MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 240675a2b1de7df228e776969a6d9d651bc8097254e88c07a8d19f6ce0edd1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc
Vendor detections: 14



SHA256 hash: 240675a2b1de7df228e776969a6d9d651bc8097254e88c07a8d19f6ce0edd1ec
SHA3-384 hash: fd4b594887c04f3b3e1986a27b7308b3b27e729979acf552389cf3655fc9d140ffa684ad48891167edd33013de39de17
SHA1 hash: 9ee7960dbd8d81f75369ee2609574d26b5c6ce4e
MD5 hash: 61b9f41b6764ddf5f94bfa96b049e6a3
humanhash: beryllium-cardinal-november-robert
File name: SecuriteInfo.com.Trojan.PackedNET.2742.9443.15673
Signature: Stealc
File size: 637'664 bytes
First seen: 2024-03-14 00:34:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 12288:SehXckxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNWB:fXcZX9uWfm2Yysm2YyhZX9uWB
TLSH: T1A0D48E0BB302971ACD526D7C94A1C3602735FB69FB439A0BB1BFFB5526431A01EE52D8
TrID:
  70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.5% (.ICL) Windows Icons Library (generic) (2059/9)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: SecuriteInfoCom
Tags: exe signed Stealc

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-03-13T08:09:37Z
Valid to: 2025-03-13T08:09:37Z
Serial number: 6fec167781772ee1822490857bd9a81d
Thumbprint algorithm: SHA256
Thumbprint: fef9593e0875b9487bb3d45e4367e6782891ea97ca921bd23345069146e43644
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 411
Origin country: FR

Vendor Threat Intelligence
Malware family: glupteba
ID: 1
File name: 240675a2b1de7df228e776969a6d9d651bc8097254e88c07a8d19f6ce0edd1ec.exe
Verdict: Malicious activity
Analysis date: 2024-03-14 00:35:34 UTC
Tags: hello2malware opendir evasion stealer stealc loader glupteba trojan xmrig

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a file
Searching for the window
Blocking the User Account Control
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Glupteba, Mars Stealer, Socks5Systemz, S
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 1408718 (sample: SecuriteInfo.com.Trojan.Pac..., start date: 14/03/2024, architecture: WINDOWS, score: 100). The rendered process and network graph is not reproduced here.
Threat name: ByteCode-MSIL.Trojan.Privateloader
Status: Malicious
First seen: 2024-03-13 11:36:20 UTC
File type: PE+ (.Net Exe)
Extracted files: 4
AV detection: 14 of 23 (60.87%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:glupteba family:socks5systemz family:stealc botnet discovery dropper evasion loader spyware stealer trojan upx
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
NSIS installer
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Downloads MZ/PE file
Detect Socks5Systemz Payload
Glupteba
Glupteba payload
Socks5Systemz
Stealc
UAC bypass
Windows security bypass
Malware Config
C2 extraction: http://185.172.128.145

Unpacked files
SHA256 hash: 240675a2b1de7df228e776969a6d9d651bc8097254e88c07a8d19f6ce0edd1ec
MD5 hash: 61b9f41b6764ddf5f94bfa96b049e6a3
SHA1 hash: 9ee7960dbd8d81f75369ee2609574d26b5c6ce4e

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detect PE file that has no import table

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stealc
File: Executable exe 240675a2b1de7df228e776969a6d9d651bc8097254e88c07a8d19f6ce0edd1ec (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                            Severity
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (GUARD_CF)  high
