MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6
SHA3-384 hash: 7d4b5dcf563caad30ccfb9f59980ec661ca839a0084af21121211f058856eb9047f0991ac797bfbe8e8e86bdf22e949c
SHA1 hash: a970b37799da109ff1d492df81c4b64fc6c0e595
MD5 hash: 6de6ae7b51d7e7644c988406829b0331
humanhash: carolina-grey-purple-lake
File name:6de6ae7b51d7e7644c988406829b0331.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:5'871'856 bytes
First seen:2024-02-23 16:31:10 UTC
Last seen:2024-02-23 18:23:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 39389b46d0fc73ab23c0909b184bbcf1 (1 x Stealc, 1 x Glupteba)
ssdeep 98304:cj0ivwXuhNqQZBlnOAiu5lbntsjZVrV3JCeeAmWAVF3fj1JaTIkn81eVAxbSmo0W:XiVhBb1lL5d6j/rFFeZxFL1JaMkn8pSf
TLSH T14246336F2391AC41E7576DBACB281EC40B66FB7448E5917EF20F14E4690A31DEBE3205
TrID 45.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
0.0% (.TAR) TAR - Tape ARchive (directory) (10/3)
Reporter abuse_ch
Tags:exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-02-23T03:18:34Z
Valid to:2025-02-23T03:18:34Z
Serial number: 7946b95569da46c3bd8d1c52f502aac1
Thumbprint Algorithm:SHA256
Thumbprint: 4274684a8befac2078c8d28ff79e26e41c1af5a74827372ac7849d1ca21276ad
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
394
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477553/
Detection(s):
SecuriteInfo.com.Win64.CrypterX-gen.26189.32050.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hacktool overlay packed
Link:
https://www.filescan.io/uploads/65d8c88722703c3491acd2a4/reports/38aebf13-ba8c-4a36-97ed-eec4d65ffd6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5e8d5bc8-53b9-4142-95da-a501d686b0b8
Result
Threat name:
Glupteba, Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.rans.phis.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1397835
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1397835 Sample: tZ3J64yk2i.exe Startdate: 23/02/2024 Architecture: WINDOWS Score: 100 178 Malicious sample detected (through community Yara rule) 2->178 180 Antivirus detection for dropped file 2->180 182 Multi AV Scanner detection for dropped file 2->182 184 10 other signatures 2->184 10 tZ3J64yk2i.exe 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        process3 signatures4 190 Query firmware table information (likely to detect VMs) 10->190 192 Writes to foreign memory regions 10->192 194 Allocates memory in foreign processes 10->194 196 4 other signatures 10->196 17 jsc.exe 15 48 10->17         started        22 WerFault.exe 19 16 10->22         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        process5 dnsIp6 144 107.167.110.216 OPERASOFTWAREUS United States 17->144 146 185.172.128.109 NADYMSS-ASRU Russian Federation 17->146 150 10 other IPs or domains 17->150 96 C:\Users\...\wGQrZc5zFGL2vjvS5dvnSl04.exe, PE32 17->96 dropped 98 C:\Users\...\vk9etvZuptTQzCj8E3JlqkIc.exe, PE32 17->98 dropped 100 C:\Users\...\tLfG7mZ44eLWFTyhgt6CRDC4.exe, PE32 17->100 dropped 102 36 other malicious files 17->102 dropped 186 Drops script or batch files to the startup folder 17->186 188 Creates HTML files with .exe extension (expired dropper behavior) 17->188 28 5O8TXENpIkap0NJ42kLZjekR.exe 50 17->28         started        33 3o2Idwtbx8zpYdIZNEWhHYeh.exe 1 35 17->33         started        35 wGQrZc5zFGL2vjvS5dvnSl04.exe 17->35         started        37 9 other processes 17->37 148 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->148 file7 signatures8 process9 dnsIp10 152 107.167.110.217 OPERASOFTWAREUS United States 28->152 154 107.167.125.189 OPERASOFTWAREUS United States 28->154 160 5 other IPs or domains 28->160 124 Opera_installer_2402231656296162836.dll, PE32 28->124 dropped 136 8 other malicious files 28->136 dropped 198 Writes many files with high entropy 28->198 39 5O8TXENpIkap0NJ42kLZjekR.exe 28->39         started        42 Assistant_107.0.5045.21_Setup.exe_sfx.exe 28->42         started        44 5O8TXENpIkap0NJ42kLZjekR.exe 28->44         started        46 5O8TXENpIkap0NJ42kLZjekR.exe 28->46         started        156 185.172.128.127 NADYMSS-ASRU Russian Federation 33->156 158 185.172.128.90 NADYMSS-ASRU Russian Federation 33->158 162 2 other IPs or domains 33->162 126 C:\Users\user\AppData\Local\...\nstDE26.tmp, PE32 33->126 dropped 128 C:\Users\user\AppData\Local\...\INetC.dll, PE32 33->128 dropped 138 2 other malicious files 33->138 dropped 48 nstDE26.tmp 33->48         started        52 BroomSetup.exe 33->52         started        130 C:\Users\...\wGQrZc5zFGL2vjvS5dvnSl04.tmp, PE32 35->130 dropped 54 wGQrZc5zFGL2vjvS5dvnSl04.tmp 35->54         started        132 C:\Users\...\Lu3Rvfpt4MnEMAceNOEmMLPR.tmp, PE32 37->132 dropped 134 Opera_installer_2402231656352041268.dll, PE32 37->134 dropped 140 3 other malicious files 37->140 dropped 200 Detected unpacking (changes PE section rights) 37->200 202 Detected unpacking (overwrites its own PE header) 37->202 204 Found Tor onion address 37->204 206 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->206 56 Lu3Rvfpt4MnEMAceNOEmMLPR.tmp 37->56         started        58 10 other processes 37->58 file11 signatures12 process13 dnsIp14 110 24 other malicious files 39->110 dropped 60 5O8TXENpIkap0NJ42kLZjekR.exe 39->60         started        112 6 other malicious files 42->112 dropped 104 Opera_installer_2402231656314201712.dll, PE32 44->104 dropped 106 Opera_installer_2402231656331765832.dll, PE32 46->106 dropped 142 185.172.128.145 NADYMSS-ASRU Russian Federation 48->142 114 12 other files (8 malicious) 48->114 dropped 164 Detected unpacking (changes PE section rights) 48->164 166 Detected unpacking (overwrites its own PE header) 48->166 168 Tries to steal Mail credentials (via file / registry access) 48->168 176 3 other signatures 48->176 170 Multi AV Scanner detection for dropped file 52->170 63 cmd.exe 52->63         started        116 9 other files (8 malicious) 54->116 dropped 172 Modifies Chrome's extension installation force list 54->172 174 Writes many files with high entropy 54->174 66 taskkill.exe 54->66         started        68 taskkill.exe 54->68         started        108 C:\Users\user\AppData\Local\...\shlwapi.dll, PE32+ 56->108 dropped 118 6 other files (4 malicious) 56->118 dropped 70 taskkill.exe 56->70         started        72 taskkill.exe 56->72         started        120 2 other malicious files 58->120 dropped 74 powershell.exe 58->74         started        76 conhost.exe 58->76         started        78 5 other processes 58->78 file15 signatures16 process17 file18 122 Opera_installer_2402231656359455820.dll, PE32 60->122 dropped 208 Uses schtasks.exe or at.exe to add and modify task schedules 63->208 80 conhost.exe 63->80         started        82 chcp.com 63->82         started        84 schtasks.exe 63->84         started        86 conhost.exe 66->86         started        88 conhost.exe 68->88         started        90 conhost.exe 70->90         started        92 conhost.exe 72->92         started        94 conhost.exe 74->94         started        signatures19 process20
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6/
Threat name:
Win64.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-02-23 06:58:45 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cfaocon337mrlq6yn2w42znkrvsd4sqkudgv3hstnmnyyuuk4tta._file
Verdict:
unknown
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc dropper evasion loader stealer trojan upx
Link:
https://tria.ge/reports/240223-t1y6waec2t/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Executes dropped EXE
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Glupteba
Glupteba payload
Stealc
Malware Config
C2 Extraction:
http://185.172.128.145
Unpacked files
SH256 hash:
1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6
MD5 hash:
6de6ae7b51d7e7644c988406829b0331
SHA1 hash:
a970b37799da109ff1d492df81c4b64fc6c0e595
Link:
https://www.unpac.me/results/754863bf-fbb8-4ef1-b0ad-9f0814f4a461/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1140e139bbdf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 1140e139bbdfd915c3d86eadcd65aa8d643e4a0aa0cd5d9e536b1b8c528ae4e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2754067/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/477553/

Comments