MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 2 File information Comments

SHA256 hash:	15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3
SHA3-384 hash:	d5bc5156ee13ef07bd91ee487e900da49b7eefbfd10ab52b3f11aefe489569063330bb644d377139fd3ad54187e522c8
SHA1 hash:	46b72c087796e01c722f89e8b171aceb18e307e2
MD5 hash:	f893f8a1e523d6747287111f777e4738
humanhash:	burger-floor-magazine-papa
File name:	f893f8a1e523d6747287111f777e4738.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	699'904 bytes
First seen:	2024-11-03 13:10:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1370df7dea151b3b0d42359a77acbda (1 x Stealc)
ssdeep	12288:rhLR2jX5IFUtyo6vuTS3dOXaJxGqxg1OgJcr6FJ2wRxcTVsE:rX2jeFUt3Ap3PLdiZnfyBsE
Threatray	160 similar samples on MalwareBazaar
TLSH	T14EE40213E5E2FD7CD5164B368E1DC6E87A3EB5328E582B9F23980A6F0871162D273711
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	020604010a183000 (1 x RedLineStealer, 1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://95.215.207.66/f4e83cc9bf3bad72.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://95.215.207.66/f4e83cc9bf3bad72.php	https://threatfox.abuse.ch/ioc/1340672/

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f893f8a1e523d6747287111f777e4738.exe

Verdict:

Malicious activity

Analysis date:

2024-11-03 13:12:36 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/7c4f6d00-e9f4-4828-ae59-7d0ac5774f32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6727766c8d23d90491331c6c

Tags:

powershell cobalt lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed packed packer_detected xpack

Link:

https://www.filescan.io/uploads/6727766751a47feab46e3021/reports/161c7511-8426-4373-994e-1dea738e6d62/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ef989413-80e6-4674-8fda-6b4e9d595e6c

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1547950

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Self deletion via cmd or bat file

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal ftp login credentials

Yara detected Powershell download and execute

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2024-11-03 13:11:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cw65m2byikgpzd4juxnljw5y454422zur3axbk4jyg26prgsmtbq._file

Verdict:

malicious

Label(s):

stealc

shellcode_loader_002

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:logsdiller credential_access discovery spyware stealer

Link:

https://tria.ge/reports/241103-qext5svgrj/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Stealc

Stealc family

Malware Config

C2 Extraction:

http://95.215.207.66

Verdict:

Malicious

Tags:

stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/3527ac68-7f8e-442a-9d15-437827f0e7f5

Unpacked files

SH256 hash:

81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

MD5 hash:

eda18948a989176f4eebb175ce806255

SHA1 hash:

ff22a3d5f5fb705137f233c36622c79eab995897

Link:

https://www.unpac.me/results/ac23821a-4726-453a-8ef3-808e76aef36c/

SH256 hash:

38ff665fb93643153e3b7a9fb764205eed966b3aebc3de609ebb1a10073866de

MD5 hash:

e00a91ad1ddb9b91b02fc6418dd45dc5

SHA1 hash:

1b5d274d944779fa5d180b79e4631a4169f43805

Detections:

stealc

detect_Mars_Stealer

Link:

https://www.unpac.me/results/ac23821a-4726-453a-8ef3-808e76aef36c/

Parent samples :

cc0aa4599a8a2c620282a1b2671905bb09daeaa43d38d9da21b392cc167a2a1e
a4b31ed53ac8fe9745a554b79d1da3657606ba2ad516bb0e0b4009afcd9637ff
2ccf9348d04d5badaf407aa1a7badd928e4f3cc8850b4854f087891494842d97
ae7c55423a0fba87ed316817cb423b5fd562e88b0b978c3a6f8860142c3e6d7e
4a4880d1b307a8e5aa3b518bcf0e9470b793a8d5b98b068bd2404b1b0d952ede
15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

SH256 hash:

15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

MD5 hash:

f893f8a1e523d6747287111f777e4738

SHA1 hash:

46b72c087796e01c722f89e8b171aceb18e307e2

Link:

https://www.unpac.me/results/ac23821a-4726-453a-8ef3-808e76aef36c/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/15bdd6683842/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 15bdd66838428cfc8f89a5dab4dbb8e779cd6b348ec170ab89c1b5e7c4d264c3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3243375/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3272322/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleInputA KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleInputW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesW KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::GetTempFileNameA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample