MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealit


Vendor detections: 7



SHA256 hash: 2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa
SHA3-384 hash: 1043ea4a6a4ec352553b81f85330926c5efc0b3f44b695b00b9ad9a07d59b284fa75721109fda8ce8a62f99a644de5a6
SHA1 hash: ce1ba86b7b62436c4dfc03499a20a406c49f921c
MD5 hash: 78d5f4b4b68da593d9264f58ce577fbf
humanhash: fruit-montana-gee-december
File name: Sonic-Glyder.exe
Signature: Stealit
File size: 77'943'888 bytes
First seen: 2024-04-21 15:06:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 1572864:ohgJ39KgRBLt9MXJHNe72TyLKZswmqXwTdvo94JfzQlcCieBE3d:oh74Lt9MZoRGqwmqXAdvzJfzQlcEBE3d
TLSH: T1480833643B7EC61EE450F87AAE7EFA3EE5E36B452E10C649C75419866C3CA873C054C2
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: a3b9eac8ccf95b8c (1 x Stealit)
Reporter: NDA0E
Tags: electron exe SonicGlyder sonicglyder.com Stealit


NDA0E
C2: illitluckygirl.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 366
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa.exe
Verdict: Malicious activity
Analysis date: 2024-04-21 15:14:16 UTC
Tags: evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Searching for the window
Creating a file
Creating a file in the %AppData% subdirectories
Changing a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Result
Threat name: Stealit
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
Detected Stealit Stealer
Drops large PE files
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
[Behavior graph image not reproduced here. Behavior Graph ID: 1429264, Sample: Sonic-Glyder.exe, Startdate: 21/04/2024, Architecture: WINDOWS, Score: 76]
Gathering data
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Enumerates processes with tasklist
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
An obfuscated cmd.exe command-line is typically used to evade detection.
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Stealit
File: Executable exe 2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::SetFileSecurityW
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileExW, KERNEL32.dll::MoveFileW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments



commented on 2024-04-21 15:50:13 UTC

C2: 98.66.170.171:443