MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CrealStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541
SHA3-384 hash: c75294dae922d08d8cfaa1e535febf38ce16ebcb484e4db45a4fe932c94deabcc12825547b65fa6d59801fe55a913597
SHA1 hash: b6d04d11a840191522280dec62fec4fe32bcc498
MD5 hash: 75b5ea20b576d353e05c273c32d7f5cf
humanhash: batman-zebra-east-oranges
File name:gpt-chat-setup_x64.exe
Download: download sample
Signature CrealStealer
Create hunting rule
File size:10'846'140 bytes
First seen:2023-02-23 16:47:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep 196608:4OenwPwnjMeNFiFJMIDJhgsAGKs4u0RFT1o0W8/LahmytUh4UtJE+:dwwPwnf0FqyhgsaJBW8kg4R+
Threatray 32 similar samples on MalwareBazaar
TLSH T1E2B633B2320004E1F87D4BB72EC6EA7759EDBC7F0AC4598513DC35F4497322099ADA6A
TrID 64.5% (.EXE) InstallShield setup (43053/19/16)
15.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.0% (.ICL) Windows Icons Library (generic) (2059/9)
3.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c8e2eae6e292c2ee (14 x ArkeiStealer, 10 x RedLineStealer, 3 x Vidar)
Reporter Chainskilabs
Tags:CrealStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gpt-chat-setup_x64.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 16:49:25 UTC
Tags:
installer
Link:
https://app.any.run/tasks/26bb542c-c2ca-4f24-b591-22e204692f1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369323/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching a process
Searching for the window
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63f798c5124864afb39daef9/reports/9bdc138c-0e8d-4799-869e-13ffc6eb2951/overview
Verdict:
Malicious
Labled as:
Trojan.Shelm
Link:
https://www.hybrid-analysis.com/sample/73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ef38c98c-510e-4fa5-a04e-2b697e7fb12f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.adwa.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1181469
Signature
Drops PE files to the startup folder
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 814300 Sample: gpt-chat-setup_x64.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 64 38 mercvip.com 2->38 40 lumtest.com 2->40 42 api.telegram.org 2->42 54 Multi AV Scanner detection for submitted file 2->54 56 Uses the Telegram API (likely for C&C communication) 2->56 9 gpt-chat-setup_x64.exe 501 2->9         started        12 MS Excel.exe 501 2->12         started        signatures3 process4 file5 58 Drops PE files to the startup folder 9->58 60 Performs a network lookup / discovery via ARP 9->60 15 gpt-chat-setup_x64.exe 5 9->15         started        30 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 12->30 dropped 32 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->32 dropped 34 C:\Users\user\AppData\Local\...\tk86t.dll, PE32+ 12->34 dropped 36 65 other files (none is malicious) 12->36 dropped signatures6 process7 dnsIp8 44 api.telegram.org 149.154.167.220, 443, 49702, 49703 TELEGRAMRU United Kingdom 15->44 46 104.21.36.191, 443, 49700, 49701 CLOUDFLARENETUS United States 15->46 48 2 other IPs or domains 15->48 28 C:\Users\user\AppData\...\MS Excel.exe, PE32+ 15->28 dropped 50 Tries to harvest and steal browser information (history, passwords, etc) 15->50 52 Performs a network lookup / discovery via ARP 15->52 20 ARP.EXE 1 1 15->20         started        22 cmd.exe 1 15->22         started        file9 signatures10 process11 process12 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541/
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 16:48:31 UTC
File Type:
PE+ (Exe)
Extracted files:
2201
AV detection:
15 of 25 (60.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=opluldzdew2463o4lpjc7osvazkei7fabbwhpzzl727jbgxdmvaq._file
Verdict:
unknown
Similar samples:
08da286f669199a5c2b131f66614bbb3718b159e48885f4a2b1c9af718256dd0
CrealStealer
1e6112420d4e9561e458e074dad3ebed54ae6f759d5c3ae9844c8a61ac7f33d3
CrealStealer
22cb2fba2dde578f61c82ed450c88c9060629fa7736bb7e27a584c97473c0883
CrealStealer
3c1b7eed78ed128b6463c8b6eb35e46b78f2a9946d0b2a093e51630919b5054a
CrealStealer
46999cbbe226041097ff64dce22728d3531b46e004d4facc86ec9cc91118ea36
CrealStealer
75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e
CrealStealer
77555fc73bde72d601c995f884b564d9f12e3577221ffece363c0f8786745dff
CrealStealer
8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0
CrealStealer
a20cc7c8887cad9fce369f6b2113b21958926bdef91f6b544f01bbbbd2b12dc7
CrealStealer
a3d391dac8cecf22acc946063a6c0afe18d3778cbdfc168b96b67fe5c15d9494
CrealStealer
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer upx
Link:
https://tria.ge/reports/230223-va4t4sge88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541
MD5 hash:
75b5ea20b576d353e05c273c32d7f5cf
SHA1 hash:
b6d04d11a840191522280dec62fec4fe32bcc498
Link:
https://www.unpac.me/results/d2222115-9e82-492f-9b3b-66379d4966e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CrealStealer

Executable exe 73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/369323/

Comments