MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028
SHA3-384 hash: 5d2cc367517400fadb5ca36a4d77ba9c11e8d8b8b425513a61dd842a2ae4c365721b0defd7ea93f6f73dbffba719fa2d
SHA1 hash: ac463e9d83d423c60e788eb383b78180fc1ece16
MD5 hash: d1d9bbc7729327245c54067a3f9bd841
humanhash: jersey-avocado-red-maryland
File name:d1d9bbc7729327245c54067a3f9bd841.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:413'184 bytes
First seen:2024-11-26 20:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 789c6d37a5fe4952494416e00f765a42 (2 x Stealc)
ssdeep 12288:ppGDG9SZanvs6CPpURx0rMnv/umh0xZdgcx:3GkkP+xhnHumKxZdgo
Threatray 88 similar samples on MalwareBazaar
TLSH T10B94E121BAF18035F7FB6A346DB1E7501EBBF5672974804E2360266E0E32AD1DE61743
TrID 49.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
26.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 8e86830b0e8e4e9a (1 x Stealc)
Reporter abuse_ch
Tags:exe Stealc


Avatar
abuse_ch
Stealc C2:
http://92.255.57.88/7bbacc20a3bd2eb5.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://92.255.57.88/7bbacc20a3bd2eb5.php https://threatfox.abuse.ch/ioc/1347220/

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d1d9bbc7729327245c54067a3f9bd841.exe
Verdict:
Malicious activity
Analysis date:
2024-11-26 20:21:25 UTC
Tags:
loader stealer stealc
Link:
https://app.any.run/tasks/1f470ff0-7037-4ac7-9058-4d2ad004dde6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16261.28686.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67462dafb31374f09834ea6a
Tags:
bitcoin crypt lien sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67462daec6810c39d150cd1c/reports/da4d2186-0eaf-44a6-b047-8a873ac97512/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23184f82-352e-48e8-b264-c55acb2a2f1d
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1563357
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1563357 Sample: vwkb5DQRAL.exe Startdate: 26/11/2024 Architecture: WINDOWS Score: 100 39 post-to-me.com 2->39 63 Suricata IDS alerts for network traffic 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 11 other signatures 2->69 9 vwkb5DQRAL.exe 1 17 2->9         started        signatures3 process4 dnsIp5 47 176.113.115.37, 49733, 80 SELECTELRU Russian Federation 9->47 49 post-to-me.com 104.21.56.70, 443, 49732 CLOUDFLARENETUS United States 9->49 27 C:\Users\user\AppData\Local\...\B2E2.tmp.exe, PE32 9->27 dropped 29 C:\Users\user\...\ScreenUpdateSync[1].exe, PE32 9->29 dropped 71 Detected unpacking (changes PE section rights) 9->71 73 Detected unpacking (overwrites its own PE header) 9->73 14 B2E2.tmp.exe 35 9->14         started        file6 signatures7 process8 dnsIp9 51 92.255.57.88, 49740, 49756, 80 TELSPRU Russian Federation 14->51 53 127.0.0.1 unknown unknown 14->53 31 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->31 dropped 33 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 14->33 dropped 35 C:\Users\user\AppData\...\mozglue[1].dll, PE32 14->35 dropped 37 9 other files (5 malicious) 14->37 dropped 55 Multi AV Scanner detection for dropped file 14->55 57 Detected unpacking (changes PE section rights) 14->57 59 Detected unpacking (overwrites its own PE header) 14->59 61 8 other signatures 14->61 19 chrome.exe 14->19         started        22 WerFault.exe 21 16 14->22         started        file10 signatures11 process12 dnsIp13 41 192.168.2.4, 138, 443, 49725 unknown unknown 19->41 43 239.255.255.250 unknown Reserved 19->43 24 chrome.exe 19->24         started        process14 dnsIp15 45 www.google.com 142.250.181.68, 443, 49747, 49748 GOOGLEUS United States 24->45
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftdqeany6swgcxubconrqzpr2qdub436myya4kw2rkrt4bpfqaua._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
shellcode_loader_002
Create hunting rule
Similar samples:
2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028
Stealc
4a1c3bd9ad6059315a24b7bbb2cd9d6164375555e41a7bfe2ca2353b54f4a32f
Stealc
52d4318f7c02e0ad5830c8542aa637695d3a68385374eddff73970421695c4de
Stealc
59f029c83e6f6f4c7177c1e190569d4a1d836cb8d2bd0dec49107dccb40f8e36
Stealc
695b8d6b97edf8239d5ae772c2d726740d81a0b4893199c3be812406e0942123
Stealc
6a969fa1ba45ea3d679dbd124e030d82a0ea879d9f97be8338e78f953ef1ff88
Stealc
9f0211ae5c3912eb204d513f0f6341bf5634d6d021db76a4247510e2c4d107be
Stealc
error
Stealc
+ 78 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:551488411 discovery stealer
Link:
https://tria.ge/reports/241126-y4zc9svjdl/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Stealc
Stealc family
Malware Config
C2 Extraction:
http://92.255.57.88
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1cc24381-3715-41ff-adef-178f6d9078b6
Unpacked files
SH256 hash:
b04b976f71bf089829b78a949c28f6b4d58e42a76051ab911756aca580846138
MD5 hash:
2486b650708cef456ac44c61f0e8eac4
SHA1 hash:
e17132c0c0d902aab4efe005651e7f4c52c07ef0
Link:
https://www.unpac.me/results/784a3e2c-e8a4-42c5-8cc1-02181df4eea7/
SH256 hash:
2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028
MD5 hash:
d1d9bbc7729327245c54067a3f9bd841
SHA1 hash:
ac463e9d83d423c60e788eb383b78180fc1ece16
Link:
https://www.unpac.me/results/784a3e2c-e8a4-42c5-8cc1-02181df4eea7/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2cc70201b8f4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 2cc70201b8f4ac615e81139b1865f1d40740f37e66300e2ada8aa33e05e58028

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3224762/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleOutputA
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleAliasA
KERNEL32.dll::GetConsoleAliasExesLengthW
KERNEL32.dll::GetConsoleAliasesW
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA

Comments