MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 9


Intelligence 9 IOCs YARA 69 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49
SHA3-384 hash: 27e49b169ea894ec7b7f4c49a947e228a5b5dbbce03210b0f2596ed48482923dfd3f4dc230b7e9209e3f88652d0addfb
SHA1 hash: 5be3c3b32d61134cb2380a9e15d1e0468da39415
MD5 hash: ff248a4222851b97d522117737c68be7
humanhash: enemy-mars-tennis-apart
File name:smart1.zip
Download: download sample
Signature Stealc
Create hunting rule
File size:7'245'419 bytes
First seen:2024-08-10 17:11:10 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 196608:MSMjxkmxt+ui5tDAyyr4pF67C40b+a+jkE3F6G8slsY8/uDAvz/b5i:MVjxbt+uibcyOWoW40bV+fAG8Ot8/uks
TLSH T13A76336BD5F18E80BBF48D514AF0291626EECB856EE3157A6CB3436E54D6084CEC1CB8
Reporter aachum
Tags:Stealc zip


Avatar
iamaachum
https://bidvertiser.b-cdn.net/smart1.zip

Stealc C2: http://193.176.153.234/587ec30955d49a9c.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
414
Origin country :
ES ES
File Archive Information

This file archive contains 7 file(s), sorted by their relevance:

File name:Qt5SqlVBox.dll
File size:224'032 bytes
SHA256 hash: eaa9efde1704fa6abbef9878eecfa386e89003f23e07adcaf641a6c741893ba1
MD5 hash: bbc454dfbd919ce1524e75478582c04d
MIME type:application/x-dosexec
Signature Stealc
File name:VBoxSupLib.dll
File size:22'928 bytes
SHA256 hash: 34e8bd19a7dd241a1275a3cf77a8a59a7df1fc529f864f92d8548cc7e0429b26
MD5 hash: 9636cd28f536dd3fb438c866f28610a9
MIME type:application/x-dosexec
Signature Stealc
File name:VBoxSharedFolders.dll
File size:80'104 bytes
SHA256 hash: 45b9bd24a786f5f9eaf3782f1c1d659fccee5e9b6ac941c756c43f09f0d10819
MD5 hash: 93f9f9335e95aebd2c914971c9f6bc58
MIME type:application/x-dosexec
Signature Stealc
File name:VBoxSharedClipboard.dll
File size:69'688 bytes
SHA256 hash: 9fdc76da45016187d325b992b83980227112ba14ed1cb3a2dea8929046163a13
MD5 hash: a802413b13e45c7d526705cbd3974ae5
MIME type:application/x-dosexec
Signature Stealc
File name:VBoxVMM.dll
File size:5'158'168 bytes
SHA256 hash: ddebdb740915cdb367c3adf61d62f7b9cf1c7535cc8edbb7d80c9b8add055afa
MD5 hash: dbfcdd86bda68ab53d8b50329ef713f5
MIME type:application/x-dosexec
Signature Stealc
File name:Qt5PrintSupportVBox.dll
File size:332'992 bytes
SHA256 hash: 056ab54b2a424d420637c2e44463813e7b3247222d7e907a1f34e22b1726ae95
MD5 hash: 6615a634804dfa5071efa1502eda3a2b
MIME type:application/x-dosexec
Signature Stealc
File name:0SmartAssem.exe
File size:14'349'824 bytes
SHA256 hash: 97d308c2b061ca49a8834dfd527a1485442aab95060ad69e54bf034e8a043c67
MD5 hash: 517c4a0a27d1c022a3319af316407810
MIME type:application/x-dosexec
Signature Stealc
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.11143.5910.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b79f65b35234d5cc65c7c2
Tags:
Encryption Static
Result
Verdict:
Suspicious
File Type:
PE File
Link:
https://app.docguard.net/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Threat level:
n/a  -.1/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/66b79f67b1392db6bab1f2d5/reports/f5559d77-1755-41dd-abbd-93f911d2d2eb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49
Score:
50%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-08-10 11:54:31 UTC
File Type:
Binary (Archive)
Extracted files:
28
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aoh22dgrbq6pg3rwicroutaht6b4p5qthzaaib3xhp4ajpa4l5eq._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:cr3 discovery stealer
Link:
https://tria.ge/reports/240810-wr1z8a1cpm/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Stealc
Malware Config
C2 Extraction:
http://193.176.153.234
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

PowerShell (PS) ps1 8d80e5c7d07aef7d4565f4ddc61d3fc5819a5ea68f2d5282e6ae3e5e17d60e3d

Stealc

Executable exe 760b5e6a856d503c20d46f910a2405f51944afef16479ebc0174eb213c2c0132

Stealc

zip 038fad0cd10c3cf36e3640a2ea4c079f83c7f6133e400407773bf804bc1c5f49

(this sample)

Stealc

Executable exe 97d308c2b061ca49a8834dfd527a1485442aab95060ad69e54bf034e8a043c67

  
Link
https://tria.ge/240810-vk4l4ayeqm
  
Dropped by
SHA256 760b5e6a856d503c20d46f910a2405f51944afef16479ebc0174eb213c2c0132
  
Delivery method
Distributed via web download
  
Dropping
SHA256 97d308c2b061ca49a8834dfd527a1485442aab95060ad69e54bf034e8a043c67
  
Dropping
MD5 517c4a0a27d1c022a3319af316407810
  
Dropped by
MD5 d1fe96463bb2db299645b3c39176d006

Comments