Thursday, April 2, 2026

Stealthy Python Malware Uses Discord to Steal Windows Data


Inf0s3c Stealer is a stealthy Python-based grabber built to harvest system information and user data from Windows hosts.

Packed as a 64-bit PE file compressed with UPX and bundled via PyInstaller, the executable imports a suite of Windows API functions to enumerate processes, navigate directories, manipulate memory, and manage security settings.

Once executed, it methodically collects host identifiers, CPU details, network configurations, and captures screenshots.

It then traverses user folders—Desktop, Documents, Pictures, Downloads—compiles the stolen data into a temporary workspace, and packages everything into a password-protected RAR archive.

Finally, the malware exfiltrates the archive automatically to an attacker-controlled Discord channel. Inf0s3c Stealer demonstrates host reconnaissance, data aggregation, secure packaging, and automated exfiltration capabilities, making it a potent tool for targeted data theft.

This analysis dissects a Windows grabber specimen dubbed Inf0s3c Stealer. The 6.8 MB sample is a 64-bit Portable Executable, first compressed with UPX 5.02 and then packed using PyInstaller, hiding embedded Python bytecode and resources.

Pestudio.

Through unpacking and extraction, researchers obtained the malware’s internal components, enabling a detailed review of its packing layers, imported Windows API calls, and runtime behavior focused on data collection and covert exfiltration.

  • Inf0s3c Stealer gathers system information, running processes, directory trees, and saved Wi-Fi credentials.
  • It captures screenshots and webcam images, and can display deceptive error dialogs.
  • The malware targets saved passwords, cookies, autofill entries, browsing history, crypto wallets, Discord tokens, and Telegram sessions.
  • It injects code into Discord for persistence and token harvesting.
  • Persistence is achieved via Windows Startup folder installation and an optional UAC bypass.
  • Anti-analysis features include virtual machine checks and the ability to block antivirus update sites.
  • Upon completion, it can self-delete (“melt”) to erase traces.
  • A “pump stub” feature artificially inflates the executable size to evade simple heuristic detections.

Static Analysis of BUILD.EXE

The sample’s import table lists functions across five categories:

  • File/Directory Operations (WriteFile, DeleteFileW, FindFirstFileW) enable content enumeration and manipulation.
  • Process Management (OpenProcessToken, GetTokenInformation, K32EnumProcessModules) facilitates privilege checks and process inspection.
  • System Control (GetEnvironmentVariableW, SystemParametersInfoW) allows reading and modifying host configuration.
  • Memory/Anti-Debug (VirtualProtect, RaiseException, QueryPerformanceFrequency) supports in-memory code unpacking and timing checks.
  • Security Management (ConvertStringSecurityDescriptorToSecurityDescriptorW) enables ACL adjustments.

Packed with UPX and PyInstaller, the binary hides Python libraries and scripts in its overlay. Using a PyInstaller extractor, analysts retrieved embedded .pyc files and resources.

Among the extracted logic is a routine that leverages rar.exe to create a password-protected archive (default password “blank123”) of all collected files, confirming the malware’s secure packaging design.

When executed, Build.exe silently launches PowerShell and CMD commands to run systeminfo, getmac, and tasklist, saving outputs as text files. It captures screenshots as PNG images and enumerates directory contents via tree /A /F.

All artifacts are organized into subdirectories—Credentials, Directories, System—within a %TEMP% workspace. After archiving the workspace into a RAR file, the grabber connects to a Discord webhook or bot named “Blank Grabber” to upload the archive, completing automated exfiltration.
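As an added example that is not part of this article (and not the grabber's own code), the following Python detection logic correlates the behaviour chain described above over constructed process-creation and network events: the recon commands, rar.exe packaging of a %TEMP% workspace, and an upload to a Discord webhook endpoint. The pids, paths and webhook token in the sample events are placeholders, and the event schema is a simplified stand-in for real EDR or Sysmon telemetry.

```python
"""Added example (not the article's or the malware author's code): flag a process
whose activity reproduces the collection chain described above: recon commands,
rar.exe packaging of a %TEMP% workspace, and a Discord webhook upload.
Events are constructed, simplified process-creation and network records."""
import re
from collections import defaultdict

RECON = re.compile(r"\b(systeminfo|getmac|tasklist|tree\s+/a\s+/f)\b", re.I)
PACKAGE = re.compile(r"\brar(\.exe)?\s+a\b.*\s-h?p\S", re.I)  # rar a ... -p<pwd> or -hp<pwd>
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WEBHOOK_HOST = re.compile(r"^discord(app)?\.com$", re.I)

def classify(ev):
    """Map one event to a chain stage, or None when it is not an indicator."""
    if ev["type"] == "process":
        if RECON.search(ev["cmd"]):
            return "recon"
        if PACKAGE.search(ev["cmd"]) and TEMP_DIR.search(ev["cmd"]):
            return "package"
    elif ev["type"] == "network":
        if WEBHOOK_HOST.match(ev["host"]) and "/api/webhooks/" in ev["path"]:
            return "exfil"
    return None

def stages_by_owner(events):
    """Group matched stages under the parent pid of each child process; a
    network event is credited to the connecting pid itself."""
    found = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            found[ev["ppid"] if ev["type"] == "process" else ev["pid"]].add(stage)
    return dict(found)

def flag_chains(events, min_stages=3):
    """Pids whose activity spans at least min_stages distinct stages of the chain."""
    return sorted(p for p, s in stages_by_owner(events).items() if len(s) >= min_stages)

# Constructed sample telemetry: pid 200 behaves like the grabber, pid 300 is an admin shell.
SAMPLE = [
    {"type": "process", "pid": 201, "ppid": 200, "cmd": "cmd.exe /c systeminfo > C:\\Users\\u\\AppData\\Local\\Temp\\ws\\System\\info.txt"},
    {"type": "process", "pid": 202, "ppid": 200, "cmd": "cmd.exe /c getmac"},
    {"type": "process", "pid": 203, "ppid": 200, "cmd": "cmd.exe /c tasklist"},
    {"type": "process", "pid": 204, "ppid": 200, "cmd": "cmd.exe /c tree /A /F C:\\Users\\u"},
    {"type": "process", "pid": 205, "ppid": 200, "cmd": "rar.exe a -pblank123 C:\\Users\\u\\AppData\\Local\\Temp\\ws.rar C:\\Users\\u\\AppData\\Local\\Temp\\ws"},
    {"type": "network", "pid": 200, "host": "discord.com", "path": "/api/webhooks/000/PLACEHOLDER_TOKEN"},
    {"type": "process", "pid": 301, "ppid": 300, "cmd": "systeminfo"},
]
```

Requiring three distinct stages under one parent keeps a lone administrator running systeminfo or tasklist from tripping the rule, while the grabber's full chain still scores.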

External Threat Landscape

Inf0s3c Stealer’s modular architecture, obfuscation routines (Base64 compression, runtime reconstruction), and automated Discord-based exfiltration mirror techniques seen in other projects by the same developer, such as Umbral-Stealer.

Its ability to bypass defenses, maintain persistence, and self-delete underscores a trend toward highly adaptable Python malware.

Security teams should fortify endpoint protection, deploy network egress monitoring to flag anomalous Discord traffic, and engage in threat intelligence sharing to anticipate variant developments.

Inf0s3c Stealer exemplifies the growing sophistication of Python-based information stealers. By combining layered packing, extensive API utilization, structured data collection, encrypted archiving, and covert exfiltration over Discord, it achieves powerful stealth and automation.

Proactive defenses—continuous monitoring, robust endpoint controls, user awareness training, and rapid threat intelligence dissemination—are essential to detect and mitigate emerging variants before significant data losses occur.


Mayura Kathir (https://gbhackers.com/)
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
