MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 2 File information Comments

SHA256 hash:	24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a
SHA3-384 hash:	7ea560af55a73804678cb1945c77cef212e40934318279c4d916db3520131638ba52fe5952cb9d90bad31f099765a62f
SHA1 hash:	d35b54b1d9ae60dc92cf7937fac620a6110de862
MD5 hash:	1084cb0ee42385f1e11ac522ddcbb3e8
humanhash:	november-zulu-maine-pluto
File name:	1084cb0ee42385f1e11ac522ddcbb3e8.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	685'568 bytes
First seen:	2024-11-07 20:05:08 UTC
Last seen:	2024-11-07 21:29:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a1d9a9442e58ba34f06489dca0927010 (2 x Stealc)
ssdeep	12288:IsxUU0QmLuZu7jA4HUEtL0mQ+iThJAtoF9Hr86pmuHjykE:j+vfZwiArFBpmuHjyk
TLSH	T1B1E4E16222F26C0FF6B74A319D39F6F4EB3FBA639D25727D2204762F09312919561702
TrID	67.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.2% (.EXE) Win64 Executable (generic) (10522/11/4) 5.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.2% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	12716d4cf4c4c4c4 (3 x Stealc, 2 x Smoke Loader, 1 x UACModuleSmokeLoader)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://95.215.204.182/4d3324bde875e159.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://95.215.204.182/4d3324bde875e159.php	https://threatfox.abuse.ch/ioc/1343055/

Intelligence

File Origin

# of uploads :

# of downloads :

423

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1084cb0ee42385f1e11ac522ddcbb3e8.exe

Verdict:

Malicious activity

Analysis date:

2024-11-07 20:07:38 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/fd686b3c-0281-4934-9d9d-158a23fa4820

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.BootkitX-gen.18200.6630.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=672d1db28d23d9049135215f

Tags:

exploit cobalt small hype

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Sending an HTTP GET request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/672d1dac83eea00c65721fc6/reports/1ada00bf-c9f8-48d1-9ca3-2bff6f188910/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d2a4898d-98ed-4630-b6a7-0678c04ee56f

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1551558

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=esz44j62pdw24yydc3ohtr5gjujonjw5azsd2ukbreggoy62uefa._file

Verdict:

malicious

Label(s):

shellcode_loader_002

stealc

Similar samples:

error

Stealc

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:logsdiller discovery stealer

Link:

https://tria.ge/reports/241107-yvdefaxmay/

Behaviour

Program crash

System Location Discovery: System Language Discovery

Stealc

Stealc family

Malware Config

C2 Extraction:

http://95.215.204.182

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/fae5b50d-7d6b-417e-a4af-e47786ed2f7f

Unpacked files

SH256 hash:

81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4

MD5 hash:

eda18948a989176f4eebb175ce806255

SHA1 hash:

ff22a3d5f5fb705137f233c36622c79eab995897

Link:

https://www.unpac.me/results/293577fa-f74a-4009-af55-0c1cb28c8b0b/

SH256 hash:

cea91990b30ad71000549680820e104a5dac11fd95d006c482c49aab272b29e6

MD5 hash:

a25a0e2fa6cae920e64e99592dfedbbe

SHA1 hash:

01bec2fa9a865feb9e8b84fee3f4088f0b2b98ec

Detections:

stealc

detect_Mars_Stealer

Link:

https://www.unpac.me/results/293577fa-f74a-4009-af55-0c1cb28c8b0b/

Parent samples :

6c22ef093091ac0f66d3cccf5f29ab2e32abc63f816d430972a6b2e1c2dcca32
24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a
b92f1ae301efc178c188be372d89fd6c11ce8efbdba1b6a65b7fc2cb4d8f7436

SH256 hash:

24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a

MD5 hash:

1084cb0ee42385f1e11ac522ddcbb3e8

SHA1 hash:

d35b54b1d9ae60dc92cf7937fac620a6110de862

Link:

https://www.unpac.me/results/293577fa-f74a-4009-af55-0c1cb28c8b0b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 24b3ce27da78edae630316dc79c7a64d12e6a6dd06643d5141890c6763daa10a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3243375/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleOutputCharacterA KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCursorPosition KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesLengthA KERNEL32.dll::GetConsoleAliasW KERNEL32.dll::GetConsoleFontSize KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample