MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
SHA3-384 hash: 365db6219ba4c7284e8d8a63b7b22321fdc052346f43ce742b433c7a08c55d719df1bb9ae890d47c9eaceb0eceeed897
SHA1 hash: bb381ae78ca1c46db897add5b0da046515985692
MD5 hash: 21617215ffe926fd76b00a8b2f3a28c7
humanhash: six-harry-spring-thirteen
File name:file
Download: download sample
Signature Stealc
Create hunting rule
File size:210'472 bytes
First seen:2024-09-10 18:09:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:utjx0IjyV4+F/0UlDMHIxXh1RLsT9I911w84MtRqdT9P1lThq9fZpYU7cCYfJkZS:suIujssD4I7911w8pReHg9fZpBQLhxEO
TLSH T1DF2412161BA65633EEAC9E34B4F1D7649E64F7AA9CD3450A1B20D823DBC4F383E14274
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe Stealc


Avatar
Bitsight
url: http://147.45.44.104/revada/66e0815ab46eb_cry.exe#kiscrypto

Intelligence

File Origin
# of uploads :
1
# of downloads :
387
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-10 18:11:20 UTC
Tags:
stealer stealc
Link:
https://app.any.run/tasks/608103b4-bc39-43e0-ad22-047022657b61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Pwsx-10035189-0
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e08b7c76bc4542b0495dbc
Tags:
Encryption Static
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6b63b7e-942a-4740-99fa-cc73f3dbe35d
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508881
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
73%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hn42n5ibkvf4ndjajvvqw7vibtawdhm52d76xnuth3od5g4pfgwa._file
Verdict:
malicious
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:cry discovery stealer
Link:
https://tria.ge/reports/240910-wr1z8aydma/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Stealc
Malware Config
C2 Extraction:
http://45.152.113.10
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ab8dd7ce-5b97-47c9-9856-c41813444754
Unpacked files
SH256 hash:
b942a672a54a729085b437eb710b62c64183331c6a57fe0ec22039201de6b689
MD5 hash:
118f57a4bbb5a429ff1fc129c0c739dc
SHA1 hash:
653e9577e9878e3b930bfa178c0aa224fb61f8d5
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/d041bf3c-c692-4788-802f-1796215ecd5f/
Parent samples :
39799cbca0280a21fa444531c85521db039ef70f963a8960f3fcaca71d3cf802
f7e542218783c81229c438685de0c7c29a619790796833069eddb97b2eb34d29
56ae5bba6fe924b256f6bae52762d29816fe2b92500b7be0baba2ca0ec396db4
3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
e45ef7fdd1a92c5ed40b3365a895623a112ee16444cf0ebe70619cf09d8628ca
c5d5a4fd2200126f32170a7fd214850c244eed7c7279c5773e41c45049202526
SH256 hash:
3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac
MD5 hash:
21617215ffe926fd76b00a8b2f3a28c7
SHA1 hash:
bb381ae78ca1c46db897add5b0da046515985692
Link:
https://www.unpac.me/results/d041bf3c-c692-4788-802f-1796215ecd5f/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b79a6f50155/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.09
Link:
https://yomi.yoroi.company/submissions/3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe 3b79a6f501554bc68d204d6b0b7ea80cc1619d9dd0ffebb6933edc3e9b8f29ac

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3165879/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments