MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0afa4569c1a394ae2f6544f983962af55d2e912a87708a8e6c9d9088b018fdda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Stealc
Vendor detections: 15
| SHA256 hash: | 0afa4569c1a394ae2f6544f983962af55d2e912a87708a8e6c9d9088b018fdda |
|---|---|
| SHA3-384 hash: | 6bc20bbbaea877e814d3ac56dfab5f7f95e9723d94dcd4fede6b562d3448fd68c240bd28a09a3210b4f31153de5903de |
| SHA1 hash: | 141f2e7b9c7f8c750f63ea2bdf7727c8502f2464 |
| MD5 hash: | 9db07be55154176e1818c19ad244c72e |
| humanhash: | mars-eleven-eight-iowa |
| File name: | 9DB07BE55154176E1818C19AD244C72E.exe |
| Download: | download sample |
| Signature | Stealc |
| File size: | 409'600 bytes |
| First seen: | 2024-10-26 07:20:39 UTC |
| Last seen: | 2024-10-26 08:32:34 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 3a3cf377a376176e1689a108901c2ac7 (1 x Stealc) |
| ssdeep | 6144:qAH9kHH9smsdXL6v4emUDpjVK48fnat2MjM7QpP0TU2zkAOzi+5XoZm7GN1l:qAH9msRggemo6nFMw7QqUkkY+eAk |
| Threatray | 305 similar samples on MalwareBazaar |
| TLSH | T18494AE21FA82D0B2C17306308F25EFB556FD7B6049319AA777E85A2D1F744D0DA32B62 |
| TrID | 32.2% (.EXE) Win64 Executable (generic) (10522/11/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4504/4/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | 0ec7830b0f0e4d0b (3 x LummaStealer, 2 x Stealc) |
| Reporter |  abuse_ch |
| Tags: | exe Stealc |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| http://62.204.41.177/edd20096ecef326d.php | https://threatfox.abuse.ch/ioc/1339382/ |
Intelligence
File Origin
# of uploads :
2
# of downloads :
372
Origin country :
NLVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9DB07BE55154176E1818C19AD244C72E.exe
Verdict:
Malicious activity
Analysis date:
2024-10-26 07:33:25 UTC
Tags:
loader stealer stealc
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Exploit Cobalt Extens Trojan
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Sending an HTTP GET request to an infection source
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc overlay shell32 stealc
Verdict:
Malicious
Labled as:
Ser.Fragtor.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Result
Threat name:
Stealc
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Score:
98%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Spyware.Stealc
Status:
Malicious
First seen:
2024-10-17 20:00:13 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
shellcode_loader_002
stealc
Similar samples:
+ 295 additional samples on MalwareBazaar
Result
Malware family:
stealc
Score:
10/10
Tags:
family:stealc botnet:default9_cap discovery stealer
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Stealc
Stealc family
Malware Config
C2 Extraction:
http://62.204.41.177
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Unpacked files
SH256 hash:
0afa4569c1a394ae2f6544f983962af55d2e912a87708a8e6c9d9088b018fdda
MD5 hash:
9db07be55154176e1818c19ad244c72e
SHA1 hash:
141f2e7b9c7f8c750f63ea2bdf7727c8502f2464
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipGetImageEncodersSize gdiplus.dll::GdipGetImageEncoders gdiplus.dll::GdipAlloc |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetTempFileNameW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.