MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c
SHA3-384 hash: d2349b8be97fbb7c2c8f26f68e0df40a8291616ab475fa40713efa18ca02d7ad4d00cf709ca6113f1102711a45f371e1
SHA1 hash: 18e9e6d893bab03d9b1a47951c9d408a31c59ba4
MD5 hash: cfab7a2f5302b8fcdd98159c3c892404
humanhash: glucose-thirteen-winner-ohio
File name:Agreement_eSign.pdf
Download: download sample
Signature Stealc
Create hunting rule
File size:86'773 bytes
First seen:2024-02-04 06:43:22 UTC
Last seen:Never
File type: pdf
MIME type:application/pdf
ssdeep 1536:hqICCqKqIXY1RYZpfg99xyUb1V7fbxp7kWJx362lKXH7WPsi4Dym15gF:hqLdIGYZiZbz7FpJJxUCPsiSn1GF
TLSH T1DE83026E8D270483E8DB1EBA744C69B34A6B12DB23112EE53524DB730844BDB7E50BF5
Reporter iamdeadlyz
Tags:194-120-116-120 CVE-2023-27363 pdf Stealc


Avatar
Iamdeadlyz
Outfoxing a Malicious PDF: An attacker's attempt to deliver a Stealc infostealer. Exploiting CVE-2023-27363.

Drops officeupdate.hta [persisting via startup folder]
Retrieves: hxxps://brazilanimalshelp[.]com/updating/stale.exe
StealC C&C: hxxp://194.120.116[.]120/7a957ef6cc168ff6.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
SG SG
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.31932.19867.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
File Type:
PDF File
Link:
https://app.docguard.net/3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65bf3233b012cce0edbb85a7/reports/7411662d-db4a-4f09-9070-37cd2f872542/overview
Verdict:
Suspicious
Labled as:
Trojan.Script.Heuristic
Link:
https://www.hybrid-analysis.com/sample/3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c
Label:
Benign
Suspicious Score:
4.6/10
Score Malicious:
47%
Score Benign:
53%
Link:
https://www.malware.ai/gui/files/?id=1324c46b-b30d-4265-a801-98cd6e5f1d06
Result
Verdict:
MALICIOUS
Details
Malicious Scriptlet 7 of 7
Detected a malicious pivot typically seen during the 'file-less' pivot commonly seen in malware carriers.
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1386274
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1386274 Sample: Agreement_eSign.pdf Startdate: 04/02/2024 Architecture: WINDOWS Score: 48 16 Multi AV Scanner detection for submitted file 2->16 7 Acrobat.exe 18 79 2->7         started        process3 process4 9 AcroCEF.exe 105 7->9         started        process5 11 AcroCEF.exe 2 9->11         started        dnsIp6 14 23.63.158.36, 443, 49739 AKAMAI-ASUS United States 11->14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c/
Threat name:
Document-PDF.Trojan.Stealc
Create hunting rule
Status:
Suspicious
First seen:
2024-01-31 22:01:45 UTC
File Type:
Document
Extracted files:
13
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g547doie5zgpih2kezsqksigqjkz2cjtpxvtbiwmbb4tyltjhboa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Stealc
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

pdf 3779f1b904ee4cf41f4a266505490682559d09337deb30a2cc08793c2e69385c

(this sample)

Stealc

Executable exe 85735229bd3b6ae1d0c60d43f3e24a2be5f0d21d87b7f2c01f13373c051c82a5

Stealc

HTML Application (hta) hta 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6

  
Link
https://iamdeadlyz.gitbook.io/malware-research/february-2024/outfoxing-a-malicious-pdf-an-attackers-attempt-to-deliver-a-stealc-infostealer
  
X
https://twitter.com/oscarxferral/status/1752765232190251037
  
Dropping
SHA256 84626884775edba43d27869acfe98ce6e7bf687bc1d71fa4a4383d69cfe9d0b6
  
Dropping
SHA256 85735229bd3b6ae1d0c60d43f3e24a2be5f0d21d87b7f2c01f13373c051c82a5
  
Delivery method
Distributed via web download
  
Dropping
MD5 4913fe0e4d17f0a4b18a9acb04c255ac
  
Dropping
MD5 a7e899088ee574a2e977080acb00c849
  
Dropping
SHA256 a9a4d321d6ccfe6ba9e0f870fb1bf590535c6e10a091805020930dce46e116b7
  
Dropping
MD5 084222b639a1b3f35be40ca5282a6e0a

Comments