MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 12

Intelligence 12 IOCs YARA 11 File information Comments 1

SHA256 hash:	1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20
SHA3-384 hash:	c637d4fbfe8c11412d4bbb9b498659c9e067337f2465bad77ce39f82ed0a3b362cc86fb923fa33597a4a95651d9764b4
SHA1 hash:	403343881d8440f0cae73e82bc41b32c8b9d4816
MD5 hash:	3011d8256ead8820223359556ec2c85b
humanhash:	nine-single-queen-moon
File name:	3011d8256ead8820223359556ec2c85b.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	369'152 bytes
First seen:	2023-03-22 10:15:50 UTC
Last seen:	2023-03-22 12:51:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c3df3d0d993bdeac73a0f5fd62093e4d (6 x Gozi, 3 x Stealc, 3 x LaplasClipper)
ssdeep	3072:040TlxQfw/y/7juaehfHY1Agbv6oL4OHkfk235cDk5v0WKSNyg/fbakoggwn0JV:O8myVs/Al4OHU3ODkJU6f2E
Threatray	113 similar samples on MalwareBazaar
TLSH	T1EB747DC253E16C20E5124B32BE1FC7F86B1EF8609E557B6E2359AE3F0970163D162719
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	02d4c0c048586a4c (1 x Stealc)
Reporter	abuse_ch
Tags:	32 exe Stealc

abuse_ch

Stealc C2:
http://94.131.104.50/c92a19ea55c5076e.php

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3011d8256ead8820223359556ec2c85b.exe

Verdict:

Malicious activity

Analysis date:

2023-03-22 10:18:24 UTC

Tags:

loader

Link:

https://app.any.run/tasks/9566cc73-7f70-4fea-baac-ecf9c09bba1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376423/

Detection(s):

Sanesecurity.Malware.29059.BadIN.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Sending a custom TCP request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Creating a file in the %AppData% subdirectories

Searching for the window

Stealing user critical data

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult gozi greyware lockbit mikey packed

Link:

https://www.filescan.io/uploads/641ad565c60b3295f52c9528/reports/394238f2-fe3b-4ed3-9dda-a24f24135131/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cd38f65f-f261-426a-8781-020685456103

Result

Threat name:

Laplas Clipper, Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1199228

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Laplas Clipper

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20/

Threat name:

Win32.Trojan.Smokeloadder

Status:

Malicious

First seen:

2023-03-22 10:16:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=df4oxiykj3atotijv77k2ouq2qlvzf7fr42es7lzrkvfnzuf34qa._file

Verdict:

malicious

Result

Malware family:

laplas

Score:

10/10

Tags:

family:laplas clipper discovery persistence spyware stealer

Link:

https://tria.ge/reports/230322-mas4lsab6t/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Laplas Clipper

Malware Config

C2 Extraction:

http://45.87.154.105

Unpacked files

SH256 hash:

5f92d593b153846eea8f83193af65c2729a8a46a711ba353f185a7b83dd1d252

MD5 hash:

6f5a0582f9f73b01889c780a7d498624

SHA1 hash:

6881e3943c9066b0d9becfca2e9c2954491850ea

Detections:

stealc

Link:

https://www.unpac.me/results/9f07d635-0bed-4a3c-ab85-730ea7237b8d/

SH256 hash:

1978eba30a4ec1374d09affead3a90d4175c97e58f34497d798aaa56e685df20

MD5 hash:

3011d8256ead8820223359556ec2c85b

SHA1 hash:

403343881d8440f0cae73e82bc41b32c8b9d4816

Link:

https://www.unpac.me/results/9f07d635-0bed-4a3c-ab85-730ea7237b8d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers