MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
SHA3-384 hash: f88d823cf91d32f28a4926375f78f79054b4d755595fbb2e073f984ab0867c771a6761c4396905ff6282a6b12df33d5e
SHA1 hash: dd03c8bb8afd68816b9346cbb1c0493342bf8182
MD5 hash: b9e52db8c2b32fe642e7044591872c03
humanhash: whiskey-butter-eleven-nine
File name:b9e52db8c2b32fe642e7044591872c03.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:2'761'216 bytes
First seen:2023-12-27 16:25:07 UTC
Last seen:2023-12-30 02:11:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:3NlbKBQUzBwEp8Ps2eTrqoAb83Df4klSABQ0yEyPLXKG1DcoGHVEeEo4f:7K5zBwEp8Ps2eyoJTQT0Q0HyzXK4DcoR
TLSH T1A4D53313E9F90233DDAA27760DF61253132ABED1AA58569B11DCEF2E1CB42943431B37
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
45.42.45.36:45450

Intelligence

File Origin
# of uploads :
2
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
RisePro
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469466/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

Win.Packed.Stealerc-10017072-0
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Reading critical registry keys
Сreating synchronization primitives
Launching a service
Creating a file
Running batch commands
Connecting to a non-recommended domain
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer installer lolbin lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/658c501c6b1c2460460b5d39/reports/51e03919-5518-49c4-8ef6-e1e56f47b6bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00dc6389-cfc2-4b80-b918-22ef66f6681c
Result
Threat name:
RisePro Stealer, SmokeLoader, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1367431
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of sandbox detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1367431 Sample: PEeR32pvuF.exe Startdate: 27/12/2023 Architecture: WINDOWS Score: 100 119 ipinfo.io 2->119 147 Snort IDS alert for network traffic 2->147 149 Found malware configuration 2->149 151 Antivirus detection for dropped file 2->151 153 13 other signatures 2->153 12 PEeR32pvuF.exe 1 4 2->12         started        15 FANBooster131.exe 2->15         started        18 MaxLoonaFest131.exe 2->18         started        20 6 other processes 2->20 signatures3 process4 dnsIp5 117 2 other malicious files 12->117 dropped 23 mc2LD75.exe 1 4 12->23         started        101 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->101 dropped 103 C:\...\T3uIeq5S4LMT2m8guGEetqsCMLbxxJPv.zip, Zip 15->103 dropped 179 Antivirus detection for dropped file 15->179 181 Multi AV Scanner detection for dropped file 15->181 183 Detected unpacking (changes PE section rights) 15->183 197 3 other signatures 15->197 27 WerFault.exe 15->27         started        105 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 18->105 dropped 107 C:\...\DNyB1OguEPV8jdor0ZnIKGBbBFuwSLgC.zip, Zip 18->107 dropped 185 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->185 187 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 18->187 189 Tries to steal Mail credentials (via file / registry access) 18->189 29 WerFault.exe 18->29         started        125 ipinfo.io 34.117.186.192, 443, 49774, 49775 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 20->125 109 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->109 dropped 111 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->111 dropped 113 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 20->113 dropped 115 C:\...\FzW0FF49JUCBI04MYkXWMer8xUxzZpW5.zip, Zip 20->115 dropped 191 Detected unpacking (overwrites its own PE header) 20->191 193 Machine Learning detection for dropped file 20->193 195 Hides threads from debuggers 20->195 31 WerFault.exe 20->31         started        33 WerFault.exe 20->33         started        35 WerFault.exe 20->35         started        file6 signatures7 process8 file9 85 C:\Users\user\AppData\Local\...\lb6sj61.exe, PE32 23->85 dropped 87 C:\Users\user\AppData\Local\...\6gB5zi4.exe, PE32 23->87 dropped 161 Antivirus detection for dropped file 23->161 163 Multi AV Scanner detection for dropped file 23->163 165 Machine Learning detection for dropped file 23->165 37 lb6sj61.exe 1 4 23->37         started        signatures10 process11 file12 81 C:\Users\user\AppData\Local\...\gp2IY88.exe, PE32 37->81 dropped 83 C:\Users\user\AppData\Local\...\4PH409Jv.exe, PE32 37->83 dropped 155 Antivirus detection for dropped file 37->155 157 Multi AV Scanner detection for dropped file 37->157 159 Machine Learning detection for dropped file 37->159 41 4PH409Jv.exe 16 69 37->41         started        46 gp2IY88.exe 1 4 37->46         started        signatures13 process14 dnsIp15 133 193.233.132.62, 49747, 49761, 49763 FREE-NET-ASFREEnetEU Russian Federation 41->133 89 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 41->89 dropped 91 C:\Users\user\AppData\...\FANBooster131.exe, PE32 41->91 dropped 93 C:\Users\user\AppData\...\MaxLoonaFest131.exe, PE32 41->93 dropped 99 2 other malicious files 41->99 dropped 167 Antivirus detection for dropped file 41->167 169 Multi AV Scanner detection for dropped file 41->169 171 Detected unpacking (changes PE section rights) 41->171 177 6 other signatures 41->177 48 cmd.exe 41->48         started        51 cmd.exe 41->51         started        53 WerFault.exe 41->53         started        95 C:\Users\user\AppData\Local\...\2VP7790.exe, PE32 46->95 dropped 97 C:\Users\user\AppData\Local\...\1nz75fs6.exe, PE32 46->97 dropped 173 Binary is likely a compiled AutoIt script file 46->173 175 Machine Learning detection for dropped file 46->175 55 1nz75fs6.exe 12 46->55         started        57 2VP7790.exe 12 46->57         started        file16 signatures17 process18 signatures19 135 Uses schtasks.exe or at.exe to add and modify task schedules 48->135 59 conhost.exe 48->59         started        61 schtasks.exe 48->61         started        63 conhost.exe 51->63         started        65 schtasks.exe 51->65         started        137 Multi AV Scanner detection for dropped file 55->137 139 Binary is likely a compiled AutoIt script file 55->139 141 Machine Learning detection for dropped file 55->141 67 chrome.exe 1 55->67         started        143 Found API chain indicative of sandbox detection 57->143 145 Contains functionality to modify clipboard data 57->145 70 chrome.exe 57->70         started        process20 dnsIp21 121 192.168.2.4, 138, 443, 49254 unknown unknown 67->121 123 239.255.255.250 unknown Reserved 67->123 72 chrome.exe 67->72         started        75 chrome.exe 67->75         started        77 chrome.exe 67->77         started        79 chrome.exe 70->79         started        process22 dnsIp23 127 clients.l.google.com 142.250.114.102, 443, 49729 GOOGLEUS United States 72->127 129 www3.l.google.com 142.250.114.113, 443, 49822 GOOGLEUS United States 72->129 131 14 other IPs or domains 72->131
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11/
Threat name:
Win32.Trojan.GenSHCode
Create hunting rule
Status:
Malicious
First seen:
2023-12-27 16:26:11 UTC
File Type:
PE (Exe)
Extracted files:
265
AV detection:
15 of 19 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqaaqoi4vd5jb5datsl3qho57j5q3fmhywsibobwaqhuvv4wxqiq._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:smokeloader backdoor brand:google collection discovery persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231227-txhpqabhh6/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Detected google phishing page
Lumma Stealer
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
http://soupinterestoe.fun/api
Unpacked files
SH256 hash:
faa1595ae7637cf3ba7bf63557ecc27c58477f0bd8731614422d41a5cabc6148
MD5 hash:
eb683d1eb6dd5b34992a88888d491772
SHA1 hash:
4c5cfceacbf4f3219131b393807fd443f5ad0cb3
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/d47cc0da-ae6a-49aa-8b39-5aba4627a835/
Parent samples :
1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
83f87484754b4f4301e2b9cf06e5400d232e14129f86384ad192e42eb4b0d2af
SH256 hash:
1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11
MD5 hash:
b9e52db8c2b32fe642e7044591872c03
SHA1 hash:
dd03c8bb8afd68816b9346cbb1c0493342bf8182
Link:
https://www.unpac.me/results/d47cc0da-ae6a-49aa-8b39-5aba4627a835/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 1c0008391ca8fa90f4609c97b81dddfa7b0d9587c5a480b836040f4ad796bc11

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2744391/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/469466/

Comments