MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Stealc

Vendor detections: 14
SHA256 hash: 3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e
SHA3-384 hash: 2a79d86e0ac30b4635cabcda9f11f1ff802b953c653286a9b3578d19ced6b82080f52966388914467688cebb90daa446
SHA1 hash: 91a480da0fa5f785c3e4876f61d7c0ce54ac6752
MD5 hash: 35bab7028aa376556c3236b773506a9b
humanhash: colorado-cold-sink-berlin
File name: file
Signature: Stealc
File size: 1'247'830 bytes
First seen: 2024-09-30 18:13:52 UTC
Last seen: 2024-10-01 07:46:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:doP4FOo7B8Zbizh4H1voG+GBnh/AzWXWmPGuI:4CTiZblVvP/Az1mPGuI
Threatray 242 similar samples on MalwareBazaar
TLSH T1B5452310F2B5C8B4C5F10A3529B156982F30F65610E28427F78099EFBA32656D92E73F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 00000000080c0400 (1 x Stealc)
Reporter: Bitsight
Tags: exe Stealc


Bitsight
url: http://147.45.44.104/malesa/66fad513a308f_SubstituteAgain.exe#abd

Intelligence


File Origin
# of uploads: 2
# of downloads: 481
Origin country: US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://urlhaus.abuse.ch/url/3201544/
Verdict:
Malicious activity
Analysis date:
2024-09-30 17:43:41 UTC
Tags:
loader stealer stealc autoit-loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Powershell Autoit Emotet Nsis
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for sample
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Behavior Graph ID: 1522912 (sample: file.exe, start date: 30/09/2024, architecture: WINDOWS, score: 100)
Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected Stealc; 5 other signatures
Process chain: file.exe -> cmd.exe -> Cal.pif, cmd.exe, conhost.exe, 7 other processes
Dropped file: C:\Users\user\AppData\Local\Temp\...\Cal.pif (PE32), flagged as "Drops PE files with a suspicious file extension"
Network: Cal.pif contacts 62.204.41.159 port 80 (source port 49710), TNNET-ASTNNetOyMainnetworkFI, United Kingdom
DNS: rROLWgygby.rROLWgygby
Result
Malware family:
Score: 10/10
Tags:
family:stealc discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Stealc
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
3e3bf017e6774893faae2b462251220c0455ed888f60db4b408848b47f703581
MD5 hash:
d5ed608835b80373b53e3425cbb9ff67
SHA1 hash:
7507dbff5bbe292cea9aabdb043a632f717f578c
Detections:
AutoIT_Compiled
SHA256 hash:
3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e
MD5 hash:
35bab7028aa376556c3236b773506a9b
SHA1 hash:
91a480da0fa5f785c3e4876f61d7c0ce54ac6752
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 3a03ef1bf1d9c906bbfbe60e96c21cc950d84695b1f0fe23ca6c0c12cbe0f97e

(this sample)

Dropped by
Privateloader
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments