MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4
SHA3-384 hash: 0fe95714c8b65c4b3a0edc566933c0c4386b34b93126187a0ee6f58b03f25abb972305514a88fcaf2d28b97a43cd8c65
SHA1 hash: 668a9491f874e70893c0be12f696399fb96e57c5
MD5 hash: 314cd474a8e438003dc753eda6e34ef6
humanhash: spring-river-alpha-freddie
File name:314cd474a8e438003dc753eda6e34ef6.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:2'383'360 bytes
First seen:2023-12-15 16:45:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:7fOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:SfwnEg4hVvNCm6GpR5Rw
Threatray 17 similar samples on MalwareBazaar
TLSH T165B52323A2D8C472E8D4A375BDF50346273738E108B9C66B2761748FA872AD9E531773
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
91.92.249.253:50500

Intelligence

File Origin
# of uploads :
1
# of downloads :
310
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/467601/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin lolbin packed replace rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/657c82cba6bc59352f29d417/reports/63684231-d2d2-4bb5-8514-251a0126bdff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c395915a-262a-45b4-b5ce-931d559647b8
Result
Threat name:
LummaC Stealer, RedLine, RisePro Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362795
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LummaC Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected SmokeLoader
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1362795 Sample: B9S5L6XHRu.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 123 soupinterestoe.fun 2->123 125 reviveincapablewew.pw 2->125 127 12 other IPs or domains 2->127 189 Snort IDS alert for network traffic 2->189 191 Found malware configuration 2->191 193 Malicious sample detected (through community Yara rule) 2->193 195 21 other signatures 2->195 10 B9S5L6XHRu.exe 1 4 2->10         started        13 svchost.exe 2->13         started        16 svchost.exe 2->16         started        18 5 other processes 2->18 signatures3 process4 dnsIp5 115 C:\Users\user\AppData\Local\...\5qJ6iu8.exe, PE32 10->115 dropped 117 C:\Users\user\AppData\Local\...\2Mq2881.exe, PE32 10->117 dropped 21 5qJ6iu8.exe 10->21         started        24 2Mq2881.exe 15 3 10->24         started        229 Changes security center settings (notifications, updates, antivirus, firewall) 13->229 27 MpCmdRun.exe 13->27         started        29 WerFault.exe 16->29         started        31 WerFault.exe 16->31         started        129 127.0.0.1 unknown unknown 18->129 33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        file6 signatures7 process8 dnsIp9 197 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->197 199 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 21->199 201 Maps a DLL or memory area into another process 21->201 211 2 other signatures 21->211 37 explorer.exe 21->37 injected 151 77.91.124.172, 49710, 80 ECOTEL-ASRU Russian Federation 24->151 203 Found many strings related to Crypto-Wallets (likely being stolen) 24->203 205 Writes to foreign memory regions 24->205 207 Allocates memory in foreign processes 24->207 209 Injects a PE file into a foreign processes 24->209 42 RegAsm.exe 15 69 24->42         started        44 RegAsm.exe 24->44         started        46 conhost.exe 27->46         started        signatures10 process11 dnsIp12 131 185.215.113.68, 49717, 80 WHOLESALECONNECTIONSNL Portugal 37->131 133 5.42.65.125, 49728, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 37->133 139 2 other IPs or domains 37->139 99 C:\Users\user\AppData\Local\Temp\7709.exe, PE32 37->99 dropped 101 C:\Users\user\AppData\Local\Temp\62D4.exe, PE32 37->101 dropped 103 C:\Users\user\AppData\Local\Temp\3B36.exe, PE32 37->103 dropped 111 4 other malicious files 37->111 dropped 213 System process connects to network (likely due to code injection or exploit) 37->213 215 Benign windows process drops PE files 37->215 48 25C8.exe 37->48         started        52 3B36.exe 37->52         started        54 1A2D.exe 37->54         started        63 7 other processes 37->63 135 91.92.249.253, 49712, 50500 THEZONEBG Bulgaria 42->135 137 ipinfo.io 34.117.186.192, 443, 49716 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 42->137 105 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 42->105 dropped 107 C:\...\HxbbnvinbC3Lyxph5MenUwrltxAD3ru4.zip, Zip 42->107 dropped 109 C:\Users\user\AppData\...\FANBooster131.exe, PE32 42->109 dropped 113 2 other files (none is malicious) 42->113 dropped 217 Found many strings related to Crypto-Wallets (likely being stolen) 42->217 219 Tries to harvest and steal browser information (history, passwords, etc) 42->219 57 cmd.exe 1 42->57         started        59 cmd.exe 1 42->59         started        61 WerFault.exe 42->61         started        221 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->221 223 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 44->223 225 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 44->225 227 Queries memory information (via WMI often done to detect virtual machines) 44->227 file13 signatures14 process15 dnsIp16 85 C:\Users\user\AppData\Roaming\...\File2.exe, PE32 48->85 dropped 87 C:\Users\user\AppData\Roaming\...\File1.exe, PE32 48->87 dropped 153 Multi AV Scanner detection for dropped file 48->153 155 Machine Learning detection for dropped file 48->155 65 File1.exe 48->65         started        69 File2.exe 48->69         started        71 conhost.exe 48->71         started        89 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 52->89 dropped 157 Writes to foreign memory regions 52->157 177 3 other signatures 52->177 73 RegSvcs.exe 52->73         started        141 soupinterestoe.fun 104.21.24.252, 49718, 80 CLOUDFLARENETUS United States 54->141 143 neighborhoodfeelsa.fun 104.21.87.137, 49721, 80 CLOUDFLARENETUS United States 54->143 149 3 other IPs or domains 54->149 159 Antivirus detection for dropped file 54->159 161 Detected unpacking (changes PE section rights) 54->161 163 Detected unpacking (overwrites its own PE header) 54->163 165 Found evasive API chain (may stop execution after checking computer name) 54->165 75 WerFault.exe 54->75         started        167 Uses schtasks.exe or at.exe to add and modify task schedules 57->167 79 2 other processes 57->79 81 2 other processes 59->81 145 176.123.7.190, 32927, 49720, 49727 ALEXHOSTMD Moldova Republic of 63->145 147 77.105.132.161 PLUSTELECOM-ASRU Russian Federation 63->147 91 C:\Users\user\AppData\Local\Temp\tuc3.exe, PE32 63->91 dropped 93 C:\Users\user\AppData\Local\...\toolspub2.exe, PE32 63->93 dropped 95 C:\Users\user\AppData\...\InstallSetup9.exe, PE32 63->95 dropped 97 C:\...\31839b57a4f11171d6abc8bbc4451ee4.exe, PE32 63->97 dropped 169 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 63->169 171 Found many strings related to Crypto-Wallets (likely being stolen) 63->171 173 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 63->173 175 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 63->175 77 InstallSetup9.exe 63->77         started        83 3 other processes 63->83 file17 signatures18 process19 dnsIp20 119 176.123.10.211, 47430, 49726 ALEXHOSTMD Moldova Republic of 65->119 179 Multi AV Scanner detection for dropped file 65->179 181 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 65->181 183 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 65->183 185 Tries to steal Crypto Currency Wallets 69->185 121 195.20.16.103 EITADAT-ASFI Finland 73->121 187 Tries to harvest and steal browser information (history, passwords, etc) 73->187 signatures21
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4
Detection:
smokeloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-15 16:46:06 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fg4bwcj6trtjkfsus7ilup6w542g34n546nndpormdi2x4uwatsa._file
Verdict:
malicious
Similar samples:
139b12dd41cbd5265eb479b207e18bf881ebc1f26787be435067b7b1ffd717b4
Stealc
192d98bd15eee402481b2a81edd1d4d599d9a70521c578cada78debfd0d96efb
Stealc
4c5609ce8dd9b57e711e6c032032ec2fdadf0a3eb89a044847e3e6f85a603e30
Stealc
5056ba5567b664efedda9c48d380f84eeeafc0aafa4ff723d897368972763ce0
Stealc
9b115d4d9d27cca513836b8222f9cddd3697ca71ec2456645bab03a788cf30e2
Stealc
+ 7 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:redline family:smokeloader botnet:@oleh_ps backdoor collection discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/231215-t9yxgagbgn/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Detect Lumma Stealer payload V4
Lumma Stealer
RedLine
RedLine payload
SmokeLoader
Malware Config
C2 Extraction:
http://185.215.113.68/fks/index.php
176.123.7.190:32927
Unpacked files
SH256 hash:
0aa9f8be2a6cb4862d1fd423159080d2100f7adf8ced157d463460230049c31a
MD5 hash:
492ff386974529e80c08385cfef08765
SHA1 hash:
73ac0062ec57d058fd0f1ba161eb1f94cbc1120e
Link:
https://www.unpac.me/results/7e883590-bea7-4a88-8252-96915159696b/
SH256 hash:
49db0c315574d3ca3a4adfc40e395e42185caabec1eb8f4e70b1ee54e6b8e282
MD5 hash:
aa69f5b53395932b4525f33be01defb4
SHA1 hash:
5ef97517c90da30df79815a6770c5aa3c252aa76
Detections:
SmokeLoaderStage2
Create hunting rule
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/7e883590-bea7-4a88-8252-96915159696b/
SH256 hash:
29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4
MD5 hash:
314cd474a8e438003dc753eda6e34ef6
SHA1 hash:
668a9491f874e70893c0be12f696399fb96e57c5
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/7e883590-bea7-4a88-8252-96915159696b/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29b81b093e9c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 29b81b093e9c6695165497d0ba3fd6ef346df1bde79ad1bdd160d1abf29604e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467601/

Comments