MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4
SHA3-384 hash: 8db55047459ad2c1df995889cf79cbc02fb8c1b992c2bd2cbefc6f82e34942888a0a0f23c2969a9de4d359adc4293bd1
SHA1 hash: 15744c97538400363e3b7bb9c14cb22a3aec1160
MD5 hash: b2a4bdc775e76df1bdf3ed2b0961e24f
humanhash: asparagus-happy-maine-violet
File name:Dcmhpa.bin
Download: download sample
Signature Stealc
Create hunting rule
File size:4'148'424 bytes
First seen:2023-05-30 08:22:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:2Z7oJCPSa/92r9OeVGxEl4aZ9eaC4haQdcuUzOLFOd2mqFQuOQ+pI:2Z7MCPDcJOANer9z8OdlUQul+O
Threatray 42 similar samples on MalwareBazaar
TLSH T10616122DF6E8101ED309BD35C9D34658B95744FB0200E66F9FD8B05BA10F669A3CEBA1
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e8ccf0aa8eaab2cc (1 x Stealc, 1 x Amadey)
Reporter JAMESWT_WT
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Office_Setup_v2.65.exe
Verdict:
Malicious activity
Analysis date:
2023-05-29 18:51:04 UTC
Tags:
installer stealc trojan stealer loader
Link:
https://app.any.run/tasks/ee010ff5-ebab-4fb1-ab21-30fdf7d25e8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393434/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.17118.18590.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6475b266e464780675a78a38/reports/cc4f12f1-5c86-4024-a1b2-c0ea764dd64c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/692b828d-e6e2-4b3a-b2eb-0e72f18fcd26
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245002
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878009 Sample: Dcmhpa.bin.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic 2->30 32 Found malware configuration 2->32 34 Antivirus detection for URL or domain 2->34 36 7 other signatures 2->36 8 Dcmhpa.bin.exe 4 2->8         started        process3 file4 26 C:\Users\user\AppData\...\Dcmhpa.bin.exe.log, ASCII 8->26 dropped 38 Encrypted powershell cmdline option found 8->38 40 Self deletion via cmd or bat file 8->40 42 Found evasive API chain (may stop execution after checking locale) 8->42 44 2 other signatures 8->44 12 Dcmhpa.bin.exe 16 8->12         started        16 powershell.exe 16 8->16         started        signatures5 process6 dnsIp7 28 179.43.162.125, 49684, 80 PLI-ASCH Panama 12->28 46 Tries to steal Mail credentials (via file / registry access) 12->46 48 Self deletion via cmd or bat file 12->48 50 Tries to harvest and steal browser information (history, passwords, etc) 12->50 52 Tries to steal Crypto Currency Wallets 12->52 18 cmd.exe 1 12->18         started        20 conhost.exe 16->20         started        signatures8 process9 process10 22 conhost.exe 18->22         started        24 timeout.exe 1 18->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 19:15:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=advwze7q3diopi3i5b2f4cxxvvnwqw7xrfkvxgiegp2jyqyid7sa._file
Verdict:
malicious
Similar samples:
1e32754c58c05364d4948c25cb1a1bc6ca99e63353dd5980b52ba3d5cc02fd6c
Stealc
2e4b741045b4b37e50fa55678d713e6a63b87df0f5dc912b90c1487a8e9fcc85
Stealc
32710d6d01f3d637eea39e90247dce8e2007bd9acb91c685713c7f0a1df5ed76
Stealc
4c39950215fb5cfb06df1245ed6544b82430e970e98e1e8d592e2c414e8d9ea6
Stealc
5f07f9ce603f4916b0bebb4c3491273056382d8143edd78b081d5500e0ef9483
Stealc
ad1631eef269b7dd54df995000b702d36e5e278ba0277be7252e294f7517b662
Stealc
b7178573c2e0e321c549d07d474ca385d516675ade291cab6dbe2ebd222f46b2
Stealc
c1f70d82d56a3ddf30730e0ccd8f0e25ec7c6e7489b1ec4d5cc680e91508f239
Stealc
d182fa757e7b1a39ae31bb165ff358931a5454115363bd636faeeb41e2aee3c1
Stealc
db382f9a496a46db8d4eaa52ff67355a1d54ccf8531ba6d5ef06c5b445d5d436
Stealc
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230530-j944dagg61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/3f32adf9-4961-4181-a4c7-7be57049dbd4/
SH256 hash:
b8b7f8e7b11a39920b4b329fcfb2a53d0e5ae5b563302f510ac23854bc0a1552
MD5 hash:
8a3fa71798b3e4dc03f29a33990373d4
SHA1 hash:
b048b84b218499922ae3cc12de4b2940081e6179
Detections:
win_stealc_w0
Create hunting rule
win_stealc_auto
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/3f32adf9-4961-4181-a4c7-7be57049dbd4/
SH256 hash:
06abc0d0a903f512a60c635d547edc38424848b92cb419ee9336fe2ceb4de197
MD5 hash:
65add6836c5896622f5b2e877f3d96fd
SHA1 hash:
6c7df0fa0f8f958462401715c192f4374a7b83d7
Link:
https://www.unpac.me/results/3f32adf9-4961-4181-a4c7-7be57049dbd4/
SH256 hash:
00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4
MD5 hash:
b2a4bdc775e76df1bdf3ed2b0961e24f
SHA1 hash:
15744c97538400363e3b7bb9c14cb22a3aec1160
Link:
https://www.unpac.me/results/3f32adf9-4961-4181-a4c7-7be57049dbd4/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00eb6c93f0d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00eb6c93f0d8d0e7a368e8745e0af7ad5b685bf789555b990433f49c43081fe4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393434/

Comments