MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3
SHA3-384 hash: 572a33e98e6c9a36d45f2efa635dd8cd543270280b4c2a3101daff53d2f445840bfd0e6e7185e02390156445a275fb21
SHA1 hash: 054c541726383f1d70572f72a83ad86061141d64
MD5 hash: edcd9de4254f050ffa56e723be49c0c5
humanhash: august-nuts-floor-lactose
File name:edcd9de4254f050ffa56e723be49c0c5
Download: download sample
Signature Stealc
Create hunting rule
File size:418'960 bytes
First seen:2024-05-07 21:23:47 UTC
Last seen:2024-05-07 22:19:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:AiwMdowCeYkiyh9bGfD7NUwW1ROABchrj9j48Re9TY:AiwQowukiS4iwGROuqrj91
Threatray 5 similar samples on MalwareBazaar
TLSH T12C9412A055BC5708F0BF0B38C9B5E8DA01EE61561A93EA6DCDC164F62A627D513C0BF3
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-05T07:57:30Z
Valid to:2025-05-05T07:57:30Z
Serial number: ef0fc7d9453fa28cef4aa95d4a9964cb
Thumbprint Algorithm:SHA256
Thumbprint: cfc195832b3e404aeb9aac89690078dc0050758e64321369299b3ffa260a361f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
452
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://193.233.132.234/files/setup.exe
Verdict:
Malicious activity
Analysis date:
2024-05-07 04:02:17 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/78703707-d7d0-49c1-b493-e6f2c58aeb74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.26875.13042.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for analyzing tools
Creating a file in the %temp% subdirectories
Modifying a system file
Using the Windows Management Instrumentation requests
Running batch commands
Replacing files
Reading critical registry keys
Launching a service
Launching cmd.exe command interpreter
Blocking the User Account Control
Connection attempt to an infection source
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/663a9bf311114a9ab5e1efb6/reports/8374c783-cfab-4c1f-ab8a-705636b48598/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/eae207d1-a33c-4229-abc6-be708eb43001
Result
Threat name:
PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1437811
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1437811 Sample: bS6MkUwj0r.exe Startdate: 07/05/2024 Architecture: WINDOWS Score: 100 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for URL or domain 2->107 109 Antivirus detection for dropped file 2->109 111 11 other signatures 2->111 10 bS6MkUwj0r.exe 1 4 2->10         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 signatures4 147 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->147 149 Writes to foreign memory regions 10->149 151 Allocates memory in foreign processes 10->151 155 4 other signatures 10->155 19 MSBuild.exe 15 369 10->19         started        24 powershell.exe 23 10->24         started        26 WerFault.exe 10->26         started        30 2 other processes 10->30 153 Tries to delay execution (extensive OutputDebugStringW loop) 13->153 28 WerFault.exe 13->28         started        process5 dnsIp6 97 200.45.93.45 TelecomArgentinaSAAR Argentina 19->97 99 93.103.167.123 T-2-ASASsetpropagatedbyT-2dooSI Slovenia 19->99 103 19 other IPs or domains 19->103 83 C:\Users\...\zXoI8BT5j7tOOFp0OsZGgxdA.exe, PE32 19->83 dropped 85 C:\Users\...\yhvBNZYCj6MI58My5FJ4UBW8.exe, PE32 19->85 dropped 87 C:\Users\...\xjvuknCrNURzYk2zQH3FpVul.exe, PE32 19->87 dropped 89 208 other malicious files 19->89 dropped 135 Installs new ROOT certificates 19->135 137 Drops script or batch files to the startup folder 19->137 139 Creates HTML files with .exe extension (expired dropper behavior) 19->139 143 2 other signatures 19->143 32 aekcQ8qcEP2FLbDiUJtCCRsT.exe 19->32         started        37 Tasi74EzR7zuuFajNk7MQ1ub.exe 19->37         started        39 MMFULDF2l8C3HLvuAG68lPOQ.exe 19->39         started        43 20 other processes 19->43 141 Loading BitLocker PowerShell Module 24->141 41 conhost.exe 24->41         started        101 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->101 file7 signatures8 process9 dnsIp10 91 87.240.137.164 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 32->91 93 95.142.206.0 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 32->93 95 19 other IPs or domains 32->95 67 C:\Users\...\z4tPh0L2xT1SfSdzLOrvttVr.exe, PE32 32->67 dropped 69 C:\Users\...\wLXt3m6qUBQ_OQlQdOtR2EPJ.exe, PE32 32->69 dropped 71 C:\Users\...\vaou1zeayAPyycnA48wEOuQ9.exe, PE32 32->71 dropped 79 29 other malicious files 32->79 dropped 113 Query firmware table information (likely to detect VMs) 32->113 115 Drops PE files to the document folder of the user 32->115 117 Creates HTML files with .exe extension (expired dropper behavior) 32->117 133 6 other signatures 32->133 119 Detected unpacking (changes PE section rights) 37->119 121 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->121 123 Hides threads from debuggers 37->123 125 Found direct / indirect Syscall (likely to bypass EDR) 37->125 127 Tries to detect sandboxes / dynamic malware analysis system (registry check) 39->127 129 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 39->129 73 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->73 dropped 75 C:\Users\user\AppData\Local\...\CastSrv.exe, PE32+ 43->75 dropped 77 C:\Users\user\AppData\Local\...\Install.exe, PE32 43->77 dropped 81 12 other malicious files 43->81 dropped 131 Writes many files with high entropy 43->131 45 Install.exe 43->45         started        48 Install.exe 43->48         started        50 cmd.exe 43->50         started        52 3 other processes 43->52 file11 signatures12 process13 signatures14 157 Multi AV Scanner detection for dropped file 45->157 159 Modifies Windows Defender protection settings 45->159 54 cmd.exe 45->54         started        57 cmd.exe 48->57         started        59 conhost.exe 50->59         started        process15 signatures16 145 Modifies Windows Defender protection settings 54->145 61 conhost.exe 54->61         started        63 forfiles.exe 54->63         started        65 conhost.exe 57->65         started        process17
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3/
Threat name:
ByteCode-MSIL.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-05-07 21:24:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7taicepypfw6b52a5fucadcoi432ocfn4swveed6luocloyfljq._file
Verdict:
malicious
Similar samples:
8408dcfb8751f971ab0f3f4ec16abc52586a90a507ac8e6be0b02219980758f3
Stealc
d09f47363c21f002a615eb6476973cf907eb9c4ab16b1f9aa3909e200665ac45
Stealc
d393c369fcce5b961018081cd6b15105eed1cc2a74ff235beb5439be050393dc
Stealc
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader family:stealc family:zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan
Link:
https://tria.ge/reports/240507-z81ybsge61/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Detect ZGRat V1
Glupteba
Glupteba payload
Modifies firewall policy service
PrivateLoader
Stealc
UAC bypass
Windows security bypass
ZGRat
Malware Config
C2 Extraction:
http://185.172.128.150
Unpacked files
SH256 hash:
0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3
MD5 hash:
edcd9de4254f050ffa56e723be49c0c5
SHA1 hash:
054c541726383f1d70572f72a83ad86061141d64
Link:
https://www.unpac.me/results/7a097d66-30af-485e-8e2a-998fdd45c973/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0fe604088fc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables (downlaoders) containing URLs to raw contents of a paste
Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2842298/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-05-07 21:23:48 UTC

url : hxxp://193.233.132.234/files/newexe.exe