file being created

The search result shown in Figure 3 displays the timeline where the detection phrase from the process tree of Figure 2 was used. It can detect compressions that happen for the purpose of information stealing.

Figure 4. Detection screen of file creation

Figure 4 shows the detection screen that is displayed on AhnLab EDR about the txt files created by the Infostealer that contains the PC and process information. A process list is saved in process.txt while information.txt contains the extracted system information.

Figure 5. Detection screen of computer information collection

Figure 6. Detection screen of WMI queries

Figure 7. Clipboard data collected

Figures 5 through 7 demonstrate the detection of the stolen system information being stored in information.txt.

Figure 8. Screen capture

Figure 8 shows a record of the Infostealer taking a screenshot.

Figure 9. Checking stolen files

As shown in Figure 9, every EDR behavior is recorded in AhnLab EDR, including the copying of files by a stealer. This enables users to search for such behaviors.

Beyond the information already discussed, AhnLab EDR provides additional details that aid in tracking stolen information and its destination. Due to the accessibility of malware on various platforms, it is important for users to refrain from downloading illegal programs and opening emails from untrusted senders. Even if proactive measures are taken against all threats, mistakes can still occur. AhnLab EDR is able to respond to threats that occur due to mistakes.

[File Detection]
– Infostealer/Win.CALIBER.R513735 (2022.09.06.00)


– hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
– hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42

More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.

Categories:AhnLab Detection

5 2 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] post EDR Product Analysis of an Infostealer appeared first on ASEC […]