MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06
SHA3-384 hash: 4c784269d20a7b0d23e0247f34c63c5c072879cdf7b4c2e62ae86c31cf49961165c28b1a2d9be74c5d35c17148182715
SHA1 hash: 6b42ef81376c6cca75b0f1ce4af5ecea7712f58b
MD5 hash: 9d52b22191c3c662c740429c4688c513
humanhash: fruit-east-tennessee-alabama
File name:9d52b22191c3c662c740429c4688c513.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:5'427'712 bytes
First seen:2023-03-18 02:15:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20fcca9c4f6d6a96b55e9305c9ac59ff (3 x RedLineStealer, 2 x Tofsee, 2 x LaplasClipper)
ssdeep 98304:gIIrdTmRtD/+0BzJEw07PY5lBOY7d+c7zyVOCBRwihbmjEIgjB:gIyRmRl793uPqr1aL9u
Threatray 1'212 similar samples on MalwareBazaar
TLSH T1EC46237323651045D1F688398927FCC532F21E6D7E92987978E5FACA3A718F0AB03953
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon fcf4ccccdcdcccd8 (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
185.244.182.218:18742

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d52b22191c3c662c740429c4688c513.exe
Verdict:
Malicious activity
Analysis date:
2023-03-18 02:16:34 UTC
Tags:
evasion opendir privateloader
Link:
https://app.any.run/tasks/f7c3d111-7982-4067-886c-290224a67084

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375245/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Modifying a system file
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Replacing files
Launching a service
Launching a process
Reading critical registry keys
Creating a file
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun greyware packed shell32.dll strictor zusy
Link:
https://www.filescan.io/uploads/64151ee4da1bbe29caf8e737/reports/3c642bcf-1ccc-4c5b-a577-14e653993271/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/619c5ddb-9fbc-4bab-b47b-be1f25bd2aff
Result
Threat name:
Amadey, Nymaim, RedLine, SmokeLoader, St
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1196443
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates an autostart registry key pointing to binary in C:\Windows
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Costura Assembly Loader
Yara detected Nymaim
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 829340 Sample: 7rSoC1BfML.exe Startdate: 18/03/2023 Architecture: WINDOWS Score: 100 134 Snort IDS alert for network traffic 2->134 136 Multi AV Scanner detection for domain / URL 2->136 138 Malicious sample detected (through community Yara rule) 2->138 140 24 other signatures 2->140 8 7rSoC1BfML.exe 11 75 2->8         started        process3 dnsIp4 114 94.142.138.113, 49695, 80 IHOR-ASRU Russian Federation 8->114 116 vk.com 87.240.129.133, 443, 49699, 49700 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 8->116 118 19 other IPs or domains 8->118 58 C:\Users\...\yB_l2EC5rLqSbcaPmIZJyVDD.exe, PE32 8->58 dropped 60 C:\Users\...\tKwW25qaNJngcHUZ66b9_eli.exe, MS-DOS 8->60 dropped 62 C:\Users\...\sG7I8IX5FEKgsLE3HgUwZZJh.exe, PE32 8->62 dropped 64 26 other malicious files 8->64 dropped 164 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->164 166 Creates HTML files with .exe extension (expired dropper behavior) 8->166 168 Disables Windows Defender (deletes autostart) 8->168 170 3 other signatures 8->170 13 sG7I8IX5FEKgsLE3HgUwZZJh.exe 8->13         started        16 bZa2b35VCRETnsaBnFDb_cJM.exe 8->16         started        18 CyI2HaCjMNNs9L2SuvruN0TS.exe 18 8->18         started        22 14 other processes 8->22 file5 signatures6 process7 dnsIp8 66 C:\Windows\Temp\321.exe, PE32 13->66 dropped 68 C:\Windows\Temp\1234.exe, PE32 13->68 dropped 70 C:\Windows\Temp\123.exe, PE32 13->70 dropped 24 1234.exe 13->24         started        27 123.exe 13->27         started        29 321.exe 13->29         started        72 C:\Users\user\AppData\Local\...\is-P4G6H.tmp, PE32 16->72 dropped 31 is-P4G6H.tmp 16->31         started        98 45.87.154.30 ASN-POSTLTDRU Russian Federation 18->98 74 C:\Users\user\AppData\...\BKKKFCFIIJ.exe, PE32 18->74 dropped 76 C:\Users\user\AppData\Local\...\lap[1].exe, PE32 18->76 dropped 142 Tries to steal Mail credentials (via file / registry access) 18->142 144 Tries to harvest and steal browser information (history, passwords, etc) 18->144 146 Tries to steal Crypto Currency Wallets 18->146 100 149.154.167.99 TELEGRAMRU United Kingdom 22->100 102 179.43.187.15 PLI-ASCH Panama 22->102 104 7 other IPs or domains 22->104 78 C:\Users\user\AppData\Local\...\kino2271.exe, PE32 22->78 dropped 80 C:\Users\user\AppData\Local\...\ge467228.exe, PE32 22->80 dropped 82 2 other malicious files 22->82 dropped 148 Query firmware table information (likely to detect VMs) 22->148 150 Writes to foreign memory regions 22->150 152 Allocates memory in foreign processes 22->152 154 4 other signatures 22->154 34 Install.exe 22->34         started        36 kino2271.exe 22->36         started        38 chrome.exe 22->38         started        41 5 other processes 22->41 file9 signatures10 process11 dnsIp12 156 Writes to foreign memory regions 24->156 158 Allocates memory in foreign processes 24->158 160 Injects a PE file into a foreign processes 24->160 43 RegSvcs.exe 24->43         started        47 WerFault.exe 24->47         started        49 RegSvcs.exe 27->49         started        51 WerFault.exe 27->51         started        84 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->84 dropped 86 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 31->86 dropped 88 C:\...\unins000.exe (copy), PE32 31->88 dropped 96 6 other files (4 malicious) 31->96 dropped 53 FRec317.exe 31->53         started        90 C:\Users\user\AppData\Local\...\Install.exe, PE32 34->90 dropped 162 Multi AV Scanner detection for dropped file 34->162 92 C:\Users\user\AppData\Local\...\kino5947.exe, PE32 36->92 dropped 94 C:\Users\user\AppData\Local\...\en518890.exe, PE32 36->94 dropped 106 js.arcgis.com 18.165.183.40 MIT-GATEWAYSUS United States 38->106 108 18.165.183.51 MIT-GATEWAYSUS United States 38->108 112 13 other IPs or domains 38->112 110 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 41->110 file13 signatures14 process15 dnsIp16 120 ip-api.com 208.95.112.1 TUT-ASUS United States 43->120 122 84.252.73.140 SUPERSERVERSDATACENTERRU Russian Federation 43->122 124 46.173.218.172 GARANT-PARK-INTERNETRU Russian Federation 43->124 172 Creates an autostart registry key pointing to binary in C:\Windows 43->172 126 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 47->126 128 45.12.253.56 CMCSUS Germany 53->128 130 45.12.253.72 CMCSUS Germany 53->130 132 45.12.253.75 CMCSUS Germany 53->132 56 C:\Users\user\AppData\Roaming\...\dx7Uz.exe, PE32 53->56 dropped file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 13:44:33 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=at6tpfebjby3gh7paafvdzi3nqqk25sgwpduuwc2m2hzltyu7ida._file
Verdict:
malicious
Similar samples:
23c07eb780fc204fc9a5affdb4247fe72d1fdf10e081bf8095a5e2fd597422c4
Stealc
3e8ac08892d633b002ebe862b10025b870e33a7a69435886c2203aa352fd2025
Stealc
5ca0e870b471602e5a5fd8e99d7e1821f12bcdccbd86bfbb240627895ad36419
Stealc
67a95e8478140adae734fd001ef1604be1370201df0c7897c42fae643730c7c3
Stealc
7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97
Stealc
844b92d102379990f96dd712b1eb2ade90bee0412333a11a74f77723ff4f91f9
Stealc
90f43bc5d73e312d03e295e766747937ffd2d12a76463f0cb56a43d3f1a1faed
Stealc
a777c3095983c8f298af961c4414ca0d6daa942f6136f4a8c950f11cf13fb1b2
Stealc
d9138283041d58f85b1e3a19e450bd26e8dac1df4e1a5a9df44fd7b7ec9ac06a
Stealc
de905b4833434a3f8065f6b05b28b0d44465386052f86223fbdacd53b0278986
Stealc
+ 1'202 additional samples on MalwareBazaar
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader loader spyware stealer
Link:
https://tria.ge/reports/230318-cp5qvach7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
PrivateLoader
Unpacked files
SH256 hash:
b8c79aed0522cea8bdd2193949458ae3f6405de63ba7913aed19971ca136a365
MD5 hash:
b01ee809dac6233132c8ebd838bbbddf
SHA1 hash:
bb14adcc3a7420a2f18a5839b090dbfedb4957ba
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/94222eda-e754-48c6-9168-f04a38dd98d4/
SH256 hash:
04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06
MD5 hash:
9d52b22191c3c662c740429c4688c513
SHA1 hash:
6b42ef81376c6cca75b0f1ce4af5ecea7712f58b
Link:
https://www.unpac.me/results/94222eda-e754-48c6-9168-f04a38dd98d4/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/04fd37948148/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04fd3794814871b31fef000b51e51b6c20ad7646b3c74a585a668f95cf14fa06

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/375245/

Comments