MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0
SHA3-384 hash:	d43f7d2d5404004a8ffad3e294dca4135b649c5b3d2868fddd2cc74c7c8a1d2995706d2dd0e19e3987fd4b0d72980beb
SHA1 hash:	cd01073877e20d88498380186f3d1530d19b400a
MD5 hash:	555beb570292ee36010428dd8a449199
humanhash:	double-summer-bluebird-diet
File name:	555beb570292ee36010428dd8a449199.exe
Download:	download sample
Signature	Stealc Create hunting rule
File size:	194'048 bytes
First seen:	2023-12-29 14:40:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ea8c534c28e2062536233b200d3f650 (2 x Stealc)
ssdeep	3072:QWawhP5Lr2tU3GsX+PUBeus91+4ILLgfpiRDCwF0XNz:FawzLrKU3vYULuQ5LcfYQwF
TLSH	T10514BE3178F0C2B7E6B7457099F4DAA46A6FB81297B880CF2348171F4E329D15A39367
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	00000c8a03b5cd44 (1 x Stealc)
Reporter	abuse_ch
Tags:	exe Stealc

abuse_ch

Stealc C2:
http://5.42.66.57/3886d2276f6914c4.php

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

Vendor Threat Intelligence

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Sending an HTTP GET request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/658eda7e6b1c2460460ec54b/reports/0cbe7ebf-ad32-43b3-a4a7-2810d37c0380/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/692da5e2-d205-4c96-9ad2-df750599f307

Result

Threat name:

Stealc, Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1367994

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Self deletion via cmd or bat file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Stealc

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0

Detection:

stealc

Link:

https://mwdb.cert.pl/sample/3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0/

Threat name:

Win32.Spyware.Stealc

Status:

Malicious

First seen:

2023-12-29 14:41:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g4ymsq226iabblj4jkklwzsydtex4h3nuherrla45ehouex2hlya._file

Verdict:

malicious

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc discovery spyware stealer

Link:

https://tria.ge/reports/231229-r2egrahdb5/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Stealc

Malware Config

C2 Extraction:

http://5.42.66.57

Unpacked files

SH256 hash:

06627ef186f9f578bb0752326fbbd7821506d908554693598e45e2e124155ca7

MD5 hash:

093af6fde09383ecd853fa7b69ad5c7a

SHA1 hash:

eceb6b45df22a2b08ffa34b4faed6d4c7043d9de

Detections:

stealc

win_stealc_auto

win_stealc_a0

Link:

https://www.unpac.me/results/48f4776c-6100-4fe1-9377-b2ec6b550d57/

Parent samples :

3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0
e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a
8d9d7bd03b63923dcd739dfd6d836d4b8229268dcb8869526de90c99e5286d9d

SH256 hash:

3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0

MD5 hash:

555beb570292ee36010428dd8a449199

SHA1 hash:

cd01073877e20d88498380186f3d1530d19b400a

Link:

https://www.unpac.me/results/48f4776c-6100-4fe1-9377-b2ec6b550d57/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3730c9435af2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

exe 3730c9435af20010ad3c4a94bb66581cc97e1f6da1c918ac1ce90eea12fa3af0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2736472/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample