MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1676f89a9e958079df53c985b55673571919e572e311202b8415fe0417e534ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 11



SHA256 hash: 1676f89a9e958079df53c985b55673571919e572e311202b8415fe0417e534ad
SHA3-384 hash: 3b0e129be4ab59b23449a172105b877d6f7141c2da951c1f0649dead1fc041be3c68d2f740a76a62b7e8cfb27c73ae5e
SHA1 hash: 81c7e7d550b8b1ae289773ada8b690b695d4012a
MD5 hash: f26dcd30bef759d312b803a58f792c77
humanhash: virginia-april-jupiter-ack
File name: 1719520929.094843_setup.exe
Signature: Stealc
File size: 4'323'824 bytes
First seen: 2024-06-28 19:12:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 448b6888b26145ced7ce018aab459303 (4 x PrivateLoader, 2 x RiseProStealer, 2 x Stealc)
ssdeep: 98304:/ABnPScPqMgYg7+LZAF1shVykb+1Ul44PbC4ypCuw+Rajaksx:/ePS6qMgYU+KshVyk+u64D9uw/aks
TLSH: T1691612922582C5F8D041CBB0C543B0FD727DBF54CC659887BA997E68BD73A05EE32A42
TrID: 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      8.7% (.ICL) Windows Icons Library (generic) (2059/9)
      8.5% (.EXE) OS/2 Executable (generic) (2029/13)
      8.4% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: c0d0d1e08cc0d060 (1 x Stealc)
Reporter: Chainskilabs
Tags: exe Stealc

Intelligence


File Origin
# of uploads: 1
# of downloads: 452
Origin country: RO
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Creating synchronization primitives
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Launching a service
Launching a process
Sending a UDP request
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Reading critical registry keys
Forced system process termination
Blocking the Windows Defender launch
Connection attempt to an infection source
Adding exclusions to Windows Defender
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: LummaC Stealer, Mars Stealer, PrivateLoa
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies power options to not sleep / hibernate
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Disable power options
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected Mars stealer
Yara detected Powershell download and execute
Yara detected PrivateLoader
Yara detected PureLog Stealer
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1464455; sample 1719520929.094843_setup.exe; start date 28/06/2024; architecture WINDOWS; score 100): graph rendering omitted.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-06-27 23:44:10 UTC
File Type: PE+ (Exe)
Extracted files: 27
AV detection: 18 of 24 (75.00%)
Threat level: 2/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in System32 directory
Looks up external IP address via web service
Modifies firewall policy service
Unpacked files
SHA256 hash: 1676f89a9e958079df53c985b55673571919e572e311202b8415fe0417e534ad
MD5 hash: f26dcd30bef759d312b803a58f792c77
SHA1 hash: 81c7e7d550b8b1ae289773ada8b690b695d4012a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: Check_OutputDebugStringA_iat
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Mars_Stealer
Author: @malgamy12
Description: detect_Mars_Stealer
Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.
Rule name: EXE_Vidar_May_2024
Author: NDA0E
Description: Detects Vidar payload
Rule name: has_telegram_urls
Author: Aaron DeVera <aaron@backchannel.re>
Description: Detects Telegram URLs
Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Author: ditekSHen
Description: Detect binaries embedding considerable number of MFA browser extension IDs.
Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: malware_Stealc_str
Author: JPCERT/CC Incident Response Group
Description: Stealc infostealer
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Trojan_Stealc_b8ab9ab5
Author: Elastic Security
Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                   | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                    | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (NX_COMPAT)        | high
CHECK_NX                  | Missing Non-Executable Memory Protection                | critical
CHECK_TRUST_INFO          | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID           | Capabilities                      | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
WIN_BASE_API | Uses Win Base API                 | KERNEL32.dll::LoadLibraryA
