MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 15

SHA256 hash: 0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947
SHA3-384 hash: 971bb65dc0df9610fa34b077b29e66dff0acae365e8321efe615ae9563f5136e7ac18c1888b156409771bbd5c5354447
SHA1 hash: d0a7c56f58342dfc1e0a976074544fd5251f5e42
MD5 hash: 8f8f6a36a8b827ceaae1228fd2669002
humanhash: spring-tennessee-coffee-gee
File name: file
Signature: Stealc
File size: 4'611'072 bytes
First seen: 2024-07-20 06:33:09 UTC
Last seen: 2024-07-21 04:16:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82a1160ea6d4db9ad17aacb065a21868 (3 x PrivateLoader, 2 x Stealc, 1 x Stop)
ssdeep: 98304:Ry6lwYZDXZJeoV95KoyxKxQQYj50PvDUXgTYbhGC/Mg:7Z1JV9N8Tj5EDUwTYNGMMg
TLSH: T1D02623D6258A96F8D043C7B4C52278BCB47A3FB2CD741DA73AC93E1B6DB31045C6A285
TrID:
  44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  8.7% (.ICL) Windows Icons Library (generic) (2059/9)
  8.5% (.EXE) OS/2 Executable (generic) (2029/13)
  8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: d4b8c9d8deaef4f8 (1 x Stealc)
Reporter: Bitsight
Tags: exe, Stealc


Reporter comment (Bitsight): url: https://easy2buy.ae/wp-includes/widgets/AppGate018ver1.exe

Intelligence


File Origin
# of uploads: 5
# of downloads: 403
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: a67f6fa1fa32b492f08ae46e187a143d8b107863df119cdb0759b39446827a68.exe
Verdict: Malicious activity
Analysis date: 2024-07-20 11:07:15 UTC
Tags: amadey botnet stealer loader evasion berbew privateloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Replacing files
Sending an HTTP GET request
Launching a service
Launching a process
Reading critical registry keys
Sending a UDP request
Forced system process termination
Blocking the Windows Defender launch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Sending an HTTP GET request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint lolbin packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC, Amadey, Babadeda, LummaC Stealer
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sigma detected: Disable power options
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Stop EventLog
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Babadeda
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected MSILDownloaderGeneric
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
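Several of the signatures above (Windows Defender exclusions and real-time protection changes, powercfg power-option changes, schtasks creation involving the Temp folder, "Stop EventLog", "Very long command line found") describe command lines that can be hunted in process-creation telemetry such as Sysmon Event ID 1 or Security 4688. The Python below is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors; the events it scans are constructed to resemble those behaviours, since the page lists the signature names but not the sample's actual arguments, and the rule names are this example's own.

```python
import re

# Constructed process-creation events modelled on the signature names above.
# None of these command lines is quoted from the report: the page lists the
# behaviours but not the sample's actual arguments.
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local -ExclusionExtension exe,dll"'},
    {"pid": 102, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData /t REG_DWORD /d 0 /f'},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 104, "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg /x -standby-timeout-ac 0 -monitor-timeout-ac 0"},
    {"pid": 105, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "PowerExpertNT" /tr "C:\Users\user\AppData\Local\Temp\PowerExpertNT.exe" /sc onlogon /rl highest /f'},
    {"pid": 106, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop EventLog"},
    # Two benign events and one oversized one, to show the rules do not fire on everything.
    {"pid": 107, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"pid": 108, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Process | Sort-Object CPU"},
    {"pid": 109, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand " + "QUFB" * 800},
]

# One regex per behaviour. Rule names echo the sandbox signatures; they are not vendor rule IDs.
RULES = {
    "defender_exclusion_added": re.compile(
        r"add-mppreference\s.*-exclusion(path|extension|process)"
        r"|\\windows defender\\exclusions\\", re.I),
    "defender_realtime_disabled": re.compile(
        r"set-mppreference\s.*-disablerealtimemonitoring\s+\$?true"
        r"|disable(antispyware|realtimemonitoring)\s.*/d\s+1", re.I),
    "power_options_modified": re.compile(
        r"powercfg(\.exe)?\s.*(standby-timeout|hibernate-timeout|monitor-timeout"
        r"|[-/]h(ibernate)?\s+off)", re.I),
    "scheduled_task_from_temp": re.compile(
        r"schtasks(\.exe)?\s.*/create\s.*\\(temp|appdata)\\", re.I),
    "eventlog_stopped": re.compile(
        r"(sc|net)(\.exe)?\s+stop\s+eventlog|stop-service\s.*eventlog", re.I),
}
MAX_CMDLINE = 2048  # crude stand-in for "Very long command line found"; tune per environment


def match_event(event: dict) -> list:
    """Return the names of every rule the event's command line triggers."""
    cmd = event["cmdline"]
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    if len(cmd) > MAX_CMDLINE:
        hits.append("very_long_command_line")
    return hits


def scan(events) -> dict:
    """Return {pid: [rule, ...]} for every event that triggers at least one rule."""
    result = {}
    for event in events:
        hits = match_event(event)
        if hits:
            result[event["pid"]] = hits
    return result


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The regexes deliberately key on the arguments rather than the image name, because the same Defender change can arrive through powershell.exe, reg.exe or WMIC.exe (all three appear in the process tree below); in production telemetry the parent process and the signing status of the image are the next fields to add.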
Behaviour

Behavior Graph (ID 1477166; sample file.exe; start date 20/07/2024; architecture WINDOWS; score 100), reconstructed from the graph export:

Start node network: service-domain.xyz; api4.check-data.xyz (performs DNS queries to domains with low reputation); 59 other IPs or domains.
Start node signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 34 other signatures.

Process tree:
file.exe
  network: 77.105.133.27:80 (PLUSTELECOM-ASRU, Russian Federation); applyzxcksdia.shop 188.114.96.3:443 (CLOUDFLARENETUS, European Union); 10 other IPs or domains
  dropped: C:\Users\...\uwpIVud1clvFptUiFgQbbIcX.exe (PE32); C:\Users\...\kFR1R6LeJNOVvKrvCPtI5B_x.exe (PE32); C:\Users\...\i7kUZqgfTxbisV2a4qx6tKH7.exe (PE32); 20 other malicious files
  signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Drops PE files to the document folder of the user; Found many strings related to Crypto-Wallets (likely being stolen); 6 other signatures
  uwpIVud1clvFptUiFgQbbIcX.exe
    network: 85.28.47.31 (GES-ASRU, Russian Federation); 77.91.77.81 (FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); 2 other IPs or domains
    dropped: C:\Users\user\DocumentsIDBAFHDGDG.exe (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 13 other files (9 malicious)
    signatures: Detected unpacking (changes PE section rights); Drops PE files to the document folder of the user; Tries to steal Mail credentials (via file / registry access); 7 other signatures
    cmd.exe
      userAAFIJKKEHJ.exe
        dropped: C:\Users\user\AppData\Local\...\explorti.exe (PE32)
        signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 6 other signatures
      conhost.exe
    cmd.exe
      conhost.exe
  QPRDE0Ersq6_gbAzazLp7VgT.exe
    dropped: C:\Users\...\QPRDE0Ersq6_gbAzazLp7VgT.tmp (PE32)
    QPRDE0Ersq6_gbAzazLp7VgT.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32); C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32); 34 other files (23 malicious)
      audiooutputswitcher32_64.exe
        dropped: C:\...\BACKEND Design Tool 7.19.66.exe (PE32)
      audiooutputswitcher32_64.exe
        network: aqgvznu.ru 94.156.8.80 (NET1-ASBG, Bulgaria); 89.105.201.183 (NOVOSERVE-ASNL, Netherlands)
  DLzIuWZG9ZLwNSCCdBYR4lBu.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
    MSBuild.exe
      network: t.me 149.154.167.99 (TELEGRAMRU, United Kingdom); 77.105.132.27 (PLUSTELECOM-ASRU, Russian Federation); 2 other IPs or domains
      dropped: C:\Users\user\AppData\...\warsong[1].exe (PE32); C:\Users\user\AppData\...\djsoftware[1].exe (PE32); C:\ProgramData\BKJDGCGDAA.exe (PE32); C:\ProgramData\BFBGDGIDBA.exe (PE32)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets; Tries to harvest and steal Bitcoin Wallet information
  8 other processes
    dropped: C:\Users\user\AppData\...\PowerExpertNT.exe (PE32); C:\Users\user\AppData\Local\...\Install.exe (PE32); C:\Users\user\AppData\...xtreamFanV5.exe (PE32); 2 other malicious files
    signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Query firmware table information (likely to detect VMs); Contains functionality to inject code into remote processes; 5 other signatures
    Install.exe
      dropped: C:\Users\user\AppData\Local\...\Install.exe (PE32)
      Install.exe
        signatures: Multi AV Scanner detection for dropped file; Very long command line found; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Windows Defender protection settings
        forfiles.exe
          cmd.exe
            signatures: Suspicious powershell command line found
            powershell.exe
              signatures: Modifies Windows Defender protection settings
              WMIC.exe
          conhost.exe
        schtasks.exe
          conhost.exe
    MSBuild.exe
      signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    sc.exe
      2 other processes
    10 other processes
      conhost.exe
      7 other processes
Install.exe
  dropped: C:\Windows\Temp\...\WQDXzFd.exe (PE32)
  signatures: Very long command line found; Modifies Windows Defender protection settings
  powershell.exe
    signatures: Modifies Windows Defender protection settings
    2 other processes
eqtpkqwqodik.exe
  signatures: Multi AV Scanner detection for dropped file; Found direct / indirect Syscall (likely to bypass EDR)
4 other processes
  network: 127.0.0.1
Threat name: Win64.Spyware.Stealc
Status: Malicious
First seen: 2024-07-20 06:34:07 UTC
File Type: PE+ (Exe)
Extracted files: 12
AV detection: 19 of 24 (79.17%)
Threat level: 2/5
Verdict: malicious
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader evasion loader
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
PrivateLoader

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947
MD5 hash: 8f8f6a36a8b827ceaae1228fd2669002
SHA1 hash: d0a7c56f58342dfc1e0a976074544fd5251f5e42
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: Stealc
File: Executable exe 0947872f18afd457962627cd08eae78498cd6ed27219da7f45a294a0e9e6c947 (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

BLint


The following tables provide more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables. Because the sample is reported as packed (see the "packed" tag and the unpacking signatures above), the imports listed under Evidence describe the outer loader stub, not the decrypted payload.

Findings

ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (NX_COMPAT)           high
CHECK_NX                   Missing Non-Executable Memory Protection                   critical
CHECK_TRUST_INFO           Requires Elevated Execution (level:requireAdministrator)   high
Reviews

ID                 Capabilities                       Evidence
COM_BASE_API       Can Download & Execute components  ole32.dll::CoCreateInstance, ole32.dll::CoInitializeSecurity
SHELL_API          Manipulates System Shell           SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API  Can Create Process and Threads     KERNEL32.dll::CreateProcessA, KERNEL32.dll::WriteProcessMemory, KERNEL32.dll::CloseHandle
WIN_BASE_API       Uses Win Base API                  KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API  Can Execute other programs         KERNEL32.dll::WriteConsoleW, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API    Can Create Files                   KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileW, KERNEL32.dll::GetFileAttributesA
WIN_REG_API        Can Manipulate Windows Registry    ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegSetValueExA
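The three header-derived BLint findings above (missing Authenticode, missing NX_COMPAT, requireAdministrator in the manifest) can be reproduced without BLint by reading the PE optional header directly. The Python below is an added example written for this page, not BLint's code and not derived from the sample: it parses DllCharacteristics and the security data directory, approximates the manifest check with a raw byte search (an assumption noted in the code; BLint parses the RT_MANIFEST resource), and exercises itself on a constructed, headers-only PE32+ image rather than on the MalwareBazaar file.

```python
import struct
import sys

# DllCharacteristics bits from winnt.h
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory holding the Authenticode table


def pe_security_properties(data: bytes) -> dict:
    """Pull the header fields behind BLint's CHECK_NX, CHECK_DLL_CHARACTERISTICS
    and CHECK_AUTHENTICODE findings out of a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    cert_off = cert_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "dll_characteristics": dll_chars,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # The security directory holds a file offset, not an RVA; zero means unsigned.
        "authenticode": cert_off != 0 and cert_size != 0,
        # Heuristic (assumption): BLint parses the RT_MANIFEST resource; a raw byte
        # search for the attribute is a cheap stand-in that also works on memory dumps.
        "require_admin": b'level="requireAdministrator"' in data,
    }


def blint_style_findings(props: dict) -> list:
    """Map the properties onto the finding IDs shown in the BLint table above.
    Keying both NX findings off the single NX_COMPAT bit is this example's simplification."""
    findings = []
    if not props["authenticode"]:
        findings.append(("CHECK_AUTHENTICODE", "Missing Authenticode", "high"))
    if not props["nx_compat"]:
        findings.append(("CHECK_DLL_CHARACTERISTICS",
                         "Missing dll Security Characteristics (NX_COMPAT)", "high"))
        findings.append(("CHECK_NX", "Missing Non-Executable Memory Protection", "critical"))
    if props["require_admin"]:
        findings.append(("CHECK_TRUST_INFO",
                         "Requires Elevated Execution (level:requireAdministrator)", "high"))
    return findings


HEADERS_LEN = 64 + 4 + 20 + 240  # DOS header + PE signature + file header + PE32+ optional header


def build_minimal_pe(dll_chars: int, signed: bool, require_admin: bool = False) -> bytes:
    """Constructed, headers-only PE32+ image for exercising the parser offline.
    It is not loadable and is not derived from the sample on this page."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)     # x64, no sections
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    tail = b""
    if require_admin:
        tail += b'<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    if signed:
        # WIN_CERTIFICATE stub: dwLength, wRevision=0x0200, wCertificateType=PKCS#7, fake body
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"\0" * 16
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         HEADERS_LEN + len(tail), len(cert))
        tail += cert
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, signed=False)
    props = pe_security_properties(image)
    print("DllCharacteristics=0x%04x" % props["dll_characteristics"])
    for fid, title, severity in blint_style_findings(props):
        print("%-26s %-60s %s" % (fid, title, severity))
```

A present security directory only proves a certificate table is attached; whether the signature verifies, and who signed, still needs a full Authenticode check (for instance signtool or osslsigncode). Likewise, a missing NX_COMPAT bit on a packed loader says nothing about the protections of the payload it later writes into memory.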
