MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Stealc


Vendor detections: 10



SHA256 hash: 3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba
SHA3-384 hash: 066f00148d864a5b303152272227935cdebc83c55853cb24e7f0e5154fdbf22e1ed296a4fd6be8a65818f3ae31e1d24c
SHA1 hash: a2cc8c949d1404058657ca7fb81854ae092762f3
MD5 hash: 9fbddfa2696d5061750e6e0ff2162c28
humanhash: arkansas-whiskey-three-utah
File name: file
Signature: Stealc
File size: 5'220'576 bytes
First seen: 2024-01-16 16:32:05 UTC
Last seen: 2024-01-16 18:22:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 0751433fb799ff99dbf59b2d0c85d83d (4 x StormKitty, 3 x AgentTesla, 2 x Stealc)
ssdeep 49152:ty/agNoehGYQBcQSiiQMchTQU0Pglz1OCuFTeeoXSS0x1HMToTQFAxTi4I0HQiuq:7CU0Pg91TXKs8Tk4W+f64X
Threatray 42 similar samples on MalwareBazaar
TLSH T19A36BF1AB7E405E4E87BC631CA1AC732D2B2B86A0631834B0928D34E1E777D54F7B675
TrID 60.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
10.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.1% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 009286868686f800 (4 x Stealc, 4 x AgentTesla, 3 x Smoke Loader)
Reporter jstrosch
Tags: exe signed Stealc X64

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-01-11T02:17:23Z
Valid to: 2025-01-11T02:17:23Z
Serial number: a5e49767ef9252b15cb95aefc5320853
Thumbprint Algorithm: SHA256
Thumbprint: 0f6f7477cec4f7899681554ba1242017f377872041e3ed94b9a1cb7826e0d3b8
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


jstrosch
Found at hxxp://15.204.49[.]148/files/File1.exe by #subcrawl

Intelligence


File Origin
# of uploads:
2
# of downloads:
328
Origin country:
US
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug control hacktool lolbin overlay packed stealer
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HTMLPhisher, Fabookie, Glupteba, Stealc
Detection:
malicious
Classification:
rans.phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected BlockedWebSite
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected Stealc
Behaviour
Behavior Graph:
[Behavior graph not reproduced] Behavior Graph ID: 1375536, Sample: file.exe, Startdate: 16/01/2024, Architecture: WINDOWS, Score: 100
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2024-01-11 16:23:35 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:fabookie family:glupteba family:stealc dropper evasion loader spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Program crash
Launches sc.exe
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Downloads MZ/PE file
Modifies Windows Firewall
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
Stealc
UAC bypass
Malware Config
C2 Extraction:
http://185.172.128.79
Unpacked files
SHA256 hash:
3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba
MD5 hash:
9fbddfa2696d5061750e6e0ff2162c28
SHA1 hash:
a2cc8c949d1404058657ca7fb81854ae092762f3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 3555805731fe9aeb942a0859e9205481f6367547068658f57ddf38859b8b5cba

(this sample)

Delivery method
Distributed via web download

Comments