MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
SHA3-384 hash: 45af5ac7df6994c5fb88f292e43014788c89e1db15585377ad49b2c0ecfc7b9a7e1ea7da209a66d6fe989ea4e34b46d1
SHA1 hash: e54acbd5ed2125b5118deeec10c059d4e88803cd
MD5 hash: 01f642a68a587ee691ce6033c436e0e1
humanhash: fruit-ten-river-gee
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:405'752 bytes
First seen:2024-03-23 19:36:18 UTC
Last seen:2024-03-23 21:23:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:9foVL+C+YZTWgnFaF7VVeTJuFi5YFvfYdAE2aJi3yeYKmMvfsNVY1cvG35yp:9c9ZTWaFaFxVQ2YdAE2aJi3uKIN3
TLSH T1A0841260B7C8A267E8DF5B725530958F0739F7E26886D52E68C250065CB7FE0CB26B13
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Bitsight
Tags:exe signed Stealc

Code Signing Certificate

Organisation:Microsoft Code Signing PCA 2011
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-23T08:32:01Z
Valid to:2025-03-23T08:32:01Z
Serial number: d0d29d83d263db122050d63cf60a0416
Thumbprint Algorithm:SHA256
Thumbprint: c60446790d9572fc23b291db8b6972e7cc4db1ce2537ca57ff7cb0a125a7e3e1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: https://storage.bunnycdn.com/adn11/installSetup2.exe?accessKey=970f6bd3-ca4f-4101-9339ae04ca8d-b641-47a8&download

Intelligence

File Origin
# of uploads :
2
# of downloads :
384
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0.exe
Verdict:
Malicious activity
Analysis date:
2024-03-23 19:36:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0663eb14-8663-4c3b-b453-8a4e75d48b6e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP GET request
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a window
Launching a process
Connection attempt to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65ff2f5f7a3c2d4da245d778/reports/9ebbd0ac-35cf-4485-84be-44c802417c29/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/980a2c97-e3e1-4b88-b602-1e2d1d209224
Result
Threat name:
Glupteba, Mars Stealer, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414534
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops script or batch files to the startup folder
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Mars stealer
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1414534 Sample: file.exe Startdate: 23/03/2024 Architecture: WINDOWS Score: 100 168 Found malware configuration 2->168 170 Malicious sample detected (through community Yara rule) 2->170 172 Antivirus detection for dropped file 2->172 174 14 other signatures 2->174 10 file.exe 2 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        process3 signatures4 198 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->198 200 Writes to foreign memory regions 10->200 202 Sample uses process hollowing technique 10->202 204 3 other signatures 10->204 17 MSBuild.exe 15 333 10->17         started        22 WerFault.exe 10->22         started        24 MSBuild.exe 10->24         started        26 QmwJ9uMKABoMBhzXIlo9EQug.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 15->30         started        process5 dnsIp6 154 91.92.250.47 THEZONEBG Bulgaria 17->154 156 107.167.110.211 OPERASOFTWAREUS United States 17->156 162 15 other IPs or domains 17->162 106 C:\Users\...\zzCaxpBjv4q1MZQyQlPMDAbn.exe, PE32 17->106 dropped 108 C:\Users\...\xu0QBWKPeINfZRfiTqtUU8cm.exe, PE32 17->108 dropped 110 C:\Users\...\xhIVewr0EJBlAbnqQ7ehuSRY.exe, PE32 17->110 dropped 120 257 other malicious files 17->120 dropped 176 Drops script or batch files to the startup folder 17->176 178 Creates HTML files with .exe extension (expired dropper behavior) 17->178 32 dTZNfve92PJ2bqz9BOgXUwSR.exe 17->32         started        36 uK1nfR5EIJh38bvZrdPSwjYv.exe 17->36         started        39 3GveP3nHzYG7kpfpY9Df3Nia.exe 17->39         started        45 13 other processes 17->45 158 20.189.173.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->158 160 23.209.72.29 AKAMAI-ASN1EU United States 26->160 112 Opera_installer_2403231538185588748.dll, PE32 26->112 dropped 114 C:\Users\user\AppData\Local\...\opera_package, PE32 26->114 dropped 116 C:\Users\...\QmwJ9uMKABoMBhzXIlo9EQug.exe, PE32 26->116 dropped 118 Opera_108.0.5067.4...toupdate_x64[1].exe, PE32 26->118 dropped 41 QmwJ9uMKABoMBhzXIlo9EQug.exe 26->41         started        43 QmwJ9uMKABoMBhzXIlo9EQug.exe 26->43         started        file7 signatures8 process9 dnsIp10 142 107.167.110.217 OPERASOFTWAREUS United States 32->142 144 107.167.125.189 OPERASOFTWAREUS United States 32->144 152 6 other IPs or domains 32->152 100 7 other malicious files 32->100 dropped 47 dTZNfve92PJ2bqz9BOgXUwSR.exe 32->47         started        50 dTZNfve92PJ2bqz9BOgXUwSR.exe 32->50         started        52 dTZNfve92PJ2bqz9BOgXUwSR.exe 32->52         started        146 185.172.128.65 NADYMSS-ASRU Russian Federation 36->146 148 185.172.128.90 NADYMSS-ASRU Russian Federation 36->148 88 C:\Users\user\AppData\Local\Temp\u5m8.1.exe, PE32 36->88 dropped 90 C:\Users\user\AppData\Local\Temp\u5m8.0.exe, PE32 36->90 dropped 180 Detected unpacking (changes PE section rights) 36->180 182 Detected unpacking (overwrites its own PE header) 36->182 54 u5m8.0.exe 36->54         started        58 u5m8.1.exe 36->58         started        60 WerFault.exe 36->60         started        150 23.199.62.77 AKAMAI-ASN1EU United States 39->150 102 4 other malicious files 39->102 dropped 62 3GveP3nHzYG7kpfpY9Df3Nia.exe 39->62         started        64 3GveP3nHzYG7kpfpY9Df3Nia.exe 39->64         started        92 Opera_installer_2403231538210618868.dll, PE32 41->92 dropped 94 Opera_installer_2403231538241967428.dll, PE32 43->94 dropped 96 C:\Users\user\AppData\Local\Temp\u6x4.1.exe, PE32 45->96 dropped 98 C:\Users\user\AppData\Local\Temp\u6x4.0.exe, PE32 45->98 dropped 104 2 other malicious files 45->104 dropped 184 Found Tor onion address 45->184 186 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 45->186 66 6 other processes 45->66 file11 signatures12 process13 dnsIp14 124 Opera_installer_2403231538109017316.dll, PE32 47->124 dropped 126 C:\Users\user\AppData\...\opera_browser.dll, PE32+ 47->126 dropped 128 C:\Users\user\...\opera_autoupdate.exe, PE32+ 47->128 dropped 138 12 other malicious files 47->138 dropped 68 dTZNfve92PJ2bqz9BOgXUwSR.exe 47->68         started        130 Opera_installer_2403231538093922140.dll, PE32 50->130 dropped 132 Opera_installer_2403231538099558128.dll, PE32 52->132 dropped 164 185.172.128.209 NADYMSS-ASRU Russian Federation 54->164 140 12 other files (8 malicious) 54->140 dropped 188 Tries to harvest and steal ftp login credentials 54->188 190 Tries to harvest and steal browser information (history, passwords, etc) 54->190 192 Tries to steal Crypto Currency Wallets 54->192 194 Tries to harvest and steal Bitcoin Wallet information 54->194 71 cmd.exe 58->71         started        166 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 60->166 134 Opera_installer_2403231538149398304.dll, PE32 62->134 dropped 136 Opera_installer_2403231538156918476.dll, PE32 64->136 dropped 74 conhost.exe 66->74         started        76 conhost.exe 66->76         started        78 conhost.exe 66->78         started        80 3 other processes 66->80 file15 signatures16 process17 file18 122 Opera_installer_2403231538111987532.dll, PE32 68->122 dropped 196 Uses schtasks.exe or at.exe to add and modify task schedules 71->196 82 conhost.exe 71->82         started        84 chcp.com 71->84         started        86 schtasks.exe 71->86         started        signatures19 process20
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-23 19:37:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fit7ahwsujoz6ykfsataqvyecpmqcm5kl2gzzn3xoatei6lxzhya._file
Verdict:
unknown
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
Link:
https://tria.ge/reports/240323-ybsp1sdh61/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Glupteba
Glupteba payload
Modifies Windows Defender Real-time Protection settings
Stealc
Windows security bypass
Malware Config
C2 Extraction:
http://185.172.128.209
Unpacked files
SH256 hash:
2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0
MD5 hash:
01f642a68a587ee691ce6033c436e0e1
SHA1 hash:
e54acbd5ed2125b5118deeec10c059d4e88803cd
Link:
https://www.unpac.me/results/57403103-ae90-43cc-a644-d54070082b3b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a27f01ed2a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 2a27f01ed2a25d9f6145902608570413d90133aa5e8d9cb7777026447977c9f0

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2790824/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments