MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5
SHA3-384 hash: 5bf3b4d136cde9c6ec2ef44b4d8d78db55d22d3cf0ae8f6f1aa26d9b9add03f3cbae25f4960516552ff9ca53d959cae6
SHA1 hash: 9d92de6917f7979aaa5287a11d0b32c0ce7341c0
MD5 hash: 3df3c08e10929aec9ed3deff790e1db3
humanhash: speaker-florida-hamper-kitten
File name:3df3c08e10929aec9ed3deff790e1db3
Download: download sample
Signature Stealc
Create hunting rule
File size:864'480 bytes
First seen:2023-12-22 17:23:56 UTC
Last seen:2023-12-22 19:15:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:JxvKKBYhkWSamCFr8InJHY5Q2nakmep4VZLzH/n0xDhmuWJuf:JBFMkW/wIpY5QNkmeuRUD9f
Threatray 8 similar samples on MalwareBazaar
TLSH T1AC056A6131C8E04ADB4706B30322EDF05D295EBA2DA1E71536CCFA5777B264BD606ACC
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-22T04:00:21Z
Valid to:2024-12-22T04:00:21Z
Serial number: a8151d6dea2d86c249b84948f6138d77
Thumbprint Algorithm:SHA256
Thumbprint: 10cc0fd3dd3f345d2a522325bf37d010ed199d4157c75462dfc92fc4c82f5250
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2023-12-22 08:42:24 UTC
Tags:
loader hausbomber opendir phorpiex trojan rhadamanthys stealer azorult evasion parallax remote purplefox backdoor systembc proxy botnet formbook spyware redline arechclient2 pureloader purecrypter stealc dupzom servstart autoit rat dcrat ramnit lumma amadey metasploit gh0st
Link:
https://app.any.run/tasks/04f9baa5-1f1d-4116-8c28-30d05775f663

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469066/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7115.26938.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive overlay packed
Link:
https://www.filescan.io/uploads/6585c633b855eb3693ee037c/reports/59d4fdd5-cce1-41d1-b0ee-5885c5ad90ab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d0f2061-2efe-46b6-a252-b91450519111
Result
Threat name:
Glupteba, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366338
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1366338 Sample: XKpsAUCtnp.exe Startdate: 22/12/2023 Architecture: WINDOWS Score: 100 212 Found malware configuration 2->212 214 Malicious sample detected (through community Yara rule) 2->214 216 Antivirus detection for URL or domain 2->216 218 19 other signatures 2->218 12 XKpsAUCtnp.exe 2 4 2->12         started        15 PakvKTY.exe 2->15         started        18 cmd.exe 2->18         started        20 2 other processes 2->20 process3 file4 274 Writes to foreign memory regions 12->274 276 Allocates memory in foreign processes 12->276 278 Adds extensions / path to Windows Defender exclusion list (Registry) 12->278 284 3 other signatures 12->284 22 InstallUtil.exe 15 241 12->22         started        27 powershell.exe 23 12->27         started        184 C:\Windows\Temp\...\YkmngNn.exe, PE32 15->184 dropped 280 Very long command line found 15->280 282 Modifies Windows Defender protection settings 15->282 29 powershell.exe 15->29         started        31 8K5GVYMf976fpnKleo1CnTVO.exe 18->31         started        33 conhost.exe 18->33         started        35 conhost.exe 20->35         started        37 conhost.exe 20->37         started        signatures5 process6 dnsIp7 188 194.104.136.64 SMEERBOEL-ASSMEERBOELBVNL Netherlands 22->188 190 5.42.64.35 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 22->190 192 12 other IPs or domains 22->192 140 C:\Users\...\zuyhdP9GzFWygdt6u6JlNpo2.exe, PE32 22->140 dropped 142 C:\Users\...\zsf3IXWR5d3QHAAbwWHHxvZc.exe, PE32 22->142 dropped 144 C:\Users\...\yYd7QXoUtO9ARYdEFJDCPu3L.exe, PE32 22->144 dropped 146 191 other malicious files 22->146 dropped 238 Drops script or batch files to the startup folder 22->238 240 Creates HTML files with .exe extension (expired dropper behavior) 22->240 242 Uses cmd line tools excessively to alter registry or file data 22->242 244 Writes many files with high entropy 22->244 39 ITqJk2bQCDEwWxgJmlC9vxGY.exe 22->39         started        44 NNbZTAAzBwukqLp1plLbjExK.exe 22->44         started        46 AYuCXnieH8leFIMceK6v2BiX.exe 22->46         started        56 3 other processes 22->56 48 conhost.exe 27->48         started        246 Modifies Windows Defender protection settings 29->246 50 cmd.exe 29->50         started        52 conhost.exe 29->52         started        54 reg.exe 29->54         started        58 6 other processes 29->58 248 Detected unpacking (changes PE section rights) 31->248 250 Detected unpacking (overwrites its own PE header) 31->250 252 UAC bypass detected (Fodhelper) 31->252 254 Machine Learning detection for dropped file 31->254 file8 signatures9 process10 dnsIp11 194 107.167.110.216 OPERASOFTWAREUS United States 39->194 196 107.167.110.217 OPERASOFTWAREUS United States 39->196 206 6 other IPs or domains 39->206 158 9 other malicious files 39->158 dropped 256 Writes many files with high entropy 39->256 60 ITqJk2bQCDEwWxgJmlC9vxGY.exe 39->60         started        63 ITqJk2bQCDEwWxgJmlC9vxGY.exe 39->63         started        65 ITqJk2bQCDEwWxgJmlC9vxGY.exe 39->65         started        198 192.186.7.211 FEDERAL-ONLINE-GROUP-LLCUS United States 44->198 200 38.6.193.13 COGENT-174US United States 44->200 148 C:\Users\user\AppData\Local\Temp\...\Zip.dll, PE32 44->148 dropped 150 C:\Users\user\AppData\Local\...\Checker.dll, PE32 44->150 dropped 152 C:\Users\user\AppData\Local\...\nsdD669.tmp, DOS 44->152 dropped 160 12 other malicious files 44->160 dropped 258 Query firmware table information (likely to detect VMs) 44->258 260 Creates an undocumented autostart registry key 44->260 262 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 44->262 264 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 44->264 202 104.237.62.212 WEBNXUS United States 46->202 204 91.92.254.7 THEZONEBG Bulgaria 46->204 154 C:\Users\user\AppData\...\nsvDB0E.tmp.exe, PE32 46->154 dropped 156 C:\Users\user\AppData\Local\...\INetC.dll, PE32 46->156 dropped 162 2 other malicious files 46->162 dropped 67 nsvDB0E.tmp.exe 46->67         started        71 BroomSetup.exe 46->71         started        266 Uses cmd line tools excessively to alter registry or file data 50->266 73 reg.exe 50->73         started        164 2 other malicious files 56->164 dropped 268 Detected unpacking (changes PE section rights) 56->268 270 Detected unpacking (overwrites its own PE header) 56->270 272 Found Tor onion address 56->272 75 Install.exe 56->75         started        77 powershell.exe 56->77         started        79 3 other processes 56->79 file12 signatures13 process14 dnsIp15 166 Opera_installer_2312221724589177236.dll, PE32 60->166 dropped 168 C:\Users\user\AppData\...\win8_importing.dll, PE32+ 60->168 dropped 170 C:\Users\user\...\win10_share_handler.dll, PE32+ 60->170 dropped 180 21 other malicious files 60->180 dropped 81 ITqJk2bQCDEwWxgJmlC9vxGY.exe 60->81         started        172 Opera_installer_2312221724577255892.dll, PE32 63->172 dropped 174 Opera_installer_2312221724582155660.dll, PE32 65->174 dropped 186 77.91.76.36 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 67->186 176 C:\Users\user\AppData\...\softokn3[1].dll, PE32 67->176 dropped 182 11 other files (7 malicious) 67->182 dropped 220 Detected unpacking (changes PE section rights) 67->220 222 Detected unpacking (overwrites its own PE header) 67->222 224 Tries to steal Mail credentials (via file / registry access) 67->224 228 2 other signatures 67->228 226 Multi AV Scanner detection for dropped file 71->226 178 C:\Users\user\AppData\Local\...\Install.exe, PE32 75->178 dropped 84 Install.exe 75->84         started        87 conhost.exe 77->87         started        89 conhost.exe 77->89         started        91 powershell.exe 79->91         started        93 conhost.exe 79->93         started        95 powershell.exe 79->95         started        file16 signatures17 process18 file19 134 Opera_installer_2312221724596267320.dll, PE32 81->134 dropped 136 C:\Users\user\AppData\Local\...\PakvKTY.exe, PE32 84->136 dropped 138 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 84->138 dropped 230 Uses schtasks.exe or at.exe to add and modify task schedules 84->230 232 Modifies Windows Defender protection settings 84->232 234 Adds extensions / path to Windows Defender exclusion list 84->234 236 Modifies Group Policy settings 84->236 97 forfiles.exe 84->97         started        100 forfiles.exe 84->100         started        102 schtasks.exe 84->102         started        106 3 other processes 84->106 104 conhost.exe 91->104         started        signatures20 process21 signatures22 208 Modifies Windows Defender protection settings 97->208 210 Adds extensions / path to Windows Defender exclusion list 97->210 108 cmd.exe 97->108         started        111 conhost.exe 97->111         started        113 cmd.exe 100->113         started        115 conhost.exe 100->115         started        117 conhost.exe 102->117         started        119 conhost.exe 106->119         started        121 conhost.exe 106->121         started        123 conhost.exe 106->123         started        process23 signatures24 286 Uses cmd line tools excessively to alter registry or file data 108->286 125 reg.exe 108->125         started        128 reg.exe 108->128         started        130 reg.exe 113->130         started        132 reg.exe 113->132         started        process25 signatures26 288 Adds extensions / path to Windows Defender exclusion list (Registry) 125->288
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-12-22 11:57:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebqr5ggpuhvzgotpscx2uirlqmtdpitqcusr7nanf7ep2ykx66sq._file
Verdict:
malicious
Similar samples:
0d14d4e3b742bfea99aebb68954101b2509b7c92de33d27006fe81110e5ea3ae
Stealc
23a626f850c9095449d2b206838d49d157c2d0dae3d7fb877067685c33b7549b
Stealc
50c57233d3be4189fc1d3512d523f2dd6e2dbcdce66193bc7ee341c3c251a800
Stealc
9e8236c0031bc36b82d7d6964a8f46ba037bc826c4eb7a23ea74e4e1f4f6b643
Stealc
b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210
Stealc
bba099a7d260b2f39a2e84ffbabfc021d1ffaa1c13f38fc5c6c72b27bc476515
Stealc
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc dropper evasion loader stealer trojan upx
Link:
https://tria.ge/reports/231222-vypebscgfn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://77.91.76.36
Unpacked files
SH256 hash:
20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5
MD5 hash:
3df3c08e10929aec9ed3deff790e1db3
SHA1 hash:
9d92de6917f7979aaa5287a11d0b32c0ce7341c0
Link:
https://www.unpac.me/results/63638f2c-8c7f-4428-8e2f-db5f737b1343/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20611e98cfa1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 20611e98cfa1eb933a6f90afaa222b832637a27015251fb40d2fc8fd6157f7a5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2738073/
Cape
Cape
https://www.capesandbox.com/analysis/469066/

Comments


Avatar
zbet commented on 2023-12-22 17:23:57 UTC

url : hxxp://15.204.49.148/files/InstallSetup2.exe