MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9
SHA3-384 hash:	740cc12b685caf4d4c597c17438ca4f2e55dc68704b2f6b2cc607ac55eb83afc2aa067b05f28603a400df8eb4220fca6
SHA1 hash:	5b133899a53375e5d97540fba94a57a065bd8927
MD5 hash:	6162ac18a404aca27ee981ce4231df59
humanhash:	lake-lima-diet-video
File name:	6162ac18a404aca27ee981ce4231df59.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	266'752 bytes
First seen:	2024-05-10 07:45:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7728fdfee954e106d39411e9e7e8ccc0 (2 x LummaStealer, 1 x Stealc)
ssdeep	6144:oS/IbfGEBTZIkhQ0/CMAb8zfJXKbTYeJK:XgbJZIk6MjhXwdJK
TLSH	T11B44AD216690EC21CF5647338A35C2E46A6ABF6C5B7461BE7244BBCF1973EF0E252305
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.9% (.EXE) Win32 Executable (generic) (4504/4/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64d29a9891998989 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe

Verdict:

Malicious activity

Analysis date:

2024-05-09 07:31:02 UTC

Tags:

loader gcleaner

Link:

https://app.any.run/tasks/37549896-74a4-474f-a66b-0a9f94497f7c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Windigo-10028444-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Connection attempt to an infection source

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint

Link:

https://www.filescan.io/uploads/663dd0c2b8652ad994a48dcb/reports/32e48980-7003-4e95-ba3c-dd6f235887c6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33721463-dc6c-4910-886d-77c24d866404

Result

Threat name:

Mars Stealer, PrivateLoader, Stealc, Vid

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1439390

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Mars stealer

Yara detected PrivateLoader

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2024-05-09 07:46:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajbjj4rkfehf4fzjlfwet4sqtfk7gapssedp4d3hie7x4kui6lmq._file

Verdict:

malicious

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/240510-jly78aed85/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://185.172.128.150

Unpacked files

SH256 hash:

18f53dd06e6d9d5dfe1b60c4834a185a1cf73ba449c349b6b43c753753256f62

MD5 hash:

8022ef84cfe9deb72b1c66cd17cac1cd

SHA1 hash:

a952b1ed963346d5029a9acb3987d5e3a65c47a3

Detections:

stealc

win_stealc_auto

Link:

https://www.unpac.me/results/df3f926a-bf70-41ce-9270-307acf1ed1db/

Parent samples :

f98a232e9e666e4af8894757f171505040762677b4fcfa4e00269ea548ca13f7
6760a4705383711ee29812a1e6f56b8d60c48a5375382025ce98ad4d0f2893ac
52aa0c072e5c7fef19391a933cb34b085bf34d258d3fd7603a99907b262d547d
fc78e8de8a0ef72dba38b06c7f884087a37db530035976a88a230fe0c683c4cc
508baf86ec9cd4c0ed812dfa9cbdd444a14a54de40f50543d71b21b052da72d2
a825b92f75bda1a0ab93970d92a09b91c04ea7cccae4c7524b2fa4aa9108ffbd
7da7503189aac8a6be5b013858eb04b2e4c2e605c0c39b7a19279fca10241261
091f1847e19348057903f9118cbffe6c61eb097deb75ccfd9faa19f4f2566a37
40aafb9123cf17b680ab9bf168950a073d7c1c703af7f61cf3b6ab907ec4244a
2144c4137bde2e41c2cd63b8c509889c33b564f6a9bc40f0c2dfb8edad66026b
d37f54aa31485a49ae8d66d29e1d235cad52c576403da0785b82df6dab97db29
49367aa06446dda922e9fff631a7e35bd85555f5e6554d22728d69c543111b82
dce56b03d138ced62c5137c164d18240efe3e4a084c70547614b657e2049c6af
024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9
7dbf762b2ef2b651a4e8c7b7d9b8996a1de0cfa44119452f1d3f29bfe03dfd86

SH256 hash:

024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9

MD5 hash:

6162ac18a404aca27ee981ce4231df59

SHA1 hash:

5b133899a53375e5d97540fba94a57a065bd8927

Link:

https://www.unpac.me/results/df3f926a-bf70-41ce-9270-307acf1ed1db/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 024294f22a290e5e1729596c49f2509955f301f29106fe0f67413f7e2a88f2d9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2803113/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleScreenBufferSize KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample