MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 13



SHA256 hash: 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84
SHA3-384 hash: c531e633ade34cd4b4fd4758fe503a9a01d389f01c7713d237ca3434512d0616b7762eb78d8c37a6056bb46e35f1a9e4
SHA1 hash: 28fd3345d82da0cdb565a11c648aff196f03d770
MD5 hash: 5aa49622f3dafc184f903b7b78a2fd68
humanhash: angel-sweet-leopard-network
File name: 5aa49622f3dafc184f903b7b78a2fd68.exe
Signature: Stealc
File size: 8'793'696 bytes
First seen: 2024-05-07 10:15:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf4d9ea35fa5e6b3d85593ae6f971f8e (1 x Stealc)
ssdeep: 98304:YajcsQ5SggQZWfV1bihqdq7mXxUHp/nIaWl49u8cSu+A05TeKY7:cs3amByp/IpS9ASu+K
Threatray: 161 similar samples on MalwareBazaar
TLSH: T16D96C093B3C8A53DD46B1A7B483BE654993FBA612902CC1B67F44D4CCF35640293AE27
TrID: 39.3% (.EXE) Inno Setup installer (107240/4/30)
      21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      15.7% (.EXE) InstallShield setup (43053/19/16)
      15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon: d4c4e4f0f0eabab4 (1 x Stealc)
Reporter: abuse_ch
Tags: exe Stealc


abuse_ch
Stealc C2:
http://193.163.7.82/722c81812703a73d.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 351
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84.exe
Verdict: Malicious activity
Analysis date: 2024-05-07 10:18:18 UTC
Tags: hijackloader loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Creating a file
Launching a process
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
evasive fingerprint keylogger overlay packed risepro
Result
Threat name:
Mars Stealer, Stealc, Vidar
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1437390
Sample: hDz7lC2vwq.exe
Startdate: 07/05/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (as recovered from the graph):
hDz7lC2vwq.exe (started)
    dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
    dropped: C:\Users\user\AppData\Local\...\ptInst.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\msvcp140.dll (PE32)
    dropped: C:\Users\user\AppData\Local\...\WCLDll.dll (PE32)
    -> ptInst.exe (started)
        dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32)
        dropped: C:\Users\user\AppData\Roaming\...\ptInst.exe (PE32)
        dropped: C:\Users\user\AppData\...\msvcp140.dll (PE32)
        dropped: C:\Users\user\AppData\Roaming\...\WCLDll.dll (PE32)
        signature: Found direct / indirect Syscall (likely to bypass EDR)
        -> ptInst.exe (started)
            signature: Maps a DLL or memory area into another process
            signature: Found direct / indirect Syscall (likely to bypass EDR)
            -> cmd.exe (started)
                dropped: C:\Users\user\AppData\Local\Temp\sibmhls (PE32)
                signature: Injects code into the Windows Explorer (explorer.exe)
                signature: Deletes itself after installation
                signature: Writes to foreign memory regions
                signature: Found hidden mapped module (file has been removed from disk)
                -> conhost.exe (started)
                -> explorer.exe (started)
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2024-05-07 10:16:06 UTC
File Type:
PE (Exe)
Extracted files:
362
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:hijackloader family:stealc loader spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Deletes itself
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Stealc
Malware Config
C2 Extraction:
http://193.163.7.82
Unpacked files
SHA256 hash: 68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash: d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash: b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

SHA256 hash: a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash: cabb58bb5694f8b8269a73172c85b717
SHA1 hash: 9ed583c56385fed8e5e0757ddb2fdf025f96c807

SHA256 hash: fa2c1a454620511f9b16c0b3e7957bffbf32e139415925778eec22170f9de5f2
MD5 hash: 1eeaf7fbfd7a10eba90ae7280fdd9653
SHA1 hash: 9b2ace0262813e6491c5aa1cace418074dd9e5e4

SHA256 hash: 4c703256789cedf542a5fdf16716470e0458c597448029e9d4fc043e9c0b1f5d
MD5 hash: 7a48ddc7ad8fb012d37731d0b275bd92
SHA1 hash: 9ae3d5bdb27919a39a8f6d1e9f322e53cd44515d

SHA256 hash: 91251b4c9ad3b8d3050d280c3f69ba626dcdb5db410194f0904b5577778e72ba
MD5 hash: a2017c9ba3d480913435539226e89ff8
SHA1 hash: 83e2af7a1c2ca174c4b1dbdb305a3e1c9605b3af

SHA256 hash: 60fa9b4e9e286579df0d11644f7481ec680e00d279f100d5ed6b851014c9a72d
MD5 hash: 530c1d5a5542850a90be9475ac1929f3
SHA1 hash: 4b4eb4d59b04b82d79b34a63723b5e19f57729a4

SHA256 hash: 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84
MD5 hash: 5aa49622f3dafc184f903b7b78a2fd68
SHA1 hash: 28fd3345d82da0cdb565a11c648aff196f03d770
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_Mars_Stealer
Author: @malgamy12
Description: detect_Mars_Stealer

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_Stealc_str
Author: JPCERT/CC Incident Response Group
Description: Stealc infostealer

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: possible_trojan_banker
Author: @johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Windows_Trojan_Stealc_b8ab9ab5
Author: Elastic Security

Rule name: win_stealc_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.stealc.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 285493c54c35e3b571e28fc0816baa4b3833329eeec3649601dd6385a60c8d84 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | winmm.dll::sndPlaySoundW, gdi32.dll::StretchDIBits
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteW
WIN32_PROCESS_API | Can Create Process and Threads | winhttp.dll::WinHttpCloseHandle, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoW
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetFileAttributesW, kernel32.dll::FindFirstFileW, kernel32.dll::RemoveDirectoryW
WIN_BASE_USER_API | Retrieves Account Information | kernel32.dll::GetComputerNameW
WIN_HTTP_API | Uses HTTP services | winhttp.dll::WinHttpAddRequestHeaders, winhttp.dll::WinHttpConnect, winhttp.dll::WinHttpGetIEProxyConfigForCurrentUser, winhttp.dll::WinHttpGetProxyForUrl, winhttp.dll::WinHttpOpenRequest, winhttp.dll::WinHttpOpen
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegConnectRegistryW, advapi32.dll::RegCreateKeyExW, advapi32.dll::RegDeleteKeyW, advapi32.dll::RegLoadKeyW, advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryInfoKeyW
WIN_USER_API | Performs GUI Actions | user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::EmptyClipboard, user32.dll::FindWindowExW, user32.dll::FindWindowW, user32.dll::OpenClipboard

Comments