MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70
SHA3-384 hash: a7cd4d9c851695dc586b1ebaa1e08fde9cb397f3b28e46fe756689be4f69d78d7c329747901fa0a103b1836ef7cbb683
SHA1 hash: 4685f1039f72f93538a51fcc5c036090463384d0
MD5 hash: b4886669691aead88d99a9db939631e7
humanhash: stairway-moon-summer-steak
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:1'935'872 bytes
First seen:2024-02-26 17:27:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 40 x GuLoader, 25 x RemcosRAT)
ssdeep 24576:sPdCL++ku+Pghk4jIO/KqJDSlWZ8v+0HnuCT+Hm4QH:UUQDoh3jIO/KMOP+unPH
Threatray 132 similar samples on MalwareBazaar
TLSH T17595E061A1E4CB77F4274A72C4E7887025E27E8DDAFCC10B71497B9DA5B33C518E6A02
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon e88c969696868084 (4 x Stealc)
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://185.172.128.109/InstallSetup10.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477853/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop13.1313.25407.5867.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Loader.1550.2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Sending an HTTP GET request to an infection source
DNS request
Connection attempt
Sending a custom TCP request
Searching for the window
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Connecting to a non-recommended domain
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65dcca347ec1345fd98215eb/reports/5cfc3e10-ab4e-43e4-8809-5f7133da56e8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18947895-4a5b-4499-a1ee-5494c9afc6e9
Result
Threat name:
Mars Stealer, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1398975
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1398975 Sample: file.exe Startdate: 26/02/2024 Architecture: WINDOWS Score: 100 47 www.google.com 2->47 49 google.com 2->49 59 Snort IDS alert for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 8 other signatures 2->65 9 file.exe 1 38 2->9         started        signatures3 process4 dnsIp5 51 185.172.128.90, 49705, 80 NADYMSS-ASRU Russian Federation 9->51 53 185.172.128.127, 49708, 49728, 80 NADYMSS-ASRU Russian Federation 9->53 55 2 other IPs or domains 9->55 31 C:\Users\user\AppData\Local\...\nsz4ADC.tmp, PE32 9->31 dropped 33 C:\Users\user\AppData\Local\...\INetC.dll, PE32 9->33 dropped 35 C:\Users\user\AppData\...\BroomSetup.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\...\syncUpd[1].exe, PE32 9->37 dropped 13 nsz4ADC.tmp 69 9->13         started        18 BroomSetup.exe 2 5 9->18         started        file6 process7 dnsIp8 57 185.172.128.145, 49709, 80 NADYMSS-ASRU Russian Federation 13->57 39 C:\Users\user\AppData\...\softokn3[1].dll, PE32 13->39 dropped 41 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 13->41 dropped 43 C:\Users\user\AppData\...\mozglue[1].dll, PE32 13->43 dropped 45 9 other files (5 malicious) 13->45 dropped 69 Antivirus detection for dropped file 13->69 71 Detected unpacking (changes PE section rights) 13->71 73 Detected unpacking (overwrites its own PE header) 13->73 77 8 other signatures 13->77 20 WerFault.exe 16 13->20         started        75 Multi AV Scanner detection for dropped file 18->75 22 cmd.exe 1 18->22         started        file9 signatures10 process11 signatures12 67 Uses schtasks.exe or at.exe to add and modify task schedules 22->67 25 conhost.exe 22->25         started        27 schtasks.exe 1 22->27         started        29 chcp.com 1 22->29         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-26 17:28:08 UTC
File Type:
PE (Exe)
Extracted files:
127
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvprq2r5cmb75f5x7wd3fwwrobi33ulremszubwlahtubso735ya._file
Verdict:
malicious
Similar samples:
096c1842a51fd1a2e70b5652706625be34b38057928142691d260d5b05581514
Stealc
15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5
Stealc
1ca559e6b5928c568fbb4f8de0bcb564f687774cbc1e1963ba9af862497f82eb
Stealc
3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba
Stealc
8c7c39736cf9d51e1763ec21d68b0ff45b229fb265239fcd3b467087ecb2aa80
Stealc
b5a550031245113f336edee9de44a8e5473eb4dd02c4201566a54c129df3f000
Stealc
baf93636b866c7974ce40d6783425066ef229efe94c735d77e52fe6d953eadc5
Stealc
fd0c4ce27e4c30e616b791bde30ffd351faeb416aa3e3717fbf023c41d3c374a
Stealc
+ 122 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/240226-v1zm3sbf72/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Unpacked files
SH256 hash:
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
MD5 hash:
40d7eca32b2f4d29db98715dd45bfac5
SHA1 hash:
124df3f617f562e46095776454e1c0c7bb791cc7
Link:
https://www.unpac.me/results/0121086c-6361-4b9f-99ef-9ea30f455ea6/
SH256 hash:
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503
MD5 hash:
5e94f0f6265f9e8b2f706f1d46bbd39e
SHA1 hash:
d0189cba430f5eea07efe1ab4f89adf5ae2453db
Link:
https://www.unpac.me/results/0121086c-6361-4b9f-99ef-9ea30f455ea6/
SH256 hash:
1e5d63eca9b34d97040a627f90f41beabbf76bd2cd17fcec83840d32e693f14f
MD5 hash:
2b020e74955baf82f1536ea00b86af9f
SHA1 hash:
7cc447e754c0fb61544ebb6157d6dd010132600d
Link:
https://www.unpac.me/results/0121086c-6361-4b9f-99ef-9ea30f455ea6/
SH256 hash:
2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70
MD5 hash:
b4886669691aead88d99a9db939631e7
SHA1 hash:
4685f1039f72f93538a51fcc5c036090463384d0
Link:
https://www.unpac.me/results/0121086c-6361-4b9f-99ef-9ea30f455ea6/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d5f186a3d13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 2d5f186a3d1303fe97b7fd87b2dad17051bdd17123259a06cb01e740c9dfdf70

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2770966/
Cape
Cape
https://www.capesandbox.com/analysis/477853/

Comments