MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214
SHA3-384 hash: 6de962b03ceb1796c18f76cf671191aa3ee481152a28cc7922fd68658c1ef8a30902ca4d79911c3f859107914636768e
SHA1 hash: dc1ca01e1e512ab8abda2eb7289bed34ae4e10e7
MD5 hash: fd72f009bcbf63c9586becb726402280
humanhash: yankee-coffee-cat-helium
File name:fd72f009bcbf63c9586becb726402280
Download: download sample
Signature Stealc
Create hunting rule
File size:359'936 bytes
First seen:2023-04-15 01:11:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cc1140ca645618311dea87dffc5ba768 (2 x RedLineStealer, 2 x Vidar, 1 x Amadey)
ssdeep 6144:aWYGtjBQ8thJ+vuNWa7s3qNyZPHAaeV6zvMCV+E:aWjjBdf+vuN3TggaeV6oCVr
Threatray 1'300 similar samples on MalwareBazaar
TLSH T10C745B1262D0A975F222DA79CE3BC6F9272EB4609F15BADB27955B2F0D703E1C172304
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 01612c0622011132 (1 x Stealc)
Reporter zbetcheckin
Tags:32 exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
826
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
oski
Create hunting rule
ID:
1
File name:
Next scams 2023 - Paladin Research.pdf.zip
Verdict:
Malicious activity
Analysis date:
2023-04-14 09:09:09 UTC
Tags:
loader stealer oski
Link:
https://app.any.run/tasks/2e01a7b3-5e3d-4c97-8d8e-3f15a4b1e84e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382363/
Detection(s):
Sanesecurity.Malware.29209.BadIN.UNOFFICIAL
Create hunting rule

Win.Dropper.Tofsee-9997087-0
Create hunting rule

Win.Dropper.Tofsee-9997088-0
Create hunting rule

Win.Dropper.Tofsee-9997089-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/79691/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6439f9e3b4ec50bace60447b/reports/636e6c2c-6e73-4283-ba02-f54bf971fcb3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e61c6148-487f-4dc2-b29d-7807825bc143
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214228
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214/
Threat name:
Win32.Spyware.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-04-13 01:39:37 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
24 of 24 (100.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecgrcujs5czxqkgeb5lotoify4vebmf4raltn3b2scq4ao5kcika._file
Verdict:
malicious
Similar samples:
0737c068f2012af8cdb27ec08664ba0aca11c0dced3702efb7359d59e2186338
Stealc
10693518407261cb6d1cae5bd3ad6aa3309e0a6ac1170cc9592a3ed29e3303b3
Stealc
1aabaf257833b939257609dea10af40fb814682dd8de52918145f3bc40441625
Stealc
2050a2f16f735a22589fa28453489733dfa907f5f9b05ce0510b89bcafae0ba4
Stealc
214e9703ba46ea2ec8a747913145d48a8be812ab4beaf8f055e889c204955174
Stealc
5ac8bd1c622637a972de501a4737ee63968ee25b3211ed8ec512775e416518e5
Stealc
9996cf595b1514e53b21ac212c2af6f1ded7488a5b99639711ba4058b1f5e6e3
Stealc
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0
Stealc
bd92cab108fe5e7fb8da4749f18a1ba88153755e72b9d3b15854295a7394877c
Stealc
d22d3e19a68d8c6efe71df22e21bb6be33925cdc30213f7b82bb38d7ccb65096
Stealc
+ 1'290 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/230415-bkhj3scf22/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
65f71e0709fd2d8dbbf3fe72b6d459a2d44e241582050e8224d849cfc51bf543
MD5 hash:
9ea81d126561efc841a0225050555edf
SHA1 hash:
16a347c757ab75aed29ef1ef9bc701f581703456
Detections:
win_stealc_auto
Create hunting rule
win_stealc_a0
Create hunting rule
Link:
https://www.unpac.me/results/8f737401-f536-49aa-887a-fc4a0bc1f2fe/
SH256 hash:
208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214
MD5 hash:
fd72f009bcbf63c9586becb726402280
SHA1 hash:
dc1ca01e1e512ab8abda2eb7289bed34ae4e10e7
Link:
https://www.unpac.me/results/8f737401-f536-49aa-887a-fc4a0bc1f2fe/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/208d115132e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 208d115132e8b37828c40f56e9b905c72a40b0bc881736ec3a90a1c03baa1214

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2609418/
Cape
Cape
https://www.capesandbox.com/analysis/382363/

Comments


Avatar
zbet commented on 2023-04-15 01:12:01 UTC

url : hxxp://37.220.87.53/troubled_projects.exe